# Hacked via distcc?

## kybber

I just noticed a suspicious-looking set of directories in my /var/tmp folder. The full set of files and folders is shown at the end of this post.

It seems like someone has tried to install an ftp server on my box. Since the owner of the files is distcc, I suppose they may have broken in through a hole in distccd which was running? You'll notice that the directories called 'stuff' and 'standard/log' were created on August 25th at around quarter past 18. At around that time distcc happened to be active on a job from an unknown computer located in Italy:

```
Aug 25 18:07:52 HOSTNAME distccd[1913]: (dcc_check_client) connection from 62.94.189.98:32911
Aug 25 18:07:52 HOSTNAME distccd[1913]: compile from main.c to main.o
Aug 25 18:07:52 HOSTNAME distccd[1913]: (dcc_r_file_timed) 10 bytes received in 0.027105s, rate 0kB/s
Aug 25 18:07:52 HOSTNAME distccd[1913]: (dcc_collect_child) cc times: user 0.010000s, system 0.000000s, 50 minflt, 490 majflt
Aug 25 18:07:52 HOSTNAME distccd[1913]: sh on localhost completed ok
Aug 25 18:07:52 HOSTNAME distccd[1913]: job complete
Aug 25 18:08:05 HOSTNAME distccd[1970]: (dcc_check_client) connection from 62.94.189.98:32912
Aug 25 18:08:05 HOSTNAME distccd[1970]: compile from main.c to main.o
Aug 25 18:08:05 HOSTNAME distccd[1970]: (dcc_r_file_timed) 10 bytes received in 0.000182s, rate 54kB/s
Aug 25 18:48:43 HOSTNAME distccd[1970]: (dcc_collect_child) cc times: user 0.060000s, system 0.280000s, 1195 minflt, 4885 majflt
Aug 25 18:48:43 HOSTNAME distccd[1970]: sh on localhost completed ok
Aug 25 18:48:43 HOSTNAME distccd[1970]: job complete
```

Does anyone know how this happened? Did they really break in via distcc?

Furthermore, how can I make sure my PC is free of the intruders and prevent this from happening again?

```
>pwd
/var/tmp
>ls -lR .tmp/
.tmp/:
total 3880
-rw-r--r--   1 distcc daemon 3960072 Apr 30 02:48 ls-lR.gz
drwx------   8 distcc daemon    4096 May 10  2001 standard
drwxr-xr-x  15 distcc daemon    4096 Aug 25 18:17 stuff

.tmp/standard:
total 24
drwx------  4 distcc daemon 4096 Jul 30 00:10 bin
drwx------  4 distcc daemon 4096 Aug 27 00:01 etc
drwx------  2 distcc daemon 4096 May 10  2001 help
drwx------  3 distcc daemon 4096 Aug 25 18:13 log
drwx------  5 distcc daemon 4096 May 10  2001 msg
drwx------  2 distcc daemon 4096 Jul 30 00:10 sbin

.tmp/standard/bin:
total 256
-rwxr-xr-x  1 distcc daemon 13308 Jul 28 15:40 checksum
-rwx------  1 distcc daemon  8961 May 10  2001 dirdupe.pl
-rwx------  1 distcc daemon  3274 May 10  2001 dirundupe.pl
-rwx------  1 distcc daemon  5399 May 10  2001 fillrequest.pl
-rwx------  1 distcc daemon  2941 May 10  2001 force_sfv.pl
-rwxr-xr-x  1 distcc daemon 21466 Jul 28 15:40 glconv
-rwxr-x---  1 distcc daemon 11677 May 11  2001 glconv.pl
drwx------  2 distcc daemon  4096 May 10  2001 grp
-rwx------  1 distcc daemon  2356 May 10  2001 infoline.pl
-rwx------  1 distcc daemon  6495 May 10  2001 lastdirs.pl
-rwx------  1 distcc daemon  5395 May 10  2001 mkdir.pl
-rwxr-xr-x  1 distcc daemon 28842 Jul 30 00:10 msg
-rwx------  1 distcc daemon   165 May 10  2001 msgcheck.sh
-rwx------  1 distcc daemon  6006 May 10  2001 nuke.pl
-rwx------  1 distcc daemon  2625 May 10  2001 oneliner.pl
-rwx------  1 distcc daemon  6352 May 10  2001 pre.pl
-rwx------  1 distcc daemon 39529 May 10  2001 primecheck.pl
-rw-------  1 distcc daemon  7988 May 10  2001 primetools.pm
-rwx------  1 distcc daemon  5336 May 10  2001 request.pl
-rwx------  1 distcc daemon  1145 May 10  2001 rules.sh
-rwx------  1 distcc daemon 13379 May 10  2001 sitebot.pl
-rwx------  1 distcc daemon 11619 May 10  2001 stats.pl
-rwx------  1 distcc daemon   845 May 10  2001 test
drwx------  2 distcc daemon  4096 May 10  2001 usr

.tmp/standard/bin/grp:
total 0

.tmp/standard/bin/usr:
total 0

.tmp/standard/etc:
total 56
-rw-------  1 distcc daemon   54 May 10  2001 cdpath.cfg
-rw-------  1 distcc daemon   81 May 10  2001 check.cfg
-rw-------  1 distcc daemon   77 May 10  2001 checkdirdupe.cfg
-rw-------  1 distcc daemon   16 May 10  2001 checkdupe.cfg
-rw-------  1 distcc daemon  902 May 10  2001 customcmd.cfg
-rw-------  1 distcc daemon   35 May 10  2001 dirshortcut.cfg
-rw-r--r--  1 distcc daemon  802 Aug 20 19:35 ftpd.reg
-rw-------  1 distcc daemon  176 Aug 25 18:18 groups
-rw-------  1 distcc daemon  102 May 10  2001 limits.cfg
-rw-------  1 distcc daemon 2436 May 10  2001 rel_nfo.lst
drwx------  2 distcc daemon 4096 May 10  2001 sections
-rw-------  1 distcc daemon  558 May 10  2001 sections.cfg
drwx------  2 distcc daemon 4096 Aug 27 00:01 stats
-rw-------  1 distcc daemon 1984 Aug 27 00:01 users

.tmp/standard/etc/sections:
total 32
-rw-------  1 distcc daemon 1172 May 10  2001 0day.cfg
-rw-------  1 distcc daemon 1609 May 10  2001 default.cfg
-rw-------  1 distcc daemon 1362 May 10  2001 groups.cfg
-rw-------  1 distcc daemon 1217 May 10  2001 iso.cfg
-rw-------  1 distcc daemon 1195 May 10  2001 mp3.cfg
-rw-------  1 distcc daemon 1156 May 10  2001 private.cfg
-rw-------  1 distcc daemon 1527 May 10  2001 request.cfg
-rw-------  1 distcc daemon 1328 May 10  2001 video.cfg

.tmp/standard/etc/stats:
total 28
-rw-------  1 distcc daemon 488 Aug 27 00:01 0day.stat
-rw-------  1 distcc daemon 488 Aug 27 00:01 default.stat
-rw-------  1 distcc daemon 488 Aug 27 00:01 groups.stat
-rw-------  1 distcc daemon 488 Aug 27 00:01 iso.stat
-rw-------  1 distcc daemon 488 Aug 27 00:01 mp3.stat
-rw-------  1 distcc daemon 488 Aug 27 00:01 request.stat
-rw-------  1 distcc daemon 488 Aug 27 00:01 video.stat

.tmp/standard/help:
total 356
-rw-------  1 distcc daemon  114 May 10  2001 addgroupop.privileged
-rw-------  1 distcc daemon   86 May 10  2001 addgrp.privileged
-rw-------  1 distcc daemon  122 May 10  2001 addip.privileged
-rw-------  1 distcc daemon   85 May 10  2001 addnuker.privileged
-rw-------  1 distcc daemon  112 May 10  2001 addsiteop.privileged
-rw-------  1 distcc daemon   89 May 10  2001 addunduper.privileged
-rw-------  1 distcc daemon  265 May 10  2001 adduser.privileged
-rw-------  1 distcc daemon  152 May 10  2001 bind.privileged
-rw-------  1 distcc daemon   99 May 10  2001 chgrp.privileged
-rw-------  1 distcc daemon  910 May 10  2001 chmod.privileged
-rw-------  1 distcc daemon  925 May 10  2001 chmodr.privileged
-rw-------  1 distcc daemon  272 May 10  2001 chown.privileged
-rw-------  1 distcc daemon  323 May 10  2001 chownr.privileged
-rw-------  1 distcc daemon  236 May 10  2001 close.privileged
-rw-------  1 distcc daemon   75 May 10  2001 color
-rw-------  1 distcc daemon   68 May 10  2001 count
-rw-------  1 distcc daemon  168 May 10  2001 del.privileged
-rw-------  1 distcc daemon   84 May 10  2001 delgroupop.privileged
-rw-------  1 distcc daemon   89 May 10  2001 delgrp.privileged
-rw-------  1 distcc daemon  146 May 10  2001 delip.privileged
-rw-------  1 distcc daemon   88 May 10  2001 delnuker.privileged
-rw-------  1 distcc daemon   82 May 10  2001 delsiteop.privileged
-rw-------  1 distcc daemon   92 May 10  2001 delunduper.privileged
-rw-------  1 distcc daemon   97 May 10  2001 deluser.privileged
-rw-------  1 distcc daemon   66 May 10  2001 disable.privileged
-rw-------  1 distcc daemon  156 May 10  2001 dump.privileged
-rw-------  1 distcc daemon   64 May 10  2001 enable.privileged
-rw-------  1 distcc daemon   89 May 10  2001 exec.privileged
-rw-------  1 distcc daemon  302 May 10  2001 ff
-rw-------  1 distcc daemon   82 May 10  2001 fillrequest
-rw-------  1 distcc daemon  219 May 10  2001 gadduser
-rw-------  1 distcc daemon  269 May 10  2001 ginfo
-rw-------  1 distcc daemon  227 May 10  2001 give
-rw-------  1 distcc daemon 1304 May 10  2001 group.change.privileged
-rw-------  1 distcc daemon   50 May 10  2001 group.normal
-rw-------  1 distcc daemon  854 May 10  2001 group.privileged
-rw-------  1 distcc daemon  101 May 10  2001 groups.normal
-rw-------  1 distcc daemon  233 May 10  2001 groups.privileged
-rw-------  1 distcc daemon 2872 May 10  2001 help.normal
-rw-------  1 distcc daemon 6624 May 10  2001 help.privileged
-rw-------  1 distcc daemon   75 May 10  2001 idle
-rw-------  1 distcc daemon  261 May 10  2001 info
-rw-------  1 distcc daemon  443 May 10  2001 ipban.privileged
-rw-------  1 distcc daemon  508 May 10  2001 kick.privileged
-rw-------  1 distcc daemon   84 May 10  2001 kill.privileged
-rw-------  1 distcc daemon  114 May 10  2001 lgrp
-rw-------  1 distcc daemon   93 May 10  2001 luser
-rw-------  1 distcc daemon   85 May 10  2001 mod
-rw-------  1 distcc daemon  773 May 10  2001 msg
-rw-------  1 distcc daemon  203 May 10  2001 nuke
-rw-------  1 distcc daemon   70 May 10  2001 open.privileged
-rw-------  1 distcc daemon  208 May 10  2001 passwd
-rw-------  1 distcc daemon   24 May 10  2001 reconfig.privileged
-rw-------  1 distcc daemon  277 May 10  2001 reg.privileged
-rw-------  1 distcc daemon  210 May 10  2001 request
-rw-------  1 distcc daemon  101 May 10  2001 rights
-rw-------  1 distcc daemon   81 May 10  2001 run.privileged
-rw-------  1 distcc daemon  416 May 10  2001 sec.privileged
-rw-------  1 distcc daemon  244 May 10  2001 section.list.privileged
-rw-------  1 distcc daemon  244 May 10  2001 section.normal
-rw-------  1 distcc daemon 1519 May 10  2001 section.privileged
-rw-------  1 distcc daemon  287 May 10  2001 setginfo.privileged
-rw-------  1 distcc daemon  275 May 10  2001 setinfo.privileged
-rw-------  1 distcc daemon  206 May 10  2001 shutdown.privileged
-rw-------  1 distcc daemon   99 May 10  2001 stats
-rw-------  1 distcc daemon   73 May 10  2001 swho.privileged
-rw-------  1 distcc daemon   98 May 10  2001 take.privileged
-rw-------  1 distcc daemon   64 May 10  2001 traffic
-rw-------  1 distcc daemon  108 May 10  2001 undupe
-rw-------  1 distcc daemon  112 May 10  2001 unnuke
-rw-------  1 distcc daemon  377 May 10  2001 user.add.privileged
-rw-------  1 distcc daemon 4767 May 10  2001 user.change.privileged
-rw-------  1 distcc daemon  581 May 10  2001 user.list.privileged
-rw-------  1 distcc daemon  653 May 10  2001 user.normal
-rw-------  1 distcc daemon 2674 May 10  2001 user.privileged
-rw-------  1 distcc daemon  540 May 10  2001 user.reset.privileged
-rw-------  1 distcc daemon  100 May 10  2001 users
-rw-------  1 distcc daemon  377 May 10  2001 usr.add.privileged
-rw-------  1 distcc daemon 4714 May 10  2001 usr.change.privileged
-rw-------  1 distcc daemon  581 May 10  2001 usr.list.privileged
-rw-------  1 distcc daemon  653 May 10  2001 usr.normal
-rw-------  1 distcc daemon 2526 May 10  2001 usr.privileged
-rw-------  1 distcc daemon  540 May 10  2001 usr.reset.privileged
-rw-------  1 distcc daemon   83 May 10  2001 version
-rw-------  1 distcc daemon   69 May 10  2001 w
-rw-------  1 distcc daemon   69 May 10  2001 who

.tmp/standard/log:
total 16
-rw-------  1 distcc daemon    0 Aug 25 18:14 current.log
-rw-------  1 distcc daemon 1199 Aug 25 18:16 directory.log
-rw-------  1 distcc daemon 2481 Aug 25 18:14 ftpd.err
-rw-------  1 distcc daemon    6 Aug 25 18:12 ftpd.pid
-rw-------  1 distcc daemon    0 Aug 25 18:12 ftps.err
-rw-------  1 distcc daemon    0 May 10  2001 request.log
drwx------  2 distcc daemon 4096 Aug 25 18:12 stats

.tmp/standard/log/stats:
total 32
-rw-------  1 distcc daemon 145 Aug 27 18:22 day.txt
-rw-------  1 distcc daemon 145 Aug 27 18:22 efault.txt
-rw-------  1 distcc daemon 145 Aug 27 18:22 equest.txt
-rw-------  1 distcc daemon 145 Aug 27 18:22 global.txt
-rw-------  1 distcc daemon 145 Aug 27 18:22 ideo.txt
-rw-------  1 distcc daemon 145 Aug 27 18:22 p3.txt
-rw-------  1 distcc daemon 145 Aug 27 18:22 roups.txt
-rw-------  1 distcc daemon 145 Aug 27 18:22 so.txt

.tmp/standard/msg:
total 100
-rw-------  1 distcc daemon   39 May 10  2001 chdir
-rw-------  1 distcc daemon  256 May 10  2001 goodbye
drwx------  2 distcc daemon 4096 May 10  2001 grp
drwx------  2 distcc daemon 4096 May 10  2001 irc
-rw-------  1 distcc daemon   45 May 10  2001 list
-rw-------  1 distcc daemon   15 May 10  2001 mkdir
-rw-------  1 distcc daemon   17 May 10  2001 nuke
-rw-------  1 distcc daemon  248 May 10  2001 onel_tail
-rw-------  1 distcc daemon  746 May 10  2001 onel_top
-rw-------  1 distcc daemon  336 May 10  2001 req_tail
-rw-------  1 distcc daemon  738 May 10  2001 req_top
-rw-------  1 distcc daemon   76 May 10  2001 rmdir
-rw-------  1 distcc daemon  110 May 10  2001 rules
-rw-------  1 distcc daemon   41 May 10  2001 startup
-rw-------  1 distcc daemon  328 May 10  2001 stat_tail
-rw-------  1 distcc daemon  496 May 10  2001 stat_top
-rw-------  1 distcc daemon  410 May 10  2001 swho_body
-rw-------  1 distcc daemon  189 May 10  2001 swho_tail
-rw-------  1 distcc daemon  250 May 10  2001 swho_top
-rw-------  1 distcc daemon   17 May 10  2001 unnuke
drwx------  2 distcc daemon 4096 May 10  2001 usr
-rw-------  1 distcc daemon  637 May 10  2001 welcome
-rw-------  1 distcc daemon  343 May 10  2001 who_body
-rw-------  1 distcc daemon  189 May 10  2001 who_tail
-rw-------  1 distcc daemon  250 May 10  2001 who_top

.tmp/standard/msg/grp:
total 0

.tmp/standard/msg/irc:
total 60
-rw-------  1 distcc daemon 160 May 10  2001 complete
-rw-------  1 distcc daemon  82 May 10  2001 completetable_body
-rw-------  1 distcc daemon  75 May 10  2001 completetable_tail
-rw-------  1 distcc daemon 125 May 10  2001 completetable_top
-rw-------  1 distcc daemon 132 May 10  2001 fillrequest
-rw-------  1 distcc daemon  94 May 10  2001 joinrace
-rw-------  1 distcc daemon 102 May 10  2001 newdir
-rw-------  1 distcc daemon 180 May 10  2001 nuke
-rw-------  1 distcc daemon  36 May 10  2001 nukee
-rw-------  1 distcc daemon 129 May 10  2001 pre
-rw-------  1 distcc daemon  89 May 10  2001 race
-rw-------  1 distcc daemon  85 May 10  2001 request
-rw-------  1 distcc daemon 176 May 10  2001 unnuke
-rw-------  1 distcc daemon  36 May 10  2001 unnukee
-rw-------  1 distcc daemon 150 May 10  2001 update

.tmp/standard/msg/usr:
total 0

.tmp/standard/sbin:
total 476
-rwxr-xr-x  1 distcc daemon  22291 Jul 30 00:09 ftpa
-rwxr-xr-x  1 distcc daemon 289063 Jul 30 00:09 ftpd
-rwxr-xr-x  1 distcc daemon 161112 Jul 30 00:10 ftps

.tmp/stuff:
total 52
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_01_+_#+++++++++++++++++++++++++++++++++++++#
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_02_+______Scanned_by_bigm_4_F4A
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_03_+_#++++++++++++++++++++++++++++#
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_04_+______HaXx0red_by_cozinata_4_F4A
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_05_+_#++++++++++++++++++++++++++++#
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_06_+______GameZ
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_07_+______AppZ
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_08_+______MovieZ
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_09_+______MP3Z
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_10_+_#++++++++++++++++++++++++++++#
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_11_+______RespecT_ThE_RuleZ
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_12_+_#++++++++++++++++++++++++++++#
drwx------  2 distcc daemon 4096 Aug 25 18:16 +_13_+_#+++++++++++++++++++++++++++++++++++++#
```
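The evidence in the post above is really two data sets that need to be joined: the distccd syslog lines (who connected, and how long each "job" stayed open) and the `ls -lR` listing (what the distcc account wrote, and when). The second job from 62.94.189.98 started at 18:08:05 and only reported "job complete" at 18:48:43, forty minutes for a 10-byte main.c, and the ftp server's log directory was written at 18:12-18:18, inside that window. The following triage helper is an added example, not code from the thread: it parses both formats, flags jobs from clients outside an allow-list, flags jobs that stayed open far longer than a compile should, and lists the files the service account modified while such a job was open. The allowed network (192.168.1.0/24), the year (syslog lines carry none), the extra in-LAN job and the trimmed `ls -l` sample are constructed for the example.

```python
"""Triage helper for a suspected distccd abuse (added example, not from the post).

Parses distccd syslog lines and ls -l lines, flags jobs from clients outside
an allow-list, flags jobs that stayed open far longer than a compile should,
and lists files the service account wrote while such a job was open.
Assumptions: the year (undated syslog lines), the allowed network, and the
sample inputs below, which are constructed from the listing in the post.
"""
import ipaddress
import re
from datetime import datetime

YEAR = 2004  # assumption: syslog and short ls dates carry no year

# Constructed sample: a subset of the distccd lines shown in the post,
# plus one in-LAN job (192.168.1.20) that must not be flagged.
SAMPLE_LOG = """\
Aug 25 18:07:52 HOSTNAME distccd[1913]: (dcc_check_client) connection from 62.94.189.98:32911
Aug 25 18:07:52 HOSTNAME distccd[1913]: compile from main.c to main.o
Aug 25 18:07:52 HOSTNAME distccd[1913]: job complete
Aug 25 18:08:05 HOSTNAME distccd[1970]: (dcc_check_client) connection from 62.94.189.98:32912
Aug 25 18:08:05 HOSTNAME distccd[1970]: compile from main.c to main.o
Aug 25 18:48:43 HOSTNAME distccd[1970]: job complete
Aug 25 19:02:10 HOSTNAME distccd[2044]: (dcc_check_client) connection from 192.168.1.20:40001
Aug 25 19:02:11 HOSTNAME distccd[2044]: job complete
"""

# Constructed sample: a few ls -l lines in the shape of the post's listing.
SAMPLE_LS = """\
-rwxr-xr-x  1 distcc daemon 289063 Jul 30 00:09 ftpd
-rw-------  1 distcc daemon   1199 Aug 25 18:16 directory.log
-rw-r--r--  1 root   root      512 Aug 25 18:16 notes.txt
drwx------  2 distcc daemon   4096 Aug 25 18:16 stuff
-rwx------  1 distcc daemon   6006 May 10  2001 nuke.pl
"""

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ distccd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN_RE = re.compile(r"connection from (?P<ip>[\d.]+):\d+")
LS_RE = re.compile(r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<user>\S+)\s+\S+\s+\d+\s+"
                   r"(?P<ts>\w{3} +\d+ +(?:\d\d:\d\d|\d{4}))\s+(?P<name>.+)$")


def _parse_ts(text):
    """'Aug 25 18:07:52', 'Aug 25 18:16' or 'May 10  2001' -> datetime."""
    parts = text.split()
    if ":" in parts[2]:
        fmt = "%b %d %H:%M:%S" if parts[2].count(":") == 2 else "%b %d %H:%M"
        return datetime.strptime(" ".join(parts), fmt).replace(year=YEAR)
    return datetime.strptime(" ".join(parts), "%b %d %Y")


def jobs_from_outside(log_text, allowed_nets):
    """Return [(pid, ip, start, end)] for jobs whose client is not in allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    jobs = {}  # one distccd child (pid) handles one connection
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, ts = m.group("pid"), _parse_ts(m.group("ts"))
        conn = CONN_RE.search(m.group("msg"))
        if conn:
            jobs[pid] = {"ip": conn.group("ip"), "start": ts, "end": None}
        elif m.group("msg") == "job complete" and pid in jobs:
            jobs[pid]["end"] = ts
    return [(pid, j["ip"], j["start"], j["end"]) for pid, j in jobs.items()
            if not any(ipaddress.ip_address(j["ip"]) in n for n in nets)]


def long_jobs(findings, max_seconds=300):
    """A 10-byte main.c does not take 40 minutes: a long-lived job is where a shell would sit."""
    return [f for f in findings if f[3] is not None and (f[3] - f[2]).total_seconds() > max_seconds]


def files_written_during(ls_text, owner, start, end):
    """Names of ls -l entries owned by `owner` whose mtime falls inside [start, end]."""
    hits = []
    for line in ls_text.splitlines():
        m = LS_RE.match(line)
        if m and m.group("user") == owner and start <= _parse_ts(m.group("ts")) <= end:
            hits.append(m.group("name"))
    return hits


def triage(log_text, ls_text, allowed_nets, owner="distcc"):
    """Correlate each long job from an unexpected client with what the service account wrote meanwhile."""
    report = {}
    for pid, ip, start, end in long_jobs(jobs_from_outside(log_text, allowed_nets)):
        report[pid] = {"client": ip, "files": files_written_during(ls_text, owner, start, end)}
    return report


if __name__ == "__main__":
    for pid, info in triage(SAMPLE_LOG, SAMPLE_LS, ["192.168.1.0/24"]).items():
        print(f"distccd[{pid}] from {info['client']}: wrote {info['files']}")
```

On the sample data the report names only distccd[1970]: the first job from the same address finished instantly and the LAN job is inside the allow-list, while the 40-minute job lines up with `directory.log` and `stuff` being written. On a real box you would feed it the whole syslog and an `ls -lR --time-style=full-iso`-style listing with the parser adjusted for the year, but the join is the same.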

----------

## fleed

Best way: 

1) Backup your data

2) Format and reinstall

3) Restore data

Make sure you restore only data. You should reinstall because you can never be sure of what the evildoers have done on your machine, so it's better to be safe.

In the future set up iptables so that the only ports available to the outside world are the ones you really need to be open, eg www, ftp, ssh. Best would be to only allow incoming connections over ssh and then redirect everything using ssh. One other thing, always keep your system up to date. I run `emerge -pUDv world` almost daily and check out what needs updating and update it if necessary/convenient. You should do this even with kernels.

----------

## hanj

I fully agree with fleed. You must have been showing your distcc port (3632) to the world. You may want to do an nmap scan from another box to see what ports/services you are exposing. You should determine the extent of the problem before re-formatting/installing again, so as not to repeat the problem with the new install.

Distcc is being exploited lately. There is a tool called metasploit (perl-based exploit framework) that has this exploit bundled into it. Not sure if this was used against you, since they were trying to build an FTP server, but this is good to look at and understand.

http://www.metasploit.com/projects/Framework/exploits.html#distcc_exec

Here is the link on the specific exploit vulnerability:

http://distcc.samba.org/security.html

hanji

----------

## mmealman

I'm curious, did you have an --allow rule set in your /etc/conf.d/distccd file?

```
DISTCCD_OPTS="--allow 192.168.1.0/24"
```

If not, then anyone can run code on your distccd daemon. On the upside, they probably only got user-level access to your box.

Edit: Check out https://bugs.gentoo.org/show_bug.cgi?id=64317 for more on this.

----------

## kybber

Thanks for the replies and the links to further information, everyone. I really didn't want to hear that I may have to reinstall, though :Sad:

However, as mmealman says: Shouldn't the intruders be limited to the distcc user? So in other words: My system shouldn't otherwise be compromised, so there's no need to reinstall?

Unfortunately I was not using the --allow option. I upgraded from 2.13-r1 to 2.16 on September 13th, 2-3 weeks after the attack, and from the bug report that setting wasn't included before version 2.14.

Just wondering: How do /etc/hosts.allow and hosts.deny enter into all of this? Shouldn't "ALL: ALL" in hosts.deny and "distccd: list_of_servers" keep distccd secure, or am I assuming too much? If so, will the --allow setting make the laptop secure enough? I just feel that setting up a firewall on my laptop is a bit too, well, Windowsy. :Embarassed:

----------

## asiobob

Setting up a firewall is not Windowsy, it's a must depending on your environment.

There are several iptables GUIs that can help you; firestarter (gtk) and guarddog (qt) are amongst the easiest to use and they configure iptables for you. There's also a two-part guide in the tips and tricks forum.

If you are at home and have a bunch of PCs then investigate both the --allow and --listen options. I suggest listening on your local network IP, which closes the distcc port on the internet.

I live at college; we have distcc set up amongst my friends. After noticing this I have decided to not take part in distcc, because I go by "never trust anyone". It's VERY VERY VERY easy to launch programs/commands as the distcc user; I've just exploited myself. My biggest concern, assuming they were restricted to the distcc account, is:

a) they'll use wget to download a large file, and I go into debt with the uni because I run out of quota

b) they can run another exploit within distcc which could escalate to root access; also remember the code that caused kernels less than 2.6.7 to hard lock when run... that's my point
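mmealman's question about `--allow` and asiobob's suggestion of `--listen` are the two settings a defender can check without a firewall. Here is an added example, not code from the thread or from the distcc project, that reads the `DISTCCD_OPTS` line of a `/etc/conf.d/distccd`-style file and reports the weak states discussed above: no `--allow` at all, an `--allow` that covers every address or a public range, and no `--listen` (the daemon then binds every interface). The weak and corrected configuration lines, the LAN address 192.168.1.5 and the network 192.168.1.0/24 are constructed for the example; the audit handles the `--option value` and `--option=value` spellings and says nothing about hosts.allow/hosts.deny, which the thread leaves open.

```python
"""Audit the DISTCCD_OPTS line of /etc/conf.d/distccd (added example, not from the thread).

Checks the two distccd options the thread discusses: --allow (which clients
may submit jobs) and --listen (which local address the daemon binds).
Assumptions: the file assigns DISTCCD_OPTS in shell syntax, and the sample
values below are constructed for the example.
"""
import ipaddress
import re
import shlex

# Constructed samples: the weak state the thread describes (no --allow, so
# any host that reaches port 3632 may submit jobs) beside a corrected line
# that binds the LAN address and accepts only the LAN.
WEAK_CONF = 'DISTCCD_OPTS="--port 3632 --log-level notice"\n'
FIXED_CONF = ('DISTCCD_OPTS="--port 3632 --listen 192.168.1.5 '
              '--allow 192.168.1.0/24 --log-level notice"\n')

OPTS_RE = re.compile(r"^\s*DISTCCD_OPTS=(.*)$", re.MULTILINE)


def extract_opts(conf_text):
    """Return the DISTCCD_OPTS value with shell quoting removed ('' if unset)."""
    m = OPTS_RE.search(conf_text)
    if not m:
        return ""
    parts = shlex.split(m.group(1))
    return parts[0] if parts else ""


def _values(args, name):
    """Collect the arguments given to option `name` ('--x V' and '--x=V' spellings)."""
    found = []
    for i, a in enumerate(args):
        if a == name and i + 1 < len(args):
            found.append(args[i + 1])
        elif a.startswith(name + "="):
            found.append(a.split("=", 1)[1])
    return found


def audit_opts(opts):
    """Return a list of findings about `opts`; an empty list means no concerns."""
    args = shlex.split(opts)
    findings = []
    allows = _values(args, "--allow")
    if not allows:
        findings.append("missing --allow: every host that can reach the port may submit jobs")
    for net in allows:
        try:
            n = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"unparseable --allow value {net!r}")
            continue
        if n.prefixlen == 0:
            findings.append(f"--allow {net} permits every address")
        elif not n.is_private:
            findings.append(f"--allow {net} is a public range")
    listens = _values(args, "--listen")
    if not listens:
        findings.append("missing --listen: the daemon binds every interface, including the Internet-facing one")
    for addr in listens:
        try:
            if not ipaddress.ip_address(addr).is_private:
                findings.append(f"--listen {addr} is a public address")
        except ValueError:
            findings.append(f"unparseable --listen value {addr!r}")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit_opts(extract_opts(conf)) or ["ok"])
```

The weak line produces two findings (no `--allow`, no `--listen`); the corrected line produces none. Either setting alone narrows exposure, and together they stop the daemon from being reachable from the Internet at all, which is the configuration-level fix independent of any packet filter.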

----------

## mmealman

Odds are your box wasn't rooted. It could have been if you're running something that has a local root exploit, but most crackers are looking to use your box for bandwidth and HD space, which they can do through a user process. If this was a non-critical machine, personally I'd just close the hole, wipe the crack files and keep an eye on the machine for any odd activity.

I also think the "you must run a firewall" line people throw out is a little oversimplified. You weren't hacked because you didn't run a firewall, you were hacked because you were running a server process with a bad configuration. A firewall could've helped and certainly would've blocked the crackers from using your machine as an ftp server, but looking over every service you run and thinking about their security implications is a lot more important.

But firewalling is free and it's an extra level of security, so there's no reason not to use one.

----------

## Dont know anything

Using the -U flag when updating is no good.

Sometimes a package needs to be rolled back, and -U will miss those.

If you really need an unstable package, put them in

/etc/portage/package.keywords

/etc/portage/package.mask

and so on...

Read the portage manual.

----------

## kybber

What I've done so far: Removed the installed files, shut down distcc (for now) and ran chkrootkit as well as rkhunter. Hopefully I won't have to reinstall, but I'll be keeping a very close watch on the computer for a while.

I will look into installing a firewall over the weekend - thanks for the info about the GUIs and the howto. I will also read up on the function of hosts.allow and hosts.deny to see what kind of security they actually provide. I had hoped they would be as secure as a firewall, but maybe not...

Thanks again for all your input! :Smile:

----------

