Hi Chris: I'm almost sure that your server has been compromised again... The output you see from the ps command comes from a fake "ps" binary, which belongs to a rootkit, I don't remember the name right now. It is sad to say that Cobalt people don't care much about security, and that their patches are a little out of date. I had the same incident as you on my Cobalt RaQ 3, but I luckily found the cause of the incident and managed to solve it (after Cobalt support just gave me an OS reload as the only solution). I'd like the opportunity to call all Cobalt users to push Cobalt to release service updates, because the sendmail and bind services are VERY vulnerable, despite the Cobalt patches... That's just an example.

----- Original Message -----
From: "Chris Moreton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, November 11, 2001 7:50 PM
Subject: [cobalt-security] Unusual ps command output
> Hi,
>
> I periodically send myself a file from my RaQ4 built up of output from the
> "ps -efw" command built up throughout the day. Normally, I get output in the
> form
>
> UID PID PPID C STIME TTY TIME CMD
> root 1 0 0 Nov08 ? 00:00:04 init
> root 2 1 0 Nov08 ? 00:00:15 [kflushd]
> root 3 1 0 Nov08 ? 00:00:18 [kupdate]
> root 4 1 0 Nov08 ? 00:00:00 [kpiod]
>
> etcetera...
>
> But today I got the output below. What strikes me is that the headings are
> different and the appearance of the name "r00t". My server has been
> compromised twice recently, and on each occasion I have noticed that the
> "ps -ef" command has produced minimal output like below and that in order to get
> what I expect I need to do "ps -aux".
>
> On both these occasions I rebuilt the server and applied all the security
> patches from Cobalt. Also, being very paranoid, I turned off all the FTP,
> DNS and Email services and my ISP closed all unnecessary ports following the
> rebuild.
>
> Does anyone know how to explain this?
>
> PID TTY STAT TIME COMMAND
> 11301 p0 S 0:00 -sh HOME=/root USER=root LOGNAME=root PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root SHELL=/bin/sh SSH_CLIENT=1
> 23216 p0 S 0:00 \_ sh ./r00t 194 105 LESSOPEN=|/usr/bin/lesspipe.sh %s HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0 MAIL=/v
> 23230 p0 R 10:01 \_ ./scan 194 53 105 LESSOPEN=|/usr/bin/lesspipe.sh %s HISTSIZE=1000 HOSTNAME=www.changed.com LOGNAME=root SSH_TTY=/dev/ttyp0 MAI
> 30013 p1 S 0:00 -sh HOME=/root USER=root LOGNAME=root PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/bin MAIL=/var/spool/mail/root SHELL=/bin/sh SSH_CLIENT=2
>
> Thanks,
> Chris
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
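The reply's diagnosis is that Chris's `ps` binary has been replaced by a rootkit copy that filters what it prints. One way an administrator can check for that, without trusting `ps` at all, is to compare the process list `ps` reports with the numeric directories the kernel exposes under `/proc`: a swapped user-space binary can hide PIDs from its own output, but it cannot remove them from `/proc` without kernel-level help. The script below is an added example written for this thread; it is not code from either poster or from Cobalt, and the function names (`proc_pids`, `ps_pids`, `hidden_pids`, `check_live`) are my own. It uses only POSIX `ps -e -o pid=` and `ps -p PID -o pid=`, plus `awk` and `sed`.

```shell
#!/bin/sh
# Cross-check the process list printed by ps against the kernel's own view in
# /proc. A user-space rootkit that swaps in a trojaned ps binary (the pattern
# described in the thread) filters what ps prints, but it cannot remove the
# numeric /proc entries without kernel-level help. Any PID that is in /proc yet
# missing from ps output is therefore worth a close look.

# proc_pids: numeric entries of /proc, one per line (the kernel's view).
proc_pids() {
    for d in /proc/[0-9]*; do
        if [ -d "$d" ]; then
            printf '%s\n' "${d#/proc/}"
        fi
    done
}

# ps_pids: PIDs as reported by the ps binary on PATH (the possibly trojaned view).
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# hidden_pids KERNEL_LIST PS_LIST
# Prints every PID in KERNEL_LIST (newline separated) that is absent from
# PS_LIST, preserving KERNEL_LIST order. Pure text processing, so it can be
# exercised on constructed lists without touching the live system.
hidden_pids() {
    {
        printf '%s\n' "$1" | sed 's/^/K /'
        printf '%s\n' "$2" | sed 's/^/P /'
    } | awk '
        $1 == "P" && $2 != "" { seen[$2] = 1 }
        $1 == "K" && $2 != "" { kernel[NR] = $2 }
        END {
            for (i = 1; i <= NR; i++)
                if (i in kernel && !(kernel[i] in seen))
                    print kernel[i]
        }'
}

# check_live: run the comparison against the running system. A PID can vanish
# between reading /proc and running ps (this script's own subshells, for
# example), so each candidate is confirmed still present in /proc and still
# absent from a fresh ps query before it is reported. Returns 1 if anything
# stayed hidden.
check_live() {
    candidates=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    status=0
    for pid in $candidates; do
        if [ -d "/proc/$pid" ] && [ -z "$(ps -p "$pid" -o pid= 2>/dev/null)" ]; then
            # The kernel still has the process, but ps will not show it.
            name=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            echo "HIDDEN pid=$pid cmdline=${name:-?}"
            status=1
        fi
    done
    return $status
}

# Run the live check only when explicitly asked, so the functions above can be
# sourced and tested on constructed PID lists.
if [ "${1-}" = "--live" ]; then
    if check_live; then
        echo "ps output matches /proc: no hidden processes"
    else
        echo "ps output does not match /proc: treat the ps binary as untrusted"
        exit 1
    fi
fi
```

Run it as `sh ps_vs_proc.sh --live` on the suspect host, ideally with `PATH` pointing at a known-good `ps` copied from install media or from a clean RaQ of the same release; a trojaned `ps` that honours one option set but not another (the `ps -ef` versus `ps -aux` difference Chris noticed) will show up as PIDs present in `/proc` and missing from `ps -e`. The check is necessary but not sufficient: a kernel-level rootkit can filter `/proc` as well, so a clean result here should be combined with verifying the `ps` binary against a trusted checksum, and a compromised box is still best rebuilt from clean media as Chris did.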
