Security Incidents mailing list archives

Re: Compromised...


From: jkinney () TELLER PHYSICS EMORY EDU (Jim Kinney)
Date: Mon, 7 Feb 2000 21:46:43 -0500


Sorry to hear about the break-in. They can be ulcer-causing events.
To shorten your reloading problem, since you have rpm capabilities, the
command "rpm -Va >verify.txt" will give you a listing of all the files
that have changed their md5 checksum from the original rpm database. Of
course, programs loaded without rpm will not be noticed.

ADMROCKS is a tell-tale sign of a bind exploit. It's difficult to keep
track of all the updates when sys-admin is only part of the job
description. There is, however, a very useful tool for rpm-based systems
called "autorpm". Essentially, it will look at a known, or given, ftp site
and automatically download any rpms that are updates to your system. It
can be configured to check the md5 checksum, signatures and auto-install or
add them to a queue for later install. It also emails you to tell you what
it got and what it needs you to do about it. I expect it will become a
standard RedHat package soon. They ship now with "up2date". It works well,
but lacks the automatic aspect of autorpm.

Jim Kinney

On Mon, 7 Feb 2000, Steve Logan wrote:

This morning I tried to ssh to a domain I host on one of my boxes.  I soon
realized the domain wasn't resolving.  I then ssh'd to the ip of the box.
I discovered that named wasn't running.  I restarted it.  I was curious to
find out why it had died.  I started looking through the logs and I soon
realized my machine had been broken into. Several binaries had been
replaced.  (ps, ls, netstat, ...).  I replaced the ps and ls and found
some interesting things.  There was a process running called in,telnetd
(notice the comma).  I found this in "/usr/ /":

rwxr-xr-x   2 root     root         4096 Feb  6 21:41 .
drwxr-xr-x  20 root     root         4096 Feb  6 21:38 ..
-rw-r--r--   1 root     root           39 Feb  6 21:38 .l
-rw-r--r--   1 root     root           44 Feb  6 21:38 .n
-rw-r--r--   1 root     root           31 Feb  6 21:40 .p
-rws--x--x   1 root     root       281416 Feb  6 21:38 .tt
-rwxr-xr-x   1 root     root       373176 Feb  6 21:38 .ttb
-rw-r--r--   1 root     root          698 Feb  6 21:38 .ttf
-rwxr-xr-x   1 root     root         7860 Feb  6 21:38 in,telnetd
-rw-r--r--   1 root     root      2518030 Feb  7 10:52 sniff.log

After running strings on these files it appears they are a shell program
and password files.  The in,telnetd is logging all network traffic to
sniff.log.  All of the log files had been modified.  History was modified.
wtmp was modified.  inetd.conf was changed.  Several other things were
also changed.  There was a directory called ADMROCKS in /var/named.

Has anyone else experienced this?  How did they get in?  At this point I'm
pretty sure it was through named.  How should I go about cleaning it up?
Right now I think I'll just reinstall the RPMs off of the cd.  Will this
be enough (along with upgrading BIND)?  If anyone could share any useful
information please do so.

Thanks,
Steve Logan

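One way to act on Jim's suggestion, as an added example that is not from either poster: a POSIX shell script that triages a constructed sample of `rpm -Va` output (the real run is `rpm -Va >verify.txt`) and then sweeps a directory tree for the unpackaged leftovers Steve describes, which is exactly the gap Jim's caveat points out. The sample report, the function names and the sweep patterns are assumptions drawn from the two messages.

```sh
#!/bin/sh
# Added example, not from either poster. Step 1 triages the "rpm -Va"
# report Jim suggests (for real: rpm -Va >verify.txt). Step 2 covers his
# caveat that rpm never sees files installed outside of packages.

# Constructed sample of rpm -Va output. Field 1 is the attribute string
# (S=size, M=mode, 5=md5, D=device, L=link, U=user, G=group, T=mtime,
# "."=unchanged, or the word "missing"); an optional "c" marks a config
# file; the rest of the line is the path.
SAMPLE_VERIFY='S.5....T   /bin/ps
S.5....T   /bin/ls
S.5....T   /bin/netstat
S.5....T c /etc/inetd.conf
.......T   /usr/share/man/man1/ls.1.gz
missing    /usr/sbin/in.telnetd'

# Paths whose md5 no longer matches the package, skipping config files
# ("c"), which are expected to differ. Reads the report on stdin.
md5_changed() {
    awk '$1 ~ /5/ && $2 != "c" { sub(/^[^ ]+ +([cdglr] +)?/, ""); print }'
}

# Packaged files that have simply disappeared.
missing_files() {
    awk '$1 == "missing" { sub(/^[^ ]+ +([cdglr] +)?/, ""); print }'
}

# Jim's caveat: rpm only knows packaged files. Sweep a tree for the things
# Steve found by hand: a directory name containing a space (his "/usr/ /"),
# a file name containing a comma (his "in,telnetd"), and a hidden setuid
# executable (his ".tt", mode -rws--x--x). Any hit deserves a look.
odd_paths() {
    find "$1" \( -type d -name '* *' \) \
           -o \( -type f -name '*,*' \) \
           -o \( -type f -name '.*' -perm -4000 \) 2>/dev/null | LC_ALL=C sort
}

# Stand-alone run: report on the sample, then sweep /usr (change the root
# to taste; a clean tree prints nothing for the sweep).
if [ "${1:-}" = "--run" ]; then
    echo "== md5 changed =="; printf '%s\n' "$SAMPLE_VERIFY" | md5_changed
    echo "== missing =="; printf '%s\n' "$SAMPLE_VERIFY" | missing_files
    echo "== unpackaged oddities under /usr =="; odd_paths /usr
fi
```

A real `verify.txt` can be fed to the two report functions with `md5_changed <verify.txt`; the sweep is only a starting point, since anything rpm does not own still has to be judged by hand.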