Re: hacked: can't delete files

2005-08-28 Thread Jude DaShiell
You probably already got this one solved but if not, you'll need to 
download on another computer one of the linux rescue disks and boot the 
machine up with that disk.  It will have a clean copy of chown and chmod 
and rm on it the hacker never damaged.  What has happened is the hacker 
replaced your original debian utilities with cracking versions.  Those 
cracking versions of the utilities protect what they're supposed to so far 
as the cracker is concerned but that's only until you bring the real 
originals to bear.  You might also use an original debian CD and boot into 
rescue mode then do the work but be sure you specify /dev/hdc/ as a prefix 
to every one of your utility commands.  Don't rely on that e-mail address 
even existing on hotmail.com either.  Your best bet right now is to copy 
any work on that computer you created off to other media and wipe the 
machine and do a complete reinstall but this time apt-get bastille and 
apt-get tripwire not to mention clamav as part of the install process. 
All of those packages need to be deployed and operating before you go out 
onto the net again.  With the net-inst installation, you takes your 
chances.




On Fri, 26 Aug 2005, Jason Edson wrote:


On 8/26/05, Andreas Hatz [EMAIL PROTECTED] wrote:


 Hello,
 I have posted this user group with a similar problem in the past and have
had great help, but this one seems to be a new problem:
 It looks like the affected machine has been rooted by a t0rn rootkit and
then used to install a mail relay running on port 9020. This guy was pretty
bold and rather cheeky, even creating a directory in his name in the root
home directory. In this directory he seems to also have left a file which
seems to contain his hotmail address. This is only by the way. The REAL
problem I am having is this:
 chkrootkit has given the following:
 Searching for suspicious files and dirs, it may take a while...
/usr/lib/libsh/.bashrc /usr/lib/libsh/.backup /usr/lib/libsh/.sniff
/usr/lib/libsh/.bash_history /usr/lib/libsh/.owned /lib/security/.config
/usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.owned
/lib/security/.config
Now the following:
 ns:~# cd /usr/lib/libsh
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x 6 root root 4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .backup
-rw--- 1 root root 365 Aug 21 08:37 .bash_history
-rwxr-xr-x 1 root root 1206 Apr 18 2003 .bashrc
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .owned
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .sniff
-rwxr-xr-x 1 root root 2039 Aug 22 20:28 hide
drwxr-xr-x 2 root root 4096 Aug 22 19:24 utilz
Also:
 ns:/usr/lib/libsh# lsattr *
-- hide
ns:/usr/lib/libsh# lsattr .b*
-- .bash_history
-- .bashrc
ns:/usr/lib/libsh# lsattr .
-- ./utilz
-- ./hide
Now try to delete:
 ns:/usr/lib/libsh# rm -rf *
rm: cannot unlink `hide': Permission denied
rm: cannot remove directory `utilz': Permission denied
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x 6 root root 4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .backup
-rw--- 1 root root 365 Aug 21 08:37 .bash_history
-rwxr-xr-x 1 root root 1206 Apr 18 2003 .bashrc
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .owned
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .sniff
-rwxr-xr-x 1 root root 2039 Aug 22 20:28 hide
drwxr-xr-x 2 root root 4096 Aug 22 19:24 utilz
So it seems that the immutable attribute is not set on either of these
files, but they can not be deleted. Also if I copy this directory to another
place it becomes invisible. ie you don't see it with ls, but you can
change to it with cd. Make sense?
 I have done a fresh re-install of all commands used above. And I will be
completely rebuilding the compromised box, but I am still intrigued by this.
 Anybody like to have a go?
 Best regards,
 Andreas



Didn't you post this like a week ago and get answers? Just curious if my mail
reader is acting up.

Jason Edson




--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: hacked: can't delete files

2005-08-27 Thread Jon Dowland
On Fri, Aug 26, 2005 at 04:08:22PM -0700, Jason Edson wrote:
 Didn't you post this like a week ago and get answers? Just curious if
 my mail reader is acting up.

Indeed I see the message and quite a few replies on Tue, 23 Aug 2005
14:06:24 +1200.

-- 
Jon Dowland   http://jon.dowland.name/
FD35 0B0A C6DD 5D91 DB7A  83D1 168B 4E71 7032 F238





Re: Re: hacked: can't delete files

2005-08-27 Thread Andreas Hatz



 On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
  personally... i think any hacked machine should be looked over
  carefully to be able to answer the following:
  - who broke in
  - how did they get in
  - why did they break in ( sometimes there's no answer )
  - where they came from

  - obvious thing is to look at log files, but smart crackers
    will wipe out or clean the /var/log before they leave
I do agree with your attitude on this. Unfortunately I do 
not see any chance of getting any kind of conviction on this sort of thing if it 
originates from another country. In this case the attacker is from Brazil (best 
guess, based on litter left by the cracker). We are based in Australia and New 
Zealand. What are the chances of getting the Brazilian police to do 
anything?

As for the clean up, I discovered a script among this 
guy's litter which was a clean-up script to delete his log entries. I managed to 
alter this script slightly to do the opposite next time he tries it. I do not 
think there will be a next time for this guy though. He was only interested in a 
spam relay for a while. These guys are typically just script kiddies that try to 
make some bucks sending spam from other people's machines.

Cheers,

Andreas



Re: Re: hacked: can't delete files

2005-08-27 Thread Andreas Hatz




 Jason Edson wrote:

 Didn't you post this like a week ago and get answers? Just curious if 
my mail reader is acting up.
Sorry, I reposted after an initial search of the 
debian-user archive came up blank. Looks like it went through twice now. 
OOPs.

Regards,

Andreas




Re: hacked: can't delete files

2005-08-26 Thread Jason Edson
On 8/26/05, Andreas Hatz [EMAIL PROTECTED] wrote:








Hello,

I have posted this user group with a similar 
problem in the past and have had great help, but this one seems to be a new 
problem:

It looks like the affected machine has been rooted 
by a t0rn rootkit and then used to install a mail relay running on port 9020. 
This guy was pretty bold and rather cheeky, even creating a directory in his 
name in the root home directory. In this directory he seems to also have 
left a file which seems to contain his hotmail address. This is only by the way. 
The REAL problem I am having is this:

chkrootkit has given the following:

Searching for suspicious files and dirs, it may take a while...
/usr/lib/libsh/.bashrc /usr/lib/libsh/.backup /usr/lib/libsh/.sniff
/usr/lib/libsh/.bash_history /usr/lib/libsh/.owned /lib/security/.config
/usr/lib/libsh/.backup /usr/lib/libsh/.sniff /usr/lib/libsh/.owned
/lib/security/.config

Now the following:

ns:~# cd /usr/lib/libsh
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x 6 root root 4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .backup
-rw--- 1 root root 365 Aug 21 08:37 .bash_history
-rwxr-xr-x 1 root root 1206 Apr 18 2003 .bashrc
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .owned
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .sniff
-rwxr-xr-x 1 root root 2039 Aug 22 20:28 hide
drwxr-xr-x 2 root root 4096 Aug 22 19:24 utilz

Also:

ns:/usr/lib/libsh# lsattr *
-- hide
ns:/usr/lib/libsh# lsattr .b*
-- .bash_history
-- .bashrc
ns:/usr/lib/libsh# lsattr .
-- ./utilz
-- ./hide

Now try to delete:

ns:/usr/lib/libsh# rm -rf *
rm: cannot unlink `hide': Permission denied
rm: cannot remove directory `utilz': Permission denied
ns:/usr/lib/libsh# ls -al
total 44
drwxr-xr-x 6 root root 4096 Aug 21 08:38 .
drwxr-xr-x 38 root root 12288 Aug 22 20:38 ..
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .backup
-rw--- 1 root root 365 Aug 21 08:37 .bash_history
-rwxr-xr-x 1 root root 1206 Apr 18 2003 .bashrc
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .owned
drwxr-xr-x 2 root root 4096 Aug 22 19:24 .sniff
-rwxr-xr-x 1 root root 2039 Aug 22 20:28 hide
drwxr-xr-x 2 root root 4096 Aug 22 19:24 utilz
So it seems that the immutable attribute is not set 
on either of these files, but they can not be deleted. Also if I copy this 
directory to another place it becomes invisible. ie you don't see it with ls, 
but you can change to it with cd. Make sense?

I have done a fresh re-install of all commands used 
above. And I will be completely rebuilding the compromised box, but I am still 
intrigued by this.

Anybody like to have a go?

Best regards,

Andreas 


Didn't you post this like a week ago and get answers? Just curious if my mail reader is acting up.

Jason Edson


Re: hacked: can't delete files

2005-08-23 Thread Yuri Gorshkov

Andreas Hatz wrote:

 ns:/usr/lib/libsh# rm -rf *
 rm: cannot unlink `hide': Permission denied
 rm: cannot remove directory `utilz': Permission denied
Oh, really fun... Well, you've been r00ted, so be careful and use
tripwire in the future ;).
-- 
.---.
| ^. .^ | Meow! I'm a little kitten trapped in this .signature cookie!
| = ^ = | Let me out and I'll be your friend.
| v---v | And remember: each time you use Windows, God kills a kitten!
`---'



Re: hacked: can't delete files

2005-08-23 Thread Alvin Oga


On Tue, 23 Aug 2005, Arne Götje (高盛華) wrote:

 On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
  personally... i think any hacked machine should be looked over
  carefully to be able to answer the following:
  - who broke in
  - how did they get in
  - why did they break in ( sometimes there's no answer )
  - where they came from
  - how many times did they come in
  - how many prev attempts did they try
  - how long before you noticed them
  - what other machines did they break into
( esp for those of you that like passwordless logins )
  - what text files were read or edited
  - which binaries and libraries did they modify
  - what extra directories and files exists
  - what did they sniff and for how long ( passwds )
  - .. endless list ..
 
 Nice... can you also provide some info on how to find answers to these 
 questions? This would be very useful... just in case. :)

it's not one place or a document ..
 
its a lot of work to find those answers

stuff in no particular order .. but more for your thought process
to attempt to answer the above questions ...

first step ...
- backup everything BEFORE you are hacked
and do not overwrite last week or last months backup

- change all your loginID and passwds

- disallow everything insecure... which could be a weeks worth of 
changes to any system from a basic cdrom install
( no pop3, no telnet, no ftp, no dhcp, no wireless, no vpn, etc )

2nd step ...
- decide if you are gonna prosecute any successful breakins
and how you are gonna do that and why and follow police
process and procedure ( get them involved asap )

3rd step ...
- to do forensics, how much time does it take ??
maybe a few hours, maybe a few weeks ... is it worth
the time ??

- first check all your binaries are intact against
your backups and other duplicate systems 
( or use knoppix or equivalent to check your hacked disk )

- take that hacked disk offline or not and you'd of course
have a different backup system running all your services
except for the vulnerability that was exploited

- personally, i prefer to leave the hacked disks unaltered to
see and watch them live and hopefully everybody
( law enforcement ) is also watching the 2nd time around
that we can pinpoint where the cracker is

4th step ...
- look over all your files... one by one to see
what they changed or edited or removed ...

- anything left over is what they left for you to
use to track them down ..

- obvious thing is to look at log files, but smart crackers
  will wipe out or clean the /var/log before they leave  

- no magic about how to find all those answers ... just lots
  of time and preparedness

fun stuff ...

c ya
alvin




Re: hacked: can't delete files

2005-08-23 Thread Joe Smith
If you want to press charges and if the attack had anything in any way 
related to the United States then contact the US FBI. Why? I don't know, 
but that is what the news companies here in the US suggest.


The fact that you have the attacker's hotmail address is nice. Believe it or 
not the cracker may be more than willing to discuss the break-in. On the 
other hand, trying to contact him or her[1] may make it harder to ever 
prosecute him/her simply because it could scare him/her into hiding.


If the breakin was on a machine with nothing too important, i would 
personally try contacting the cracker, but that is just me.




[1] I'm not sure I have heard of female crackers, but I'm fairly sure they 
exist, or at least could exist. 








Re: hacked: can't delete files

2005-08-22 Thread Dalibor Straka
Hello world!\n

On Tue, Aug 23, 2005 at 02:06:24PM +1200, Andreas Hatz wrote:
 Hello,


 Now try to delete:

 ns:/usr/lib/libsh# rm -rf *
 rm: cannot unlink `hide': Permission denied
 rm: cannot remove directory `utilz': Permission denied

This could be caused by modified rm or some kernel module.
The easiest way is to boot to knoppix and remove this. Then
delete the whole system and install new ;-)

-- Dalibor Straka
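
The clean-media check that Jude, Alvin and Dalibor all point at (boot a rescue disk and verify the suspect binaries with tools the intruder never touched), written out as an added example that is not from any poster: it compares each file under a mounted root with the MD5 that dpkg recorded in /var/lib/dpkg/info/*.md5sums at install time. Assumptions: the suspect disk is mounted read-only at a path you pass in (the demo builds a constructed throwaway tree instead), the md5sums files themselves sit on that same disk and could have been edited too, so a match is only as trustworthy as that metadata, and Debian's debsums package automates the same comparison.

```shell
#!/bin/sh
# Offline integrity check: compare every file dpkg recorded for each package
# (/var/lib/dpkg/info/<pkg>.md5sums on the suspect disk) with its current
# MD5, using the md5sum binary of the rescue system, not the suspect's.
# Usage: verify_dpkg_md5sums /mnt     (suspect root mounted read-only)
# Prints MODIFIED/MISSING lines; exit status 0 only if nothing differs.
verify_dpkg_md5sums() {
    root=${1%/}
    bad=0
    for list in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        # each line is "<md5>  <path relative to />"
        while read -r want path; do
            [ -n "$path" ] || continue
            file="$root/$path"
            if [ ! -f "$file" ]; then
                echo "MISSING  $pkg /$path"
                bad=$((bad + 1))
                continue
            fi
            have=$(md5sum "$file" | cut -d' ' -f1)
            if [ "$have" != "$want" ]; then
                echo "MODIFIED $pkg /$path"
                bad=$((bad + 1))
            fi
        done < "$list"
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample root (not a real system): one package manifest covering
# three files; /bin/rm is then overwritten and /bin/cat never existed.
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/var/lib/dpkg/info" "$tree/bin"
    printf 'clean ls\n' > "$tree/bin/ls"
    printf 'clean rm\n' > "$tree/bin/rm"
    {
        echo "$(md5sum "$tree/bin/ls" | cut -d' ' -f1)  bin/ls"
        echo "$(md5sum "$tree/bin/rm" | cut -d' ' -f1)  bin/rm"
        echo "d41d8cd98f00b204e9800998ecf8427e  bin/cat"
    } > "$tree/var/lib/dpkg/info/coreutils.md5sums"
    printf 'replaced rm\n' > "$tree/bin/rm"   # simulate a trojaned binary
    echo "$tree"
}

# Stand-alone demo on the constructed tree; on a real rescue boot you would
# call verify_dpkg_md5sums on the mount point instead.
demo=$(make_sample_tree)
verify_dpkg_md5sums "$demo" || echo "differences found under $demo"
```

A file that matches here can still be bad if the intruder rewrote the md5sums manifest as well, so cross-check suspicious packages against a freshly downloaded .deb from a trusted mirror.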





Re: hacked: can't delete files

2005-08-22 Thread Alvin Oga


On Tue, 23 Aug 2005, Dalibor Straka wrote:

... 
  ns:/usr/lib/libsh# rm -rf *
  rm: cannot unlink `hide': Permission denied
  rm: cannot remove directory `utilz': Permission denied

fun stuff ...
 
 This could be caused by modified rm or some kernel module.
 The easiest way is to boot to knoppix and remove this. Then
 delete the whole system and install new ;-)

if you're gonna re-install ...
- just wipe the disk and install, why bother with knoppix ??



personally... i think any hacked machine should be looked over
carefully to be able to answer the following:
- who broke in
- how did they get in
- why did they break in ( sometimes there's no answer )
- where they came from
- how many times did they come in
- how many prev attempts did they try
- how long before you noticed them
- what other machines did they break into
  ( esp for those of you that like passwordless logins )
- what text files were read or edited
- which binaries and libraries did they modify
- what extra directories and files exists
- what did they sniff and for how long ( passwds )
- .. endless list ..

- reinstalling a hacked box is the worst thing to do in my book
  but by the same token is the best if you don't want to answer
  the above questions, esp how did they break in

- since they sniffed your wire,  what's your new passwd
or are you gonna use the same loginID and passwords ??

( why bother reinstalling if you don't at least change these )

- remove their trojans, apply your patches and see if they 
  can break in again ... they will probably be back to knock
  on your door again, but more quietly the 2nd time

- change your passwd only on the local console,
and NEVER change passwd remotely

- gazillion things to do after a breakin ...
- it's 1000x cheaper to prevent the initial breakin ..

c ya
alvin






Re: hacked: can't delete files

2005-08-22 Thread Arne Götje (高盛華)
On Tuesday 23 August 2005 12:57, Alvin Oga wrote:
 personally... i think any hacked machine should be looked over
 carefully to be able to answer the following:
   - who broke in
   - how did they get in
   - why did they break in ( sometimes there's no answer )
   - where they came from
   - how many times did they come in
   - how many prev attempts did they try
   - how long before you noticed them
   - what other machines did they break into
 ( esp for those of you that like passwordless logins )
   - what text files were read or edited
   - which binaries and libraries did they modify
   - what extra directories and files exists
   - what did they sniff and for how long ( passwds )
   - .. endless list ..

Nice... can you also provide some info on how to find answers to these 
questions? This would be very useful... just in case. :)

Cheers
Arne
-- 
Arne Götje (高盛華) [EMAIL PROTECTED] 
(Spam catcher.  Address might change in future!)
PGP/GnuPG key: 1024D/685D1E8C
Fingerprint: 2056 F6B7 DEA8 B478 311F  1C34 6E9F D06E 685D 1E8C
Key available at wwwkeys.pgp.net.   Encrypted e-mail preferred.


