Re: exim4 router problems since 2 days / suspicious process zinit in pstree

Izak Burger writes:

> Nothing exciting ...

If you need excitement come over here. I had a box infected by the DSA-2131 vulnerability. It wouldn't reinstall psutils, griping about not having permission to cp /bin/ps or something. I copied chattr from another box, nebka, with the same architecture. Then I did

  chattr -sia /bin/ps ; scp r...@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps

for every binary (here ps) that procps successively complained it could not install. This solved the issue after a whole bunch of iterations.

Cheers,

Thomas Krichel                    http://openlib.org/home/krichel
                                  http://authorclaim.org/profile/pkr1
                                  skype: thomaskrichel

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101218135042.ga11...@openlib.org
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

Thomas Krichel wrote:
> chattr -sia /bin/ps ; scp r...@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps

So, in effect, did you possibly give away your root password or pass phrase key for the nebka machine?

I wouldn't be that trusting, you already know you were compromised -- best to re-install clean if you ask me.

In the Windows world, my advice is the same, no matter how well you clean things, there is always the possibility that something nasty will remain undetected; it isn't worth that risk IMHO.

Cheers
--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Archive: http://lists.debian.org/4d0cbddd.2060...@affinityvision.com.au
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

Andrew McGlashan writes:

> Thomas Krichel wrote:
>> chattr -sia /bin/ps ; scp r...@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps
>
> So, in effect, did you possibly give away your root password or pass phrase key for the nebka machine?

Yup. After killing the dropbear process.

> I wouldn't be that trusting,

I wouldn't be either, but what is a man who is not a security expert to do?

> you already know you were compromised -- best to re-install clean if you ask me.

yeah, but I have no physical access to the infected box and must keep its data. I reinstalled all the packages. psutils was the one that got aptitude stymied.

Cheers,

Thomas Krichel                    http://openlib.org/home/krichel
                                  http://authorclaim.org/profile/pkr1
                                  skype: thomaskrichel

Archive: http://lists.debian.org/20101218140403.ga11...@openlib.org
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

Thomas Krichel wrote:
> Andrew McGlashan writes:
>> Thomas Krichel wrote:
>>> chattr -sia /bin/ps ; scp r...@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps
>>
>> So, in effect, did you possibly give away your root password or pass phrase key for the nebka machine?
>
> Yup. After killing the dropbear process.

Perhaps it would have been better to work from a non-infected machine; do the scp of such files or better still just backup the data.

  nebka:# scp -p /usr/bin/ps r...@infected-machine:/usr/bin/ps

and/or

  nebka:# scp -pr /saved-data-dir r...@infected-machine:/data-dir

rsync might be an option too...

Perhaps even use a live-cd or work in a chroot to offer as much protection as possible for the non-infected machine.

You've also got to hope that scp or any other programs/binaries you rely on themselves aren't infected on the compromised machine in a way that might cause further issues.

>> I wouldn't be that trusting,
>
> I wouldn't be either, but what is a man who is not a security expert to do?
>
>> you already know you were compromised -- best to re-install clean if you ask me.
>
> yeah, but I have no physical access to the infected box and must keep its data. I reinstalled all the packages. psutils was the one that got aptitude stymied.

If you have no physical access, do you have a way to nuke and re-install? Is it VPS or similar?

Something I've discovered as a really good feature of HP's iLO is the ability to mount an ISO from a local / trusted source and boot a machine remotely using the virtually mounted CD/DVD -- that gives you a whole new level of access without the need for actual physical access. You can work with a console remotely too in this case. Once it is running, you could install ssh server, set a password and use it in a more traditional way.

Of course, it won't help if the machine doesn't have iLO or is a VPS itself -- but there might be similar methods with a VPS.

Oh and HP's iLO might need an advanced license for virtual media to work, not sure about that yet. I picked up a nice DL380 G4 with the advanced iLO license already installed.

Cheers
--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Archive: http://lists.debian.org/4d0cc44e.7050...@affinityvision.com.au
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

Andrew McGlashan wrote:
> nebka:# scp -pr /saved-data-dir r...@infected-machine:/data-dir

Umm, correction

  scp -pr r...@infected-machine:/data-dir /saved-data-dir

> Oh and HP's iLO might need an advanced license for virtual media to work, not sure about that yet. I picked up a nice DL380 G4 with the advanced iLO license already installed.

Yep, the virtual media is an advanced license feature, just looked up the manuals (PDF search). Sure is handy though.

Cheers
--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Archive: http://lists.debian.org/4d0cc70b.70...@affinityvision.com.au
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On Sat, Dec 18, 2010 at 4:25 PM, Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> wrote:
> Oh and HP's iLO might need an advanced license for virtual media to work, not sure about that yet. I picked up a nice DL380 G4 with the advanced iLO license already installed.

Yup, I've also discovered that one day when we reinstalled a machine and discovered too late that the broadcom network controller needs firmware. Then we discovered you need a license to use the usb-stick image upload trick... which prompts the question: If I already paid for the hardware, why in the blazes cripple it unless I pay you more? But now I'm ranting :-)

Archive: http://lists.debian.org/aanlktik0q-m3nr1v+m9cfbat1nkjsf+cyrjfh=gg_...@mail.gmail.com
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On 17/12/2010 12:00, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver mails. I always get the message, that the mail is not routeable. I only used dpkg-reconfigure exim4-config without touching one config file by hand.
>
> I detected a log message (panic log) which says, that there was a too large message. Since that point exim4 stopped working.

Have you upgraded the exim package to the last version?

http://www.debian.org/security/2010/dsa-2131

Archive: http://lists.debian.org/4d0b45ad.5070...@securitylabs.it
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On 12/17/2010 12:00 PM, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver mails. I always get the message, that the mail is not routeable. I only used dpkg-reconfigure exim4-config without touching one config file by hand.
>
> I detected a log message (panic log) which says, that there was a too large message. Since that point exim4 stopped working.
>
> The other point is that pstree reports a process zinit I never saw in the past: (see last line of output)
>
> # pstree -A
> init-+-acpid
>      |-apache2---17*[apache2]
>      |-atd
>      |-cron
>      |-exim4
>      |-6*[getty]
>      |-inetd
>      |-mysqld_safe-+-logger
>      |             `-mysqld---41*[{mysqld}]
>      |-ntpd---ntpd
>      |-portmap
>      |-python
>      |-rpc.statd
>      |-rsyslogd---3*[{rsyslogd}]
>      |-sensord
>      |-smartd
>      |-sshd---sshd---sshd---bash---su---bash---pstree
>      |-udevd
>      `-zinit---{zinit}
>
> I found it here:
>
> # ls -lah /sbin/zinit
> -rwxr-x--x 1 root root 1.9M 2008-08-12 16:09 /sbin/zinit
>
> But I do not have any idea what it is. And I can not see the process with ps:
>
> # ps aux | grep zinit
> root      5125  0.0  0.0   3120   708 pts/0    R+   12:00   0:00 grep zinit

Try first to identify the package the file belongs to:

  # dpkg -S /sbin/zinit

If no package is found then most probably your machine was compromised (using the exim exploit [1]) and you should delete the zinit file immediately and do a detailed audit of your machine security.

You can check if zinit is listening on any port

  # netstat -anp | grep zinit

And try to connect to the port with telnet/netcat to see what is happening there.

If the file belongs to a package then you can check the integrity of the file with debsums

  # debsums packagename

--
[1] http://seclists.org/fulldisclosure/2010/Dec/222
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On Friday 17 of December 2010, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver mails. I always get the message, that the mail is not routeable. I only used dpkg-reconfigure exim4-config without touching one config file by hand.
>
> I detected a log message (panic log) which says, that there was a too large message. Since that point exim4 stopped working.

The last exploit of exim4 is based on too large messages causing buffer overflows that can lead to root privileges. (Sorry for simplification, full details are on exim mailing list).

> The other point is that pstree reports a process zinit I never saw in the past:

<snip>

> But I do not have any idea what it is. And I can not see the process with ps:

If pstree shows zinit and ps does not, it might mean that you are already rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide the presence of rootkit named zinit.

> Do I have a security issue here? Any other idea?

IMHO yes, you have a security issue.

--
Regards
Vladislav Kurz

Archive: http://lists.debian.org/201012171235.51130.vladislav.k...@webstep.net
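The discrepancy Vladislav describes (pstree shows zinit, ps does not) arises because pstree walks /proc itself while a trojaned ps can filter what it prints. The script below is an added example, not code from this thread: it cross-checks the PIDs present in /proc against the PIDs a `ps -eo pid,comm` run reports, and names any PID that ps left out. The sample /proc listing and ps output are constructed, and the function names are mine.

```python
# Added example (not from the thread): cross-check the PIDs present in /proc
# against the PIDs a possibly trojaned `ps` prints. pstree walks /proc itself,
# which is why it still showed zinit when the modified ps did not.
import os
import re
import subprocess

# Constructed sample of a /proc directory listing (numeric names are PIDs).
SAMPLE_PROC_ENTRIES = ["1", "2", "4242", "5125", "5130", "cpuinfo", "meminfo", "self"]

# Constructed sample of `ps -eo pid,comm` output; PID 4242 is missing from it.
SAMPLE_PS_OUTPUT = """  PID COMMAND
    1 init
    2 kthreadd
 5125 sshd
 5130 bash
"""


def pids_from_proc_listing(entries):
    """PIDs are exactly the all-numeric directory names under /proc."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps_output(text):
    """Parse `ps -eo pid,comm` output into {pid: command}, skipping the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        match = re.match(r"\s*(\d+)\s+(\S+)", line)
        if match:
            procs[int(match.group(1))] = match.group(2)
    return procs


def hidden_pids(proc_pids, ps_procs):
    """PIDs that exist in /proc but that ps did not report, sorted."""
    return sorted(proc_pids - set(ps_procs))


def comm_from_stat(stat_text):
    """Command name from /proc/<pid>/stat, i.e. the text between the first '('
    and the last ')' (works on old kernels without /proc/<pid>/comm)."""
    start = stat_text.find("(")
    end = stat_text.rfind(")")
    return stat_text[start + 1:end] if 0 <= start < end else "?"


def scan_live_system():
    """Run the check on the real box. Returns {pid: comm} for PIDs ps hid.
    Caveats: a PID that exits between the two snapshots is a false positive
    (run twice and keep the intersection), and a kernel-level rootkit that
    filters /proc itself hides from this check just as it hides from ps."""
    proc_pids = pids_from_proc_listing(os.listdir("/proc"))
    ps_out = subprocess.run(["ps", "-eo", "pid,comm"], capture_output=True,
                            text=True, check=True).stdout
    ps_procs = pids_from_ps_output(ps_out)
    result = {}
    for pid in hidden_pids(proc_pids, ps_procs):
        try:
            with open(f"/proc/{pid}/stat") as f:
                result[pid] = comm_from_stat(f.read())
        except OSError:
            continue  # the process went away; not a hidden process
    return result


if __name__ == "__main__":
    for pid, comm in scan_live_system().items():
        print(f"hidden from ps: pid {pid} ({comm})")
```

Running this from a live CD against a mounted disk does not apply here (the check needs the running kernel's /proc), so it complements rather than replaces the offline integrity checks discussed later in the thread.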
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On 12/17/2010 12:35 PM, Vladislav Kurz wrote:
> On Friday 17 of December 2010, Thorsten Göllner wrote:
>> Hi,
>>
>> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver mails. I always get the message, that the mail is not routeable. I only used dpkg-reconfigure exim4-config without touching one config file by hand.
>>
>> I detected a log message (panic log) which says, that there was a too large message. Since that point exim4 stopped working.
>
> The last exploit of exim4 is based on too large messages causing buffer overflows that can lead to root privileges. (Sorry for simplification, full details are on exim mailing list).
>
>> The other point is that pstree reports a process zinit I never saw in the past:
>
> <snip>
>
>> But I do not have any idea what it is. And I can not see the process with ps:
>
> If pstree shows zinit and ps does not, it might mean that you are already rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide the presence of rootkit named zinit.

Good point.

Try to check the md5sum of ps:

  # apt-get install debsums
  # debsums procps

>> Do I have a security issue here? Any other idea?
>
> IMHO yes, you have a security issue.
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On Friday 17 of December 2010, Carlos Alberto Lopez Perez wrote:
> On 12/17/2010 12:35 PM, Vladislav Kurz wrote:
>> On Friday 17 of December 2010, Thorsten Göllner wrote:
>>> Hi,
>>>
>>> The other point is that pstree reports a process zinit I never saw in the past:
>>
>> <snip>
>>
>>> But I do not have any idea what it is. And I can not see the process with ps:
>>
>> If pstree shows zinit and ps does not, it might mean that you are already rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide the presence of rootkit named zinit.
>
> Good point.
>
> Try to check the md5sum of ps:
>
>   # apt-get install debsums
>   # debsums procps

just for reference - md5sum of /bin/ps on i386/lenny (checked from freshly downloaded package)

  a6094706266c8ec3b068cf964824afee  /bin/ps

--
Regards
Vladislav Kurz

Archive: http://lists.debian.org/201012171317.52933.vladislav.k...@webstep.net
RE: exim4 router problems since 2 days / suspicious process zinit in pstree

I have a question related to this security announcement and hope it's appropriate to ask here...

I just recently installed a couple of machines with Debian 5 using netinstall. They are running Exim which reports as 4.69 in the banner. I have run aptitude update/upgrade and not seeing anything new for Exim - am I safe to assume I'm up to date and not vulnerable to this security issue?

Sorry, just started using Debian - been at least 5 years since I ran it and wanted to make sure

Thanks,
Paul

-----Original Message-----
From: Vladislav Kurz [mailto:vladislav.k...@webstep.net]
Sent: December-17-10 6:36 AM
To: debian-security@lists.debian.org
Subject: Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On Friday 17 of December 2010, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver mails. I always get the message, that the mail is not routeable. I only used dpkg-reconfigure exim4-config without touching one config file by hand.
>
> I detected a log message (panic log) which says, that there was a too large message. Since that point exim4 stopped working.

The last exploit of exim4 is based on too large messages causing buffer overflows that can lead to root privileges. (Sorry for simplification, full details are on exim mailing list).

> The other point is that pstree reports a process zinit I never saw in the past:

<snip>

> But I do not have any idea what it is. And I can not see the process with ps:

If pstree shows zinit and ps does not, it might mean that you are already rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide the presence of rootkit named zinit.

> Do I have a security issue here? Any other idea?

IMHO yes, you have a security issue.

--
Regards
Vladislav Kurz

Archive: http://lists.debian.org/002a01cb9de3$00f14520$02d3cf...@org
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On Friday 17 of December 2010, Paul Stewart wrote:
> I have a question related to this security announcement and hope it's appropriate to ask here...
>
> I just recently installed a couple of machines with Debian 5 using netinstall. They are running Exim which reports as 4.69 in the banner. I have run aptitude update/upgrade and not seeing anything new for Exim - am I safe to assume I'm up to date and not vulnerable to this security issue?
>
> Sorry, just started using Debian - been at least 5 years since I ran it and wanted to make sure

If you have enabled the security updates repository then you should be OK. Check your /etc/apt/sources.list if it contains this line:

  deb http://security.debian.org/ lenny/updates main contrib non-free

And check version of exim4 using dpkg -l exim*. It should be: 4.69-9+lenny1.

--
Regards
Vladislav Kurz

Archive: http://lists.debian.org/201012171345.33508.vladislav.k...@webstep.net
RE: exim4 router problems since 2 days / suspicious process zinit in pstree

On Fri, 17 Dec 2010, Paul Stewart wrote:
> I have a question related to this security announcement and hope it's appropriate to ask here...

This list is for it, but you should have started a new thread instead of hijacking an existing one.

> I just recently installed a couple of machines with Debian 5 using netinstall. They are running Exim which reports as 4.69 in the banner. I have run aptitude update/upgrade and not seeing anything new for Exim - am I safe to assume I'm up to date and not vulnerable to this security issue?
>
> Sorry, just started using Debian - been at least 5 years since I ran it and wanted to make sure

Make sure you are running version 4.69-9+lenny1 (of the package, not the banner). This version has the patch to fix the issue.

--
The fact that boys are allowed to exist at all is evidence of a remarkable Christian forbearance among men.
        -- Ambrose Bierce

Eduardo M KALINOWSKI
edua...@kalinowski.com.br

Archive: http://lists.debian.org/20101217104346.44387kgc16pjv...@mail.kalinowski.com.br
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On 17.12.2010 14:01, Vladislav Kurz wrote:
> On Friday 17 of December 2010, you wrote:
>> On 17.12.2010 13:49, Vladislav Kurz wrote:
>>> On Friday 17 of December 2010, you wrote:
>>>> On 17.12.2010 13:17, Vladislav Kurz wrote:
>>>>> On Friday 17 of December 2010, Carlos Alberto Lopez Perez wrote:
>>>>>> On 12/17/2010 12:35 PM, Vladislav Kurz wrote:
>>>>>>> On Friday 17 of December 2010, Thorsten Göllner wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> The other point is that pstree reports a process zinit I never saw in the past:
>>>>>>>
>>>>>>> <snip>
>>>>>>>
>>>>>>>> But I do not have any idea what it is. And I can not see the process with ps:
>>>>>>>
>>>>>>> If pstree shows zinit and ps does not, it might mean that you are already rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide the presence of rootkit named zinit.
>>>>>>
>>>>>> Good point.
>>>>>>
>>>>>> Try to check the md5sum of ps:
>>>>>>
>>>>>>   # apt-get install debsums
>>>>>>   # debsums procps
>>>>>
>>>>> just for reference - md5sum of /bin/ps on i386/lenny (checked from freshly downloaded package)
>>>>>
>>>>>   a6094706266c8ec3b068cf964824afee  /bin/ps
>>>>
>>>> Thanks! My package matches.
>>>
>>> Hmm, that's strange, cause if it's hacked, it shouldn't match. Maybe even md5sum is hacked. Please download procps, and md5sum on some clean computer, get them on the problem machine, preferably on CD or some other non-writable media and run those clean binaries. Or if you can take your server down, reboot from any live-CD and check md5sums again, using md5sum from live-cd.
>>
>> Uh! OK, I now do not really have a chance to access the box (too far away). Could you give me this from your box?
>>
>>   # shasum /bin/ps
>>   234bba6212ca0cee9718bd74316d7c81e5e0b570  /bin/ps
>
> it's the same:
>
>   234bba6212ca0cee9718bd74316d7c81e5e0b570  /bin/ps
>
> Hmm, maybe the rootkit did not modify ps, but some system call that is used by ps. Is it still so that ps ax does not show zinit and pstree does? what about top?

I removed /sbin/zinit and did a reboot. The process is gone and I can not find out more about it now, sorry.

So my big last critical question is: Shall I reinstall?

- /usr/bin/md5sum seems to be ok
- all installed packages are checked via debsums (maybe the local md5-database has been manipulated? Can I update this database via dpkg?)
- zinit is gone
- no suspicious listening process can be found. A portscan is fine.
- /etc/passwd is ok
- Passwords were changed
- iptables -L is fine
- chkrootkit is fine (running from running system NOT from LiveCD)

Hard to say ...

Archive: http://lists.debian.org/4d0b627f.4070...@ovm-group.com
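The debsums check Carlos suggested, Vladislav's reference md5 from a freshly downloaded package, and Thorsten's worry above that the local md5 database itself might have been manipulated all come down to one operation: hashing installed files and comparing them with a list obtained from somewhere the attacker could not reach. The verifier below is an added example, not code from this thread or from debsums: it parses a dpkg-style `.md5sums` list, accepts a `root` argument so the check can run from a live CD against a mounted disk image (which also sidesteps a trojaned md5sum or kernel on the box), and supports sha1 as well for the kind of cross-check done with shasum above. The file names, contents and hashes in `demo()` are constructed.

```python
# Added example (not from the thread): verify files against a dpkg-style
# .md5sums list the way debsums does, but with the list supplied from a
# trusted source (e.g. extracted from a freshly downloaded .deb on a clean
# machine) instead of the possibly tampered /var/lib/dpkg/info/<pkg>.md5sums.
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse '<md5>  <path relative to />' lines into {'/path': md5}."""
    expected = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        digest, _, relpath = line.partition("  ")
        expected["/" + relpath] = digest.lower()
    return expected


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks; algorithm is 'md5' for dpkg lists or 'sha1'
    for a shasum-style cross-check against another clean box."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(expected, root="/"):
    """Return {path: 'OK' | 'CHANGED' | 'MISSING'} for each listed file.
    `root` lets the check run against a suspect disk mounted from a live CD."""
    results = {}
    for path, digest in expected.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            results[path] = "MISSING"
        elif file_digest(full) != digest:
            results[path] = "CHANGED"
        else:
            results[path] = "OK"
    return results


def demo():
    """Constructed scenario in a temp dir: a clean 'ps', a replaced 'pstree'
    and a deleted 'top'. Returns the verification result."""
    root = tempfile.mkdtemp()
    clean_ps = b"#!/bin/sh\necho pretend-ps\n"
    clean_pstree = b"#!/bin/sh\necho pretend-pstree\n"
    trojaned_pstree = b"#!/bin/sh\necho pretend-pstree-modified\n"
    clean_top = b"#!/bin/sh\necho pretend-top\n"
    # The trusted list records the hashes of the clean files.
    trusted_list = "\n".join(
        f"{hashlib.md5(data).hexdigest()}  {rel}"
        for rel, data in [("bin/ps", clean_ps), ("usr/bin/pstree", clean_pstree),
                          ("usr/bin/top", clean_top)]
    ) + "\n"
    # The "installed" tree has one file altered and one removed.
    for rel, data in [("bin/ps", clean_ps), ("usr/bin/pstree", trojaned_pstree)]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return verify_files(parse_md5sums(trusted_list), root=root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:8} {path}")
```

A clean result from this check only covers the files on the list; it says nothing about extra files such as /sbin/zinit, which is why the thread still ends with "reinstall".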
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

> So my big last critical question is: Shall I reinstall?

Why not reinstall? What if something is hiding that you forgot to check? What if your binaries are modified in a way that it's making it hard for you to guarantee they aren't modified?

No question, reinstall.

Mike
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

> No question, reinstall.

I agree, this is a root exploit, and once you have root you can pretty much hide anything you want.

On a side note, the patch even applies cleanly on older versions of exim (such as 4.63), so if you're stuck with an older exim for whatever reason (like I am), it's easy enough to patch.

Cheers,
Izak

Archive: http://lists.debian.org/aanlktik182-ixdk44nzm083z+ha2cdjpbcdx7rowh...@mail.gmail.com
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On 17.12.2010 14:26, Izak Burger wrote:
>> No question, reinstall.
>
> I agree, this is a root exploit, and once you have root you can pretty much hide anything you want.
>
> On a side note, the patch even applies cleanly on older versions of exim (such as 4.63), so if you're stuck with an older exim for whatever reason (like I am), it's easy enough to patch.
>
> Cheers,
> Izak

You are (both) right. I will reinstall.

Thank you all for your help!

Archive: http://lists.debian.org/4d0b692b.2000...@ovm-group.com
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

> I agree, this is a root exploit, and once you have root you can pretty much hide anything you want.
>
>> No question, reinstall.

Depending on your scope, http://www.cert.org/tech_tips/win-UNIX-system_compromise.html still has some value.

It sounds as though you'll probably be fine with a reinstall (nuke from orbit, of trusted media). If you use anything from backups, be cautious of any content after any trusted time. Eg, when you know it wasn't an issue, not just think it wasn't an issue. You don't want to introduce a weakness the attacker left some place else (like a database password, misc settings, etc).

Good luck :)

Scott.

Archive: http://lists.debian.org/aanlktik7+ihfwvfg1vmqfv2q+kbkiw+hgtnfmptvv...@mail.gmail.com
Re: exim4 router problems since 2 days / suspicious process zinit in pstree

On Fri, Dec 17, 2010 at 3:44 PM, Thorsten Göllner <t...@ovm-group.com> wrote:
> You are (both) right. I will reinstall.

What would be really nice though, is if you could do some kind of post-mortem. I am always curious to know the techniques of the black-hats, makes for nice war-stories around the camp fire :-)

Unfortunately the incidents I know are rather simple: Weak password that led to someone installing an irc bouncer, which he renamed to bash so that it would not look out of place in a process listing, and a bug in a php-based webhosting package that allowed some turkish hackers to deface a bunch of websites. Nothing exciting ...

Archive: http://lists.debian.org/aanlktinc3tak5xfaha+yhynv0b9-eyai=fhvpfvd6...@mail.gmail.com