Re: LJK2 rootkit?

[chadth () OBFUSTECH COM (Chad Thunberg)]

The "^" in your logs suggests they have been edited.  Since your box has
been comprimised, your logs should be considered worthless.  Look into
running a remote syslogd box that does nothing but do logging for all your
"public" servers.

-Chad

> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Felix Schueren
> Sent: Wednesday, May 17, 2000 10:46 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: LJK2 rootkit?
>
>
> First off, thanks for the replies so far. I've analyzed the logs
> a bit, and
> while I suspected being hacked through a bind exploit (the machine was
> running BIND 8.1.2), I found nothing to prove that:
>
>
> May 11 18:20:53 10550 named[19306]: starting.  named 8.1.2 Thu Sep 24
> 02:47:08 EDT 1998 ^Iroot () porky redhat com:/usr/src/bs/BUILD/src/bin/named
> May 11 18:22:40 10550 named[19421]: starting.  named 8.2 Wed Mar
> 31 10:57:12
> EST
> 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
>
> May 14 19:10:30 10550 named[1918]: starting.  named 8.2 Wed Mar
> 31 10:57:12
> EST
> 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
> May 14 19:10:32 10550 named[1922]: starting.  named 8.2 Wed Mar
> 31 10:57:12
> EST
> 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
> May 14 19:10:35 10550 named[1926]: starting.  named 8.2 Wed Mar
> 31 10:57:12
> EST
> 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
> May 14 19:10:42 10550 named[1956]: starting.  named 8.2 Wed Mar
> 31 10:57:12
> EST
> 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2/src/bin/named
> May 14 20:49:39 10550 named[5266]: starting.  named 8.2.2-P3 Thu Nov 11
> 00:04:50 EST
> 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2.2_P3/
> src/bin/named
> May 14 20:49:52 10550 named[5307]: starting.  named 8.2.2-P3 Thu Nov 11
> 00:04:50 EST
> 1999^Iroot () porky devel redhat com:/usr/src/bs/BUILD/bind-8.2.2_P3/
> src/bin/named
>
>
> On May 11th, BIND 8.2 (RedHat: bind-8.2-6.i386.rpm) was installed, then on
> May 14th BIND 8.2.2-P3. I've checked with my colleagues, and it
> appears both
> of those installs (and the corresponding odd numbers of named
> restarts) were
> caused by them.
> How vulnerable would BIND 8.2 have been, and how likely is it that the
> intruder got in before May 11th (the first BIND update)? Here's an
> oddity from the older logs:
>
> ++++++++++++++++++
> Jan  2 04:21:14 10550 named[251]: Cleaned cache of 9 RRs
> Jan  2 04:21:14 10550 named[251]: USAGE 946783274 946480873
> CPU=3.06u/1.11s
> CHILDCPU=0u/0s
> Jan  2 04:21:14 10550 named[251]: NSTATS 946783274 946480873
> A=2903 SOA=1386
> PTR=6168 MX=55 AXFR=1 ANY=140
> Jan  2 04:21:14 10550 named[251]: XSTATS 946783274 946480873 RR=1900
> RNXD=128 RFwdR=967 RDupR=3 RFail=1 RFErr=0 RErr=0 RAXFR=1
> RLame=376 ROpts=0
> SSysQ=466 SAns=9788 SFwdQ=843 SDupQ=430 SErr=0 RQ=10653 RIQ=0
> RFwdQ=0 RDupQ=0
> RTCP=51 SFwdR=967 SFail=0 SFErr=0 SNaAns=7393 SNXD=350
>
> Jan  3 16:41:28 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [128.8.10.90].53 'D.ROOT-SERVERS.net'
> Jan  3 16:41:28 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [192.5.5.241].53 'F.ROOT-SERVERS.net'
> Jan  3 16:41:29 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [198.41.0.4].53 'A.ROOT-SERVERS.net'
> Jan  3 16:41:29 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [128.63.2.53].53 'H.ROOT-SERVERS.net'
