Security Incidents mailing list archives
Re: LJK2 rootkit?
From: chadth () OBFUSTECH COM (Chad Thunberg)
Date: Thu, 18 May 2000 14:13:11 -0700
The "^" in your logs suggests they have been edited. Since your box has been compromised, your logs should be considered worthless. Look into running a remote syslogd box that does nothing but do logging for all your "public" servers.

-Chad
-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Felix Schueren
Sent: Wednesday, May 17, 2000 10:46 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: LJK2 rootkit?

First off, thanks for the replies so far. I've analyzed the logs a bit, and while I suspected being hacked through a bind exploit (the machine was running BIND 8.1.2), I found nothing to prove that:

May 11 18:20:53 10550 named[19306]: starting. named 8.1.2 Thu Sep 24 02:47:08 EDT 1998 ^Iroot () porky redhat com:/usr/src/bs/BUILD/src/bin/named
May 11 18:22:40 10550 named[19421]: starting. named 8.2 Wed Mar 31 10:57:12 EST 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
May 14 19:10:30 10550 named[1918]: starting. named 8.2 Wed Mar 31 10:57:12 EST 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
May 14 19:10:32 10550 named[1922]: starting. named 8.2 Wed Mar 31 10:57:12 EST 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
May 14 19:10:35 10550 named[1926]: starting. named 8.2 Wed Mar 31 10:57:12 EST 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
May 14 19:10:42 10550 named[1956]: starting. named 8.2 Wed Mar 31 10:57:12 EST 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
May 14 20:49:39 10550 named[5266]: starting. named 8.2.2-P3 Thu Nov 11 00:04:50 EST 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2.2_P3/src/bin/named
May 14 20:49:52 10550 named[5307]: starting. named 8.2.2-P3 Thu Nov 11 00:04:50 EST 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2.2_P3/src/bin/named

On May 11th, BIND 8.2 (RedHat: bind-8.2-6.i386.rpm) was installed, then on May 14th BIND 8.2.2-P3. I've checked with my colleagues, and it appears both of those installs (and the corresponding odd numbers of named restarts) were caused by them.

How vulnerable would BIND 8.2 have been, and how likely is it that the intruder got in before May 11th (the first BIND update)?

Here's an oddity from the older logs:

++++++++++++++++++
Jan 2 04:21:14 10550 named[251]: Cleaned cache of 9 RRs
Jan 2 04:21:14 10550 named[251]: USAGE 946783274 946480873 CPU=3.06u/1.11s CHILDCPU=0u/0s
Jan 2 04:21:14 10550 named[251]: NSTATS 946783274 946480873 A=2903 SOA=1386 PTR=6168 MX=55 AXFR=1 ANY=140
Jan 2 04:21:14 10550 named[251]: XSTATS 946783274 946480873 RR=1900 RNXD=128 RFwdR=967 RDupR=3 RFail=1 RFErr=0 RErr=0 RAXFR=1 RLame=376 ROpts=0 SSysQ=466 SAns=9788 SFwdQ=843 SDupQ=430 SErr=0 RQ=10653 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=51 SFwdR=967 SFail=0 SFErr=0 SNaAns=7393 SNXD=350
Jan 3 16:41:28 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [128.8.10.90].53 'D.ROOT-SERVERS.net'
Jan 3 16:41:28 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [192.5.5.241].53 'F.ROOT-SERVERS.net'
Jan 3 16:41:29 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [198.41.0.4].53 'A.ROOT-SERVERS.net'
Jan 3 16:41:29 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [128.63.2.53].53 'H.ROOT-SERVERS.net'
Jan 3 16:41:29 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [192.36.148.17].53 'I.ROOT-SERVERS.net'
Jan 3 16:41:29 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [192.33.4.12].53 'C.ROOT-SERVERS.net'
Jan 3 16:41:30 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [192.203.230.10].53 'E.ROOT-SERVERS.net'
Jan 3 16:41:30 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [207.159.77.18].53 'F.GTLD-SERVERS.net'
Jan 3 16:41:30 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [128.9.0.107].53 'B.ROOT-SERVERS.net'
Jan 3 16:41:31 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [192.112.36.4].53 'G.ROOT-SERVERS.net'
Jan 3 16:41:31 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [195.8.99.11].53 'K.GTLD-SERVERS.net'
Jan 3 16:41:32 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [198.41.0.21].53 'J.GTLD-SERVERS.net'
Jan 3 16:51:15 10550 named[251]: Cleaned cache of 9 RRs
Jan 3 16:51:15 10550 named[251]: USAGE 946914675 946480873 CPU=4.48u/1.59s CHILDCPU=0u/0s
Jan 3 16:51:15 10550 named[251]: NSTATS 946914675 946480873 A=3980 SOA=2010 PTR=9043 MX=70 AXFR=3 ANY=209
Jan 3 16:51:15 10550 named[251]: XSTATS 946914675 946480873 RR=2616 RNXD=174 RFwdR=1405 RDupR=5 RFail=1 RFErr=0 RErr=0 RAXFR=3 RLame=408 ROpts=0 SSysQ=665 SAns=14070 SFwdQ=1234 SDupQ=497 SErr=0 RQ=15315 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=53 SFwdR=1405 SFail=0 SFErr=0 SNaAns=10733 SNXD=564
Jan 4 14:21:16 10550 named[251]: Cleaned cache of 16 RRs
Jan 4 14:21:16 10550 named[251]: USAGE 946992076 946480873 CPU=5.31u/2.09s CHILDCPU=0u/0s
Jan 4 14:21:16 10550 named[251]: NSTATS 946992076 946480873 A=4561 SOA=2350 PTR=10843 MX=84 AXFR=3 ANY=249
Jan 4 14:21:16 10550 named[251]: XSTATS 946992076 946480873 RR=3057 RNXD=217 RFwdR=1688 RDupR=7 RFail=1 RFErr=0 RErr=0 RAXFR=3 RLame=432 ROpts=0 SSysQ=775 SAns=16612 SFwdQ=1471 SDupQ=553 SErr=0 RQ=18090 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=53 SFwdR=1688 SFail=0 SFErr=0 SNaAns=12795 SNXD=647
Jan 4 14:44:06 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [128.8.10.90].53 'D.ROOT-SERVERS.net'
Jan 4 14:44:06 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [198.41.0.4].53 'A.ROOT-SERVERS.net'
Jan 4 14:44:06 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [128.63.2.53].53 'H.ROOT-SERVERS.net'
Jan 4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [192.33.4.12].53 'C.ROOT-SERVERS.net'
Jan 4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [192.112.36.4].53 'G.ROOT-SERVERS.net'
Jan 4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [192.5.5.241].53 'F.ROOT-SERVERS.net'
Jan 4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [128.9.0.107].53 'B.ROOT-SERVERS.net'
Jan 4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [192.36.148.17].53 'I.ROOT-SERVERS.net'
Jan 4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [192.203.230.10].53 'E.ROOT-SERVERS.net'
Jan 4 14:44:08 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [207.159.77.18].53 'F.GTLD-SERVERS.net'
Jan 4 14:44:08 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [198.41.0.21].53 'J.GTLD-SERVERS.net'
Jan 4 14:44:08 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in 'ecore.net'?): [195.8.99.11].53 'K.GTLD-SERVERS.net'
Jan 4 14:51:16 10550 named[251]: Cleaned cache of 49 RRs
Jan 4 14:51:16 10550 named[251]: USAGE 946993876 946480873 CPU=5.46u/2.11s CHILDCPU=0u/0s
Jan 4 14:51:16 10550 named[251]: NSTATS 946993876 946480873 A=4576 SOA=2365 PTR=10891 MX=84 AXFR=3 ANY=252
Jan 4 14:51:16 10550 named[251]: XSTATS 946993876 946480873 RR=3507 RNXD=217 RFwdR=1697 RDupR=7 RFail=1 RFErr=0 RErr=0 RAXFR=3 RLame=860 ROpts=0 SSysQ=813 SAns=16674 SFwdQ=1490 SDupQ=979 SErr=0 RQ=18171 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=53 SFwdR=1697 SFail=0 SFErr=0 SNaAns=12839 SNXD=649
Jan 4 15:49:18 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [193.0.14.129].53 'K.ROOT-SERVERS.NET'
Jan 4 15:49:18 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [202.12.27.33].53 'M.ROOT-SERVERS.NET'
Jan 4 15:49:19 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [198.41.0.10].53 'J.ROOT-SERVERS.NET'
Jan 4 15:49:19 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [198.32.64.12].53 'L.ROOT-SERVERS.NET'
Jan 4 15:49:19 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [128.8.10.90].53 'D.ROOT-SERVERS.NET'
Jan 4 15:49:20 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [192.112.36.4].53 'G.ROOT-SERVERS.NET'
Jan 4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [192.33.4.12].53 'C.ROOT-SERVERS.NET'
Jan 4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [192.5.5.241].53 'F.ROOT-SERVERS.NET'
Jan 4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [128.9.0.107].53 'B.ROOT-SERVERS.NET'
Jan 4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [192.36.148.17].53 'I.ROOT-SERVERS.NET'
Jan 4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [192.203.230.10].53 'E.ROOT-SERVERS.NET'
Jan 4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [198.41.0.4].53 'A.ROOT-SERVERS.NET'
Jan 4 15:49:22 10550 named[251]: Lame server on 'ns.ecore.net' (in 'ecore.net'?): [128.63.2.53].53 'H.ROOT-SERVERS.NET'
Jan 4 15:51:16 10550 named[251]: Cleaned cache of 49 RRs
Jan 4 15:51:16 10550 named[251]: USAGE 946997476 946480873 CPU=5.53u/2.13s CHILDCPU=0u/0s
Jan 4 15:51:16 10550 named[251]: NSTATS 946997476 946480873 A=4608 SOA=2376 PTR=10987 MX=85 AXFR=3 ANY=262
Jan 4 15:51:16 10550 named[251]: XSTATS 946997476 946480873 RR=3603 RNXD=223 RFwdR=1724 RDupR=7 RFail=2 RFErr=0 RErr=0 RAXFR=3 RLame=913 ROpts=0 SSysQ=828 SAns=16799 SFwdQ=1515 SDupQ=1031 SErr=0 RQ=18321 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=53 SFwdR=1724 SFail=0 SFErr=0 SNaAns=12941 SNXD=654
+++++++++++++++++

On Jan 2 we have RLame=376, after the "regular" ecore.net "Lame server on" messages on Jan 3 we have RLame=408. Now on Jan 4, very similar picture, but we jump from 432 to 860 between 14:21 and 14:51, and then to 913 at 15:51. Any ideas where the large jump comes from? There's no named restarts or anything named-related logged besides what I put here...

Any other ideas what to look for in the logs to get a clue on how the system was hacked? Sadly, it's just plain default syslogging on this machine...
regards,
felix

--
------------------------------------------------------------
Felix Schüren, fs () one-2-one net, Technik
ONE-2-ONE Advertising + Telecommunications GmbH
Theodor-Heuss-Str. 92-100, 51149 Koeln, Germany
Telefon (01805) 6632-66 Telefax (01805) 6632-33
info () one-2-one net http://www.one-2-one.net
Geschaeftsfuehrer: Mike Behrendt, HRB 28495 Koeln
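The RLame jump Felix asks about is easier to see when the cumulative counters are turned into per-interval deltas. BIND 8 writes "XSTATS <now> <boot> K=V ..." with both timestamps in Unix epoch seconds, and <boot> (946480873 in every line above) stays constant for one run of named, so subtracting consecutive reports gives what happened in that window, and a changed <boot> or pid means the counters reset. The script below is an added example, not code from the thread: it parses the five XSTATS lines quoted above (one of each report, reflowed onto single lines), plus one invented line after a hypothetical restart to exercise the reset check, and flags counters whose per-hour rate in an interval exceeds ten times the daemon's average rate since boot. The factor (10) and the minimum delta (20) are arbitrary thresholds chosen for this sample. It also parses the "starting." lines, treating "^I" as the caret notation a pager or cat -v uses for a TAB in the version banner; whether a caret sequence is a display rendering or something written into the file is a question for the raw bytes (od -c), not for a pager.

```python
"""Per-interval deltas for BIND 8 XSTATS syslog counters (added example)."""
import re
from collections import namedtuple

# Constructed sample: the five XSTATS lines quoted in the thread (Jan 2 - 4),
# one per line, plus one invented report after a hypothetical restart
# (new pid and <boot>) so the reset check has something to trip on.
SAMPLE_LOG = """\
Jan  2 04:21:14 10550 named[251]: XSTATS 946783274 946480873 RR=1900 RNXD=128 RFwdR=967 RDupR=3 RFail=1 RFErr=0 RErr=0 RAXFR=1 RLame=376 ROpts=0 SSysQ=466 SAns=9788 SFwdQ=843 SDupQ=430 SErr=0 RQ=10653 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=51 SFwdR=967 SFail=0 SFErr=0 SNaAns=7393 SNXD=350
Jan  3 16:51:15 10550 named[251]: XSTATS 946914675 946480873 RR=2616 RNXD=174 RFwdR=1405 RDupR=5 RFail=1 RFErr=0 RErr=0 RAXFR=3 RLame=408 ROpts=0 SSysQ=665 SAns=14070 SFwdQ=1234 SDupQ=497 SErr=0 RQ=15315 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=53 SFwdR=1405 SFail=0 SFErr=0 SNaAns=10733 SNXD=564
Jan  4 14:21:16 10550 named[251]: XSTATS 946992076 946480873 RR=3057 RNXD=217 RFwdR=1688 RDupR=7 RFail=1 RFErr=0 RErr=0 RAXFR=3 RLame=432 ROpts=0 SSysQ=775 SAns=16612 SFwdQ=1471 SDupQ=553 SErr=0 RQ=18090 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=53 SFwdR=1688 SFail=0 SFErr=0 SNaAns=12795 SNXD=647
Jan  4 14:51:16 10550 named[251]: XSTATS 946993876 946480873 RR=3507 RNXD=217 RFwdR=1697 RDupR=7 RFail=1 RFErr=0 RErr=0 RAXFR=3 RLame=860 ROpts=0 SSysQ=813 SAns=16674 SFwdQ=1490 SDupQ=979 SErr=0 RQ=18171 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=53 SFwdR=1697 SFail=0 SFErr=0 SNaAns=12839 SNXD=649
Jan  4 15:51:16 10550 named[251]: XSTATS 946997476 946480873 RR=3603 RNXD=223 RFwdR=1724 RDupR=7 RFail=2 RFErr=0 RErr=0 RAXFR=3 RLame=913 ROpts=0 SSysQ=828 SAns=16799 SFwdQ=1515 SDupQ=1031 SErr=0 RQ=18321 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=53 SFwdR=1724 SFail=0 SFErr=0 SNaAns=12941 SNXD=654
Jan  5 10:00:00 10550 named[300]: XSTATS 947066400 947060000 RR=10 RLame=0 SSysQ=2 SDupQ=0 RQ=40
"""

# Constructed sample: two "starting." lines as the thread shows them. "^I" is
# caret notation for a TAB (0x09) inside the version banner; the archive also
# munges the builder's e-mail address, which is kept here as shown.
SAMPLE_STARTING = """\
May 11 18:20:53 10550 named[19306]: starting. named 8.1.2 Thu Sep 24 02:47:08 EDT 1998 ^Iroot () porky redhat com:/usr/src/bs/BUILD/src/bin/named
May 11 18:22:40 10550 named[19421]: starting. named 8.2 Wed Mar 31 10:57:12 EST 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
"""

_PREFIX = r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[(?P<pid>\d+)\]: "
STATS_RE = re.compile(_PREFIX + r"(?P<kind>XSTATS|NSTATS) (?P<now>\d+) (?P<boot>\d+) (?P<body>.*)$")
START_RE = re.compile(_PREFIX + r"starting\.\s+named (?P<version>.*)$")

Report = namedtuple("Report", "stamp pid now boot counters")


def parse_reports(text, kind="XSTATS"):
    """Return one Report per XSTATS (or NSTATS) line, counters as {name: int}."""
    reports = []
    for line in text.splitlines():
        m = STATS_RE.match(line)
        if not m or m["kind"] != kind:
            continue
        counters = {}
        for tok in m["body"].split():
            key, eq, val = tok.partition("=")
            if eq and val.isdigit():
                counters[key] = int(val)
        reports.append(Report(m["stamp"], int(m["pid"]), int(m["now"]), int(m["boot"]), counters))
    return reports


def parse_restarts(text):
    """Return (stamp, pid, version) for each "starting." line, with the pager's
    "^I" turned back into a real TAB so banners compare equal either way."""
    out = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            out.append((m["stamp"], int(m["pid"]), m["version"].replace("^I", "\t")))
    return out


def interval_deltas(reports):
    """Pair consecutive reports with per-counter deltas. deltas is None across a
    restart (new <boot> or pid): the counters started over, so subtracting is bogus."""
    pairs = []
    for prev, cur in zip(reports, reports[1:]):
        if cur.boot != prev.boot or cur.pid != prev.pid:
            pairs.append((prev, cur, None))
        else:
            pairs.append((prev, cur, {k: v - prev.counters.get(k, 0) for k, v in cur.counters.items()}))
    return pairs


def flag_spikes(prev, cur, deltas, factor=10.0, min_delta=20):
    """Counters whose per-hour rate in this interval exceeds `factor` times the
    daemon's average rate since boot (as of the previous report). min_delta
    stops a counter that moved from 0 to 2 from being called a spike."""
    if deltas is None:
        return {}
    hours = (cur.now - prev.now) / 3600.0
    since_boot = (prev.now - prev.boot) / 3600.0
    if hours <= 0 or since_boot <= 0:
        return {}
    flagged = {}
    for k, d in deltas.items():
        if d < min_delta:
            continue
        rate = d / hours
        baseline = prev.counters.get(k, 0) / since_boot
        # A counter never seen before boot gets a floor of one event per lifetime.
        if rate > factor * max(baseline, 1.0 / since_boot):
            flagged[k] = (d, round(rate, 1), round(baseline, 2))
    return flagged


if __name__ == "__main__":
    for stamp, pid, version in parse_restarts(SAMPLE_STARTING):
        print(f"{stamp} pid {pid} restart, banner {version!r}")
    for prev, cur, deltas in interval_deltas(parse_reports(SAMPLE_LOG)):
        if deltas is None:
            print(f"{prev.stamp} -> {cur.stamp}: counters reset (boot {prev.boot} -> {cur.boot})")
        else:
            print(f"{prev.stamp} -> {cur.stamp}: {flag_spikes(prev, cur, deltas) or 'nothing unusual'}")
```

On the thread's own numbers the 14:21 to 14:51 window on Jan 4 stands out: RLame, RR and SDupQ each grow by more than 400 in half an hour while RQ (queries received) grows by 81, so the extra lame responses and duplicate queries come from the server's own resolution attempts rather than from a burst of client traffic. The script only points at the window; what named was chasing in it has to come from the "Lame server on" lines or a packet capture.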
Current thread:
- Re: LJK2 rootkit? Felix Schueren (May 17)
- Re: LJK2 rootkit? Chad Thunberg (May 18)
- <Possible follow-ups>
- Re: LJK2 rootkit? . Hecix (May 19)