Security Incidents mailing list archives
Re: hpd, afb, sc, and sn
From: deadcalm () treshna com
Date: Mon, 23 Dec 2002 03:49:33 +0000
Congratulations Gordon, it looks like you've found a new (unpublished) rootkit. A rootkit is what a hacker uses to hide and often includes backdoors for later access. As this is a binary-layer (as opposed to library or kernel) rootkit, and the rootkit is 'unknown', the skill of your attacker is beginner to intermediate. How your attacker gained access cannot be determined by the rootkit deployed, except under circumstances when it is an identifiable rootkit used exclusively with a worm or auto-rooter.

The best thing you can do when you've been hacked is to power off the server without touching the keyboard or logging in. The reason for this is to preserve evidence where possible. It is best to then 'dd' (use 'man dd' for more info) to copy the hard disk images and then examine them offline. If however you are able to log in to the server without adjusting wtmp or utmp (i.e. you overflow to get a shell) then you are in a 'better' position to recover the memory contents (which you would lose had you simply powered down the server).

The leading open source software to deal with intrusions like this is The Coroner's Toolkit (http://www.fish.com/tct/). @stake have produced two open source software packages to be used with TCT, they are:

1] The @stake Sleuth Kit (TASK) (http://www.atstake.com/research/tools/task)
2] The Autopsy Forensic Browser (http://www.atstake.com/research/tools/autopsy/)

The ChkRootkit project will detect 'known' rootkits (http://www.chkrootkit.org/).
According to an rpm -V, all kinds of binaries have been changed: ps, top, netstat, ifconfig, ...
ps and top were modified to hide processes, netstat to hide network connections, and ifconfig to hide PROMISC mode. At least this is true for most rootkits. Could you please send the modified binaries to the list, and if possible make disk images of the hacked server available, à la the Honeynet Project.

On 20 Dec 2002 14:11:31 -0700 Gordon Chamberlin <glac () visualize com> wrote:
I found suspicious looking files on a Redhat 7.1 Linux server earlier today. Can anyone confirm or deny that the machine has been hacked?

The files:

    /usr/bin/hpd
    /usr/bin/afb
    /usr/bin/sn

The following line is in /etc/rc.local:

    /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null

The contents of hpd are:

    #!/bin/sh
    /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
    /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null

nmap reports the following ports open:

    Port      State   Service
    5/tcp     open    rje
    22/tcp    open    ssh
    25/tcp    open    smtp
    53/tcp    open    domain
    80/tcp    open    http
    111/tcp   open    sunrpc
    443/tcp   open    https
    808/tcp   open    unknown
    1024/tcp  open    kdm
    3306/tcp  open    mysql
    7000/tcp  open    afs3-fileserver
    8009/tcp  open    ajp13

According to an rpm -V, all kinds of binaries have been changed: ps, top, netstat, ifconfig, ...

I copied a good version of ps in and found the two afb processes running. Anyone know about this hack, what afb does and/or how they usually get in?

Embarrassedly,
-Gordon

--
Gordon Chamberlin
Software Architect
Visualize, Inc.
http://www.visualize.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
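The thread's key detection clue is the mismatch between what nmap sees from outside (5/tcp and 7000/tcp open) and what a trojaned netstat admits to on the host. The script below is an added example, not code from the thread or from any of the tools it mentions; it parses the two views and reports listeners that are reachable externally but missing locally. The nmap and netstat samples are constructed to mirror the quoted port list.

```python
import re

# Constructed sample, modelled on the nmap output quoted in the thread (trimmed).
NMAP_OUTPUT = """\
Port State Service
5/tcp open rje
22/tcp open ssh
25/tcp open smtp
80/tcp open http
7000/tcp open afs3-fileserver
"""

# Constructed sample of what a trojaned `netstat -ltn` on the same host might
# show: the backdoor listeners on 5/tcp and 7000/tcp started by /usr/bin/hpd
# are filtered out by the modified binary, so only the real services remain.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

NMAP_LINE = re.compile(r"^(\d+)/tcp\s+open\b")
NETSTAT_LINE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")


def nmap_open_tcp_ports(text):
    """Set of TCP ports that an external nmap scan reported as open."""
    return {int(m.group(1)) for line in text.splitlines()
            if (m := NMAP_LINE.match(line))}


def netstat_listening_tcp_ports(text):
    """Set of TCP ports the host's own netstat claims are in LISTEN state."""
    return {int(m.group(1)) for line in text.splitlines()
            if (m := NETSTAT_LINE.match(line))}


def hidden_listeners(nmap_text, netstat_text):
    """Ports open from outside that local netstat does not show. A non-empty
    result means the host's view is being filtered (trojaned netstat, or a
    hidden process), which is exactly the symptom described in the thread."""
    return sorted(nmap_open_tcp_ports(nmap_text)
                  - netstat_listening_tcp_ports(netstat_text))


if __name__ == "__main__":
    for port in hidden_listeners(NMAP_OUTPUT, NETSTAT_OUTPUT):
        print(f"{port}/tcp is open externally but absent from local netstat")
```

Run the external scan from a separate, trusted machine; the local side is only meaningful if captured before the host is powered off, and a known-good netstat binary (as Gordon did with ps) makes the comparison more reliable.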
Current thread:
- hpd, afb, sc, and sn Gordon Chamberlin (Dec 20)
- Re: hpd, afb, sc, and sn gminick (Dec 23)
- Re: hpd, afb, sc, and sn Greg Barnes (Dec 23)
- Re: hpd, afb, sc, and sn Brad Arlt (Dec 23)
- RE: hpd, afb, sc, and sn Bojan Zdrnja (Dec 23)
- Re: hpd, afb, sc, and sn deadcalm (Dec 23)