> Jan  3 16:41:29 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [192.36.148.17].53 'I.ROOT-SERVERS.net'
> Jan  3 16:41:29 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [192.33.4.12].53 'C.ROOT-SERVERS.net'
> Jan  3 16:41:30 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [192.203.230.10].53 'E.ROOT-SERVERS.net'
> Jan  3 16:41:30 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [207.159.77.18].53 'F.GTLD-SERVERS.net'
> Jan  3 16:41:30 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [128.9.0.107].53 'B.ROOT-SERVERS.net'
> Jan  3 16:41:31 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [192.112.36.4].53 'G.ROOT-SERVERS.net'
> Jan  3 16:41:31 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [195.8.99.11].53 'K.GTLD-SERVERS.net'
> Jan  3 16:41:32 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [198.41.0.21].53 'J.GTLD-SERVERS.net'
>
> Jan  3 16:51:15 10550 named[251]: Cleaned cache of 9 RRs
> Jan  3 16:51:15 10550 named[251]: USAGE 946914675 946480873
> CPU=4.48u/1.59s
> CHILDCPU=0u/0s
> Jan  3 16:51:15 10550 named[251]: NSTATS 946914675 946480873
> A=3980 SOA=2010
> PTR=9043 MX=70 AXFR=3 ANY=209
> Jan  3 16:51:15 10550 named[251]: XSTATS 946914675 946480873 RR=2616
> RNXD=174 RFwdR=1405 RDupR=5 RFail=1 RFErr=0 RErr=0 RAXFR=3
> RLame=408 ROpts=0
> SSysQ=665 SAns=14070 SFwdQ=1234 SDupQ=497 SErr=0 RQ=15315 RIQ=0
> RFwdQ=0 RDupQ=0
> RTCP=53 SFwdR=1405 SFail=0 SFErr=0 SNaAns=10733 SNXD=564
>
> Jan  4 14:21:16 10550 named[251]: Cleaned cache of 16 RRs
> Jan  4 14:21:16 10550 named[251]: USAGE 946992076 946480873
> CPU=5.31u/2.09s
> CHIL
> DCPU=0u/0s
> Jan  4 14:21:16 10550 named[251]: NSTATS 946992076 946480873
> A=4561 SOA=2350
> PTR=10843 MX=84 AXFR=3 ANY=249
> Jan  4 14:21:16 10550 named[251]: XSTATS 946992076 946480873 RR=3057
> RNXD=217 RFwdR=1688 RDupR=7 RFail=1 RFErr=0 RErr=0 RAXFR=3
> RLame=432 ROpts=0
> SSysQ=775 SAns=16612 SFwdQ=1471 SDupQ=553 SErr=0 RQ=18090 RIQ=0 RFwdQ=0
> RDupQ=0 RTCP=53 SFwdR=1688 SFail=0 SFErr=0 SNaAns=12795 SNXD=647
>
> Jan  4 14:44:06 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [128.8.10.90].53 'D.ROOT-SERVERS.net'
> Jan  4 14:44:06 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [198.41.0.4].53 'A.ROOT-SERVERS.net'
> Jan  4 14:44:06 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [128.63.2.53].53 'H.ROOT-SERVERS.net'
> Jan  4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [192.33.4.12].53 'C.ROOT-SERVERS.net'
> Jan  4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [192.112.36.4].53 'G.ROOT-SERVERS.net'
> Jan  4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [192.5.5.241].53 'F.ROOT-SERVERS.net'
> Jan  4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [128.9.0.107].53 'B.ROOT-SERVERS.net'
> Jan  4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [192.36.148.17].53 'I.ROOT-SERVERS.net'
> Jan  4 14:44:07 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [192.203.230.10].53 'E.ROOT-SERVERS.net'
> Jan  4 14:44:08 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [207.159.77.18].53 'F.GTLD-SERVERS.net'
> Jan  4 14:44:08 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [198.41.0.21].53 'J.GTLD-SERVERS.net'
> Jan  4 14:44:08 10550 named[251]: Lame server on 'ns.ba.ecore.net' (in
> 'ecore.net'?): [195.8.99.11].53 'K.GTLD-SERVERS.net'
>
> Jan  4 14:51:16 10550 named[251]: Cleaned cache of 49 RRs
