Security Incidents mailing list archives

Machine compromised


From: Jan van Rensburg <jan.van.rensburg () epiuse com>
Date: Wed, 9 Jan 2002 19:02:35 +0200

Hi,
One of our servers that's literally on the other side of the globe has been
compromised on Saturday, 5 Jan. I'm not sure how the person got in, but it
has to be either exim (early 2.x version), University of Washington IMAP/POP
v 1.5.1 or Apache 1.3.9. It could also be that it was through ssh-1.2.26,
although this is supposed to be firewall filtered, so I doubt it. The base
machine is RedHat-5.2, but a lot has been changed since the original install
about 3 years ago. 

The rootkits installed appear to be similar to
http://openbsd.org.br/ouah/compromisenov25.htm. A version of the tr0n v8
rootkit also seems to be on the machine but not used. 

I'm cleaning up as best as I can until we can ship a new disk to be
installed. Overall, it looks like the attempt was unsuccessful. The
/etc/rc.d/init.d/network script has been replaced and among the suspicious
lines are: 

        /usr/bin/ssh2d -q
        cd /usr/src/.lib;./lpsched

lpsched is a program to capture usernames/passwords on the network. It was
running when I found the machine but I killed the procs. I found a core file
of /usr/bin/ssh2d under /etc/rc.d/init.d, so obviously that did not work too
well. But the network didn't start up at all, because the replaced network
file assumes RedHat-7.0 or later. 

But now for the question. I can't seem to do anything to /usr/bin/ssh2d and
/etc/rc.d/init.d/network. I can't remove, move, or change permissions on them in
any way. 

# stat /usr/bin/ssh2d /etc/rc.d/init.d/network
  File: "/usr/bin/ssh2d"
  Size: 205288       Filetype: Regular File
  Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
Device:  8,0   Inode: 4119      Links: 1
Access: Wed Jan  9 18:09:19 2002(00000.00:54:46)
Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)

  File: "/etc/rc.d/init.d/network"
  Size: 5140         Filetype: Regular File
  Mode: (0755/-rwxr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
Device:  8,0   Inode: 121925    Links: 1
Access: Wed Jan  9 18:58:44 2002(00000.00:05:21)
Modify: Sat Jan  5 14:43:32 2002(00004.04:20:33)
Change: Sat Jan  5 14:43:34 2002(00004.04:20:31)

But, for example: 
# mv ssh2d ssh2d_foo
mv: cannot move `ssh2d' to `ssh2d_foo': Operation not permitted

As far as I can see lsmod has not been trojaned, and it doesn't look like
there's any suspicious kernel modules loaded. So why do I get 'Operation not
permitted' when I try to do anything to the files?

Thank you,
Jan van Rensburg

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
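One thing a responder would check on a box showing exactly this symptom (root gets "Operation not permitted" on rename, unlink and chmod, while stat shows ordinary 0755 root-owned files and no suspicious modules) is the ext2/ext3 immutable (`i`) and append-only (`a`) file attributes. They are set with `chattr`, are invisible to `ls` and `stat`, and are only revealed by `lsattr`; rootkit install scripts commonly set `+i` on their replaced binaries and init scripts. The script below is an added example and is not from the original post or the list: it parses `lsattr -d` output lines (the `flags_from_lsattr_line` helper) and runs `lsattr` over a list of paths, reporting which carry `i` or `a`. The function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): report files that carry the
# ext2/ext3 immutable (i) or append-only (a) attribute, which make rename,
# unlink and chmod fail with EPERM even for root although the mode bits
# shown by stat look normal.
#
# Caveat for compromised hosts: lsattr, chattr and even the shell may have
# been replaced. Run these from known-good media (or a rescue boot) and treat
# the output as a lead, not as proof that a file is clean.

# flags_from_lsattr_line LINE
# Parses one line of `lsattr -d` output ("<attrs> <path>") and prints the
# suspicious attribute letters found among i and a, or "none".
flags_from_lsattr_line() {
    line=$1
    attrs=${line%% *}        # first field is the attribute string
    found=""
    case $attrs in *i*) found="${found}i" ;; esac
    case $attrs in *a*) found="${found}a" ;; esac
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
    else
        printf 'none\n'
    fi
}

# check_paths PATH...
# Runs `lsattr -d` on each path and prints "path: flags". Returns 1 if any
# file carries i or a, 0 otherwise, so it can gate further triage steps.
check_paths() {
    rc=0
    for p in "$@"; do
        if ! out=$(lsattr -d -- "$p" 2>/dev/null); then
            printf '%s: lsattr failed (not ext2/ext3, or tool missing)\n' "$p"
            continue
        fi
        f=$(flags_from_lsattr_line "$out")
        printf '%s: %s\n' "$p" "$f"
        [ "$f" = none ] || rc=1
    done
    return $rc
}

# Constructed sample lines (not real output from any machine) showing what
# the parser sees: the first would explain the EPERM, the second is clean.
SAMPLE_IMMUTABLE='----i--------e-- /usr/bin/ssh2d'
SAMPLE_CLEAN='-------------e-- /etc/rc.d/init.d/network.orig'

# When run directly with arguments, check the given paths, e.g.
#   sh lsattr-check.sh /usr/bin/ssh2d /etc/rc.d/init.d/network
if [ "$#" -gt 0 ]; then
    check_paths "$@"
fi
```

If `lsattr` shows `i`, `chattr -i` from a trusted copy of the tool clears the attribute, but only while the kernel still has CAP_LINUX_IMMUTABLE available; if the capability bounding set has been narrowed, the attribute cannot be cleared without a reboot. Either way, the attribute is evidence, not the problem itself: the plan in the post of replacing the disk rather than cleaning in place remains the sound call once a rootkit has been on the box.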

