rootkits: was: Re: [TriLUG] Server DEAD!

Jeremy Portzer jeremyp at pobox.com
Thu Aug 28 16:35:46 EDT 2003


On Thu, 2003-08-28 at 16:11, auto668 at hush.com wrote:
> Ok.. more updates...
> 
> Did the following:  
> rpm --root /mnt/sysimage-q --queryformat 
> '%{NAME}-%{VERSION}-%{RELEASE}-%{ARCH}\n' glibc kernel 
> (that should all be on one line) 
> 
> Here's the output:
> glibc-2.3.2-11.9-i686
> glibc-2.3.2-11.27-i686
> kernel-2.4.20-9-i686
> kernel-2.4.20-20.9-i686
> kernel-smp-2.4.20-9-i686
> kernel-smp-2.4.20-19.9-i686
> kernel-smp-2.4.20-20.9-i686
> 
> This is an smp box.. is it 'normal' to have two glibc's listed?

No, definitely not normal to have two glibc's.  I'm not sure what would
have caused that, unless you've been installing things with ugly options
like --force.  The current glibc package for RHL 9 is glibc-2.3.2-11.27.

> And I ran the rpm -V on the coreutils and received the following
> 
> S.5....T /bin/basename

That's not good.  It means the "size", "md5sum," and "timestamp" are all
wrong (see man rpm for the full description of the verify output).

> "        /bin/cat
> "        /bin/chgrp
> 
> For net-tools I get the following..
> S.5....T  /bin/hostname
> S.5....T  /bin/netstat
> S.5....T  /bin/ifconfig

And that's a lot worse.  The modified netstat is probably to hide
connections to/from an attacking server.  The modified ifconfig may be
to hide an interface that's in promiscuous mode.

> Before I go any further.. what do you think?  rootkitted?
> 

My best guess is that you have been rootkitted.   I would try to see if
chkrootkit will run, but depending on how difficult it is to format and
restore from backups, that's probably the best solution :-(

Sometimes you can run "strings" on the compromised binaries and find
evidence of various things, like hostnames that are to be excluded from
netstat, etc.  A google search on some of this output may tell you a lot
more about the particular rootkit.  There seem to be an amazing number
of variations on any given rootkit, however.

Of course, it would be nice to figure out how they got in.  A common
problem is to install updated packages via up2date, or other updating
programs, but forgetting to restart the given service.  Sometimes
libraries like openssl will be used by other programs like Apache -- an
openssl update requires a restart of Apache, and all other programs
using it, before it's totally effective.

Folks -- take this as a reminder that Windows isn't the only OS that can
have security problems -- security affects all types of computing.

--Jeremy

-- 
/---------------------------------------------------------------------\
| Jeremy Portzer       jeremyp at pobox.com       trilug.org/~jeremy     |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\---------------------------------------------------------------------/
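The `rpm -V` output discussed in this thread, parsed and triaged the way a defender checking a suspect box would: expand the attribute letters, then rank a digest mismatch on a shipped executable above an edited config file or a touched timestamp. This is an added example, not code from the thread; the directory list and the two benign sample lines are assumptions.

```python
import re
# Columns of the rpm -V attribute string (rpm 4.x on Red Hat Linux 9 prints
# eight; rpm 4.6+ adds a ninth, "P"). A letter means that check failed.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "md5sum", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime",
              "P": "capabilities"}
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")  # assumed
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+"
                     r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)\s*$")

def parse_line(line):
    """Parse one rpm -V line into {path, failed, ftype, missing}; None if not verify output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    failed = set() if flags == "missing" else {FLAG_NAMES[c] for c in flags if c != "."}
    return {"path": m.group("path"), "failed": failed,
            "ftype": m.group("ftype"), "missing": flags == "missing"}

def classify(v):
    """Rank one verify record by how strongly it points at tampering."""
    if v["missing"]:
        return "missing"
    if "md5sum" in v["failed"] and v["ftype"] == "c":
        return "edited-config"     # admins edit config files; usually benign
    if "md5sum" in v["failed"] and v["path"].startswith(BINARY_DIRS):
        return "replaced-binary"   # contents differ from the package: what a rootkit leaves
    if v["failed"] <= {"mtime"}:
        return "mtime-only"        # contents still match; only the timestamp moved
    return "other"

def triage(output):
    """Map every path in rpm -V output to a verdict, ignoring non-verify lines."""
    verdicts = {}
    for line in output.splitlines():
        v = parse_line(line)
        if v:
            verdicts[v["path"]] = classify(v)
    return verdicts

# Constructed sample: the coreutils/net-tools lines from the thread plus two
# made-up benign lines (a hand-edited config file and a touched man page).
SAMPLE = """\
S.5....T /bin/basename
S.5....T  /bin/netstat
S.5....T  /bin/ifconfig
S.5....T  c /etc/hosts
.......T  /usr/share/man/man8/netstat.8.gz
"""
```

Run `rpm -Va --root /mnt/sysimage-q` from a clean rescue environment and feed its output to `triage()`; the rpm database itself can be tampered with, so a verdict of "replaced-binary" is evidence, while a clean result is not proof of absence.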