> Jan  4 14:51:16 10550 named[251]: USAGE 946993876 946480873
> CPU=5.46u/2.11s
> CHILDCPU=0u/0s
> Jan  4 14:51:16 10550 named[251]: NSTATS 946993876 946480873
> A=4576 SOA=2365
> PTR=10891 MX=84 AXFR=3 ANY=252
> Jan  4 14:51:16 10550 named[251]: XSTATS 946993876 946480873 RR=3507
> RNXD=217 RFwdR=1697 RDupR=7 RFail=1 RFErr=0 RErr=0 RAXFR=3
> RLame=860 ROpts=0
> SSysQ=813 SAns=16674 SFwdQ=1490 SDupQ=979 SErr=0 RQ=18171 RIQ=0 RFwdQ=0
> RDupQ=0 RTCP=53 SFwdR=1697 SFail=0 SFErr=0 SNaAns=12839 SNXD=649
>
> Jan  4 15:49:18 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [193.0.14.129].53 'K.ROOT-SERVERS.NET'
> Jan  4 15:49:18 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [202.12.27.33].53 'M.ROOT-SERVERS.NET'
> Jan  4 15:49:19 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [198.41.0.10].53 'J.ROOT-SERVERS.NET'
> Jan  4 15:49:19 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [198.32.64.12].53 'L.ROOT-SERVERS.NET'
> Jan  4 15:49:19 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [128.8.10.90].53 'D.ROOT-SERVERS.NET'
> Jan  4 15:49:20 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [192.112.36.4].53 'G.ROOT-SERVERS.NET'
> Jan  4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [192.33.4.12].53 'C.ROOT-SERVERS.NET'
> Jan  4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [192.5.5.241].53 'F.ROOT-SERVERS.NET'
> Jan  4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [128.9.0.107].53 'B.ROOT-SERVERS.NET'
> Jan  4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [192.36.148.17].53 'I.ROOT-SERVERS.NET'
> Jan  4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [192.203.230.10].53 'E.ROOT-SERVERS.NET'
> Jan  4 15:49:21 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [198.41.0.4].53 'A.ROOT-SERVERS.NET'
> Jan  4 15:49:22 10550 named[251]: Lame server on 'ns.ecore.net' (in
> 'ecore.net'?): [128.63.2.53].53 'H.ROOT-SERVERS.NET'
>
> Jan  4 15:51:16 10550 named[251]: Cleaned cache of 49 RRs
> Jan  4 15:51:16 10550 named[251]: USAGE 946997476 946480873
> CPU=5.53u/2.13s
> CHILDCPU=0u/0s
> Jan  4 15:51:16 10550 named[251]: NSTATS 946997476 946480873
> A=4608 SOA=2376
> PTR=10987 MX=85 AXFR=3 ANY=262
> Jan  4 15:51:16 10550 named[251]: XSTATS 946997476 946480873 RR=3603
> RNXD=223 RFwdR=1724 RDupR=7 RFail=2 RFErr=0 RErr=0 RAXFR=3
> RLame=913 ROpts=0
> SSysQ=828 SAns=16799 SFwdQ=1515 SDupQ=1031 SErr=0 RQ=18321 RIQ=0 RFwdQ=0
> RDupQ=0 RTCP=53 SFwdR=1724 SFail=0 SFErr=0 SNaAns=12941 SNXD=654
>
>
> +++++++++++++++++
> On Jan 2 we have RLame=376, after the "regular" ecore.net "Lame server on"
> messages on Jan 3 we have RLame=408. Now on Jan 4, very similiar picture,
> but we jump from 432 to 860 betwen 14:21 and 14:51, and then to 913 at
> 15:51. And Ideas where the large jump comes from? There's no
> named restarts
> or anything named-related logged besides what I put here...
>
>
> Any other ideas what to look for in the logs to get a clue on how
> the system
> was hacked? Sadly, it's just plain default syslogging on this machine...
>
> regards,
>
> felix
>
> --
> ------------------------------------------------------------
> Felix Schüren, fs () one-2-one net, Technik
>
> ONE-2-ONE Advertising + Telecommunications GmbH
> Theodor-Heuss-Str. 92-100, 51149 Koeln, Germany
> Telefon (01805) 6632-66 Telefax (01805) 6632-33
> info () one-2-one net     http://www.one-2-one.net
> Geschaeftsfuehrer:Mike Behrendt,HRB 28495 Koeln