# gentoo box hacked / aMule exploit?

## MaxMara

Hi!

I am running a gentoo workstation at work. 

Yesterday I started aMule when I left work. This morning I wanted to log in and the box doesn't accept any account password from me.

I restarted the box, booted with the Gentoo CD, mounted the hard disk and discovered the following:

eth0 has the IP address 192.168.0.2... I used DHCP.

The last change to /etc/passwd was yesterday evening.

All my users are deleted and there are some new users: qmaild, qmaill, qmailp, ... qmails, smmsp, postgres, nut, cyrus, vpopmail, alias.

I think that aMule has a BIG exploit, because my box was really secure (SSH only allowed from 10.0.60.XX, up-to-date system, ...)

Does any of you know what the hacker was doing with my box? Or how can I see that?

btw: our 2 Mb line had 100% utilization last night  :Sad:

thanks for your answers

christian
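
The account changes described in this post can be found mechanically if a pre-incident copy of /etc/passwd exists (from a backup, or from an identical install). The following is an added example, not code from the thread or from the aMule project; the two passwd files in it are constructed to mirror the poster's description (own account gone, mail and database service accounts added) and their UIDs, GIDs and paths are made up:

```python
"""Diff a current /etc/passwd against a trusted pre-incident baseline.

Added example, not code from the thread. It assumes you have a copy of the
passwd file from before the incident; BASELINE and CURRENT below are
constructed to mirror the poster's description and are not the real files.
"""
from __future__ import annotations

from dataclasses import dataclass

# Shells that do not permit an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> dict[str, PasswdEntry]:
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:home:shell."""
    entries: dict[str, PasswdEntry] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
    return entries


def diff_passwd(baseline: str, current: str) -> dict[str, list[str]]:
    """Report account additions, removals, modifications and red flags."""
    base, cur = parse_passwd(baseline), parse_passwd(current)
    added = set(cur) - set(base)
    return {
        "removed": sorted(set(base) - set(cur)),
        "added": sorted(added),
        # Same name but a different uid/gid/home/shell (e.g. a shell granted to a daemon).
        "changed": sorted(n for n in set(base) & set(cur) if base[n] != cur[n]),
        # Any extra uid-0 account is a backdoor until proven otherwise.
        "uid0_not_root": sorted(n for n, e in cur.items() if e.uid == 0 and n != "root"),
        # New accounts that can actually log in deserve the first look.
        "added_with_login_shell": sorted(n for n in added if cur[n].shell not in NOLOGIN_SHELLS),
    }


# Constructed sample: the workstation before the incident ...
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
sshd:x:22:22:sshd:/var/empty:/bin/false
christian:x:1000:100::/home/christian:/bin/bash
"""

# ... and after: the poster's own account gone, service accounts added.
# UIDs, GIDs and paths are made up for the example.
CURRENT = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
sshd:x:22:22:sshd:/var/empty:/bin/false
qmaild:x:7790:2108::/var/qmail:/bin/false
qmaill:x:7791:2108::/var/qmail:/bin/false
qmailp:x:7792:2108::/var/qmail:/bin/false
qmails:x:7795:2107::/var/qmail:/bin/false
smmsp:x:209:209::/var/spool/mqueue:/bin/false
postgres:x:70:70::/var/lib/postgresql:/bin/bash
nut:x:84:84::/var/lib/nut:/bin/false
cyrus:x:85:12::/usr/cyrus:/bin/false
vpopmail:x:89:89::/var/vpopmail:/bin/false
alias:x:7796:2108::/var/qmail/alias:/bin/false
"""

if __name__ == "__main__":
    for key, names in diff_passwd(BASELINE, CURRENT).items():
        print(f"{key:>24}: {', '.join(names) or '-'}")
```

On a real case you would feed it the passwd file from the disk mounted read-only under the live CD (for example `open("/mnt/gentoo/etc/passwd").read()`) and the baseline from a backup; do the same for /etc/shadow and /etc/group, since an attacker can also just change root's hash without adding an account.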

----------

## MaxMara

nobody??

makes me sad   :Crying or Very sad: 

----------

## zigx

 *Quote:*   

> aMule stand for all-platform eMule file-sharing program, it is also affiliated with the eMule project and forked from xMule on 08/2003. It connects to eDonkey2000 network, supports Linux, Solaris, *BSD platforms, Mac, near every processor arch (32/64bits)

If I were you I would start searching out xMule problems -- could help?

I'm just a n00b so that's all the input I have, but if you find out anything else please post.

good luck!

----------

## amne

You didn't by chance run etc-update and overwrote your configuration files?

PS: Please don't bump your threads that fast even if the problem is important to you.

----------

## nightblade

I know that some critical vulnerabilities were found in eMule, with a remote buffer overflow leading to remote code execution being the latest (Bugtraq ID 10039), but I really don't know how much of that applies to aMule, as I really have no idea how much code they have in common.

In any case, if you are sure that the box has been hacked, don't touch anything on the disks, as they are the evidence of the crime (even the swap space can provide precious information) and are fundamental if you want to start a forensic analysis.

Better off starting to investigate what happened by delving into the other machines (firewall logs, IDSs, ...) and, of course, reporting the fact to your local police department.

----------

## njs12345

It looks like the hacker was using it as a spam box... qmail is an MTA.

----------

## barbar

You can check which services are running with

```
netstat -ta
```

When you have services that you did not enable, you are very likely compromised.

----------

## Xaignar

You weren't running aMule as root, were you? Because if it was through aMule that the attacker gained access, then either you have a holed kernel or some other insecure setting that the attacker could use to escalate his privileges. =/

As for the Bugtraq bug, that was an IRC exploit specific to the IRC client in eMule, and you won't ever see us adding an IRC client to aMule.  :Wink: 

----------

## MaxMara

 *Xaignar wrote:*   

> You weren't running aMule as root, were you? Because if it was through aMule that the attacker gained access, then either you have a holed kernel or some other insecure setting that the attacker could use to escalate his privileges. =/
> 
> As for the Bugtraq bug, that was an IRC exploit specific to the IRC client in eMule, and you won't ever see us adding an IRC client to aMule. 

Yes. I was logged in as root   :Embarassed: 

I just read the thread about smoking and logged in to kde as root   :Rolling Eyes: 

Is it possible to turn the IRC client in eMule off?

----------

## dark_priest

Looks like they were turning you into a spam machine? (with the mail stuff added)

----------

## m.b.j.

Just a tip: do not spend time rescuing your system, do a complete reinstallation. A friend of mine (he is much more experienced than me) spent two weeks cleaning his system, but the attacker had placed too many backdoors (keyloggers, ...)!

In my mind it is a waste of time to clean a cracked system!

----------

## zeky

Check all your logs for any possible info of the attacker.

Run

```
netstat -antpu
```

to check if there are any strange ports listening.

----------

## MaxMara

So... I installed a new box. But I'll never install aMule on it again  :Smile: 

Thanks for your comments  :Smile: 

----------

## nightblade

 *zeky wrote:*   

> Run
> 
> ```
> ...
> ```

That actually might not tell much: most rootkits hide their activity from netstat and process queries.
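
A way to act on both barbar's and zeky's netstat advice and on the caveat above: compare what netstat admits is listening with what the kernel itself reports in /proc/net/tcp. A user-space rootkit that replaces netstat or ps can filter their output, but it cannot change what the kernel writes to /proc; a kernel-level rootkit can, so an empty result is not proof of a clean box. This is an added example, not code from the thread; both inputs are constructed sample data (a listener on port 8080 that the sample netstat output omits), not output from the poster's machine, and the little-endian decoding of the address field is an assumption that holds on x86:

```python
"""Cross-check netstat's LISTEN sockets against the kernel's /proc/net/tcp.

Added example, not code from the thread. PROC_NET_TCP and NETSTAT_OUTPUT are
constructed sample data; on a live box you would read /proc/net/tcp and run
`netstat -ant` instead. A kernel rootkit can lie in /proc too, so a clean
result here does not clear the machine.
"""
from __future__ import annotations

import re
import socket
import struct

TCP_LISTEN = 0x0A  # socket state value used in /proc/net/tcp


def hex_ipv4(addr_hex: str) -> str:
    """Decode the 8-hex-digit, host-byte-order IPv4 field of /proc/net/tcp."""
    # Assumes a little-endian host (x86): "0100007F" is 127.0.0.1.
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))


def parse_proc_net_tcp(text: str) -> set[tuple[str, int]]:
    """Return {(ip, port)} for every IPv4 socket in LISTEN state."""
    listeners: set[tuple[str, int]] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":  # blank line or header row
            continue
        local, state = fields[1], int(fields[3], 16)
        if state != TCP_LISTEN:
            continue
        ip_hex, port_hex = local.split(":")
        listeners.add((hex_ipv4(ip_hex), int(port_hex, 16)))
    return listeners


# Matches `netstat -ant` (and -antpu) lines for IPv4 TCP listeners; udp/tcp6 lines are ignored.
NETSTAT_LISTEN = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def parse_netstat(text: str) -> set[tuple[str, int]]:
    """Return {(ip, port)} that netstat admits are listening."""
    listeners: set[tuple[str, int]] = set()
    for line in text.splitlines():
        m = NETSTAT_LISTEN.match(line)
        if m:
            listeners.add((m.group(1), int(m.group(2))))
    return listeners


def hidden_listeners(proc_text: str, netstat_text: str) -> set[tuple[str, int]]:
    """Listeners the kernel reports but netstat does not."""
    return parse_proc_net_tcp(proc_text) - parse_netstat(netstat_text)


# Constructed /proc/net/tcp: sshd on :22, an MTA on 127.0.0.1:25, something on :8080,
# plus one established ssh session (state 01) from 192.168.0.1.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
   3: 0200A8C0:0016 0100A8C0:C3A8 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 100 0 0 10 0
"""

# Constructed `netstat -ant` output from a netstat that omits port 8080.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:22          192.168.0.1:50088       ESTABLISHED
"""

if __name__ == "__main__":
    for ip, port in sorted(hidden_listeners(PROC_NET_TCP, NETSTAT_OUTPUT)):
        print(f"kernel reports listener {ip}:{port} that netstat does not show")
```

This is a live-triage check: it only makes sense on a running system, so if you intend a forensic analysis, image the disks first and keep the check to a copy of the tools you trust (a static netstat from the live CD rather than the one on the possibly trojaned disk). IPv6 listeners live in /proc/net/tcp6 with a 32-hex-digit address field and would need a separate decoder.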

----------

## zeky

 *nightblade wrote:*   

>  *zeky wrote:*   
> 
> Run
> 
> ```
> ...
> ```

True, true... but you never know who you are dealing with... It's worth a look tho'  :Wink: 

----------

## nightblade

 *zeky wrote:*   

> true, true... but you never know who you are dealing with... It's worth a look tho' 

Oh, it definitely is.

I was not in any way saying that yours was a bad idea  :Smile: ... just that you might want to fire off a rootkit hunter too, after netstat/ps  :Smile: 

----------

## MaxMara

 *nightblade wrote:*   

> Oh, it definitely is.
> 
> I was not in any way saying that yours was a bad idea ... just that you might want to fire off a rootkit hunter too, after netstat/ps 

Do you know how much you / we can rely on chkrootkit? Is it not really simple to replace the tool?

----------

## nightblade

 *MaxMara wrote:*   

> Do you know how much you / we can rely on chkrootkit? 

Chkrootkit will only tell you that there is a rootkit if it finds one, but not that there are no rootkits if it does not find any (an 'undecidable problem', computer theorists would say).

It's a tool designed to help you figure out whether you have been hacked and what the attacker did, but it's definitely not a tool to ultimately assess the 'healthiness' of a hacked box. So you might want to use it to see if there is a rootkit on your PC, but even in case of a negative answer, it's much better to do a clean reinstall, as somebody already pointed out.

----------

## zeky

 *MaxMara wrote:*   

>  *nightblade wrote:*   Oh, it definitely is.
> 
> I was not in any way saying that yours was a bad idea ... just that you might want to fire off a rootkit hunter too, after netstat/ps  
> 
> Do you know how much you / we can rely on chkrootkit? Is it not really simple to replace the tool?

*Good* rootkits are made so cleverly that a rootkit-finding tool won't even find them  :Wink:  But it can't harm to check with it anyway  :Smile: 

----------

## Xaignar

Btw. Which version of aMule were you running?

----------

## MaxMara

 *Xaignar wrote:*   

> Btw. Which version of aMule were you running?

good question   :Very Happy: 

I emerged it on the 31st of August and I 'emerge sync'ed before that.

----------

## Xaignar

It would be great if you could find out exactly what version you were running. But if you are running a stable system, then most likely it's 1.2.8.

----------

## zeky

 *MaxMara wrote:*   

>  *Xaignar wrote:*   Btw. Which version of aMule were you running? 
> 
> good question  
> 
> I emerged it on the 31st of August and I 'emerge sync'ed before that.

Do:

```
emerge -p amule
```

And tell us the amule version  :Wink: 

----------

## MaxMara

Sorry. Too late for that.

Read my posting from 8:43 am   :Smile: 

But I think that it might be the latest version. As written before: I emerged it on the 31st of August. I think it might be possible to investigate which version of aMule that was...

And 'yes' Xaignar, I'm running a stable system (2.4 kernel, if that matters...)

----------

## Unleashed

 *MaxMara wrote:*   

> Yesterday I started aMule when I left work. This morning I wanted to log in and the box doesn't accept any account password from me.

I don't know how someone is supposed to hack a box and blatantly make it obvious it's been owned. That's very stupid.

 *MaxMara wrote:*   

> I think that aMule has a BIG exploit, because my box was really secure (SSH only allowed from 10.0.60.XX, up-to-date system, ...)

First of all, running things as root is like sticking a big fat note on your house's door asking people to break in. And you should know by heart what services and other potentially insecure programs your box was running, and I am certain it doesn't come down to just aMule and SSH.

If you really wanted to know what the cause was, you should have provided us with detailed information about your system and network environment, and possibly learned something about forensics. Had you done so, people could at least have helped you much better.

It's not that it couldn't be aMule, but you don't know it and have eliminated the possibility of any further investigation, and with such a lack of information, it looks pretty much awesome to me that you made such a BIG claim about aMule.

----------

## malloc

You could try mldonkey; it's lighter than aMule, and it can be run in a chrooted environment. Also you should run an IDS like snort if that's an important box.

----------

## indanet

 *malloc wrote:*   

> You could try mldonkey; it's lighter than aMule, and it can be run in a chrooted environment.

Yes, I totally agree. See https://forums.gentoo.org/viewtopic.php?t=190707 -- worked great for me.

----------

