lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 5 Dec 2011 10:58:29 +0000
From: Dan Ballance <tzewang.dorje@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: one of my servers has been compromized

I'm no expert, but here's something to get you started while you wait for
more experienced replies. Check for root kits:

sudo apt-get install rkhunter
sudo rkhunter --update
sudo rkhunter --check

On 5 December 2011 10:44, Lucio Crusca <lucio@...web.org> wrote:

> Hello *,
>
> I'm not new here, but I've mostly lurked all the time through gmane. I
> never
> believed it could happen to me until it actually happened: they compromized
> one of my servers. It's a Ubuntu 10.04 server with all security patches
> regularly applied. I'm inclined to believe they used some hole in the web
> application, which is a old customized Virtuemart version (1.1.3), which is
> not upgradable because of the invasive code customizations (I'm not the
> author of that code, so I have no clue about what had been changed back
> then).
>
> Now the problem for me is to track down the security hole. Here is the
> email
> my provider received and forwarded to me:
>
> > Subject: ISP Report; botnet activity on irc.undernet.org
> > [...]
> >
> > Hello, I am an operator on the irc chat network,
> > irc.undernet.org and i would like you to investigate the
> > owner of the Ip addresses that are listed at the foot of this
> > email.
> >
> > This/These host(s) have likely been compromised, and had an
> > altered/rogue process installed on it, and was part of a botnet
> > that was found on our network.
> >
> > The exploit or compromise running on this system is likely
> > to be an irc bot. Can you please alert the person who is
> > responsible, for its security to patch/upgrade, remove the
> > irc process and secure their system.
> >
> > = Unix System owners =
> > A favourite place for hiding the bot(s) is in tmp
> > and in /var/tmp/ or /dev/shm/ or in a users home directory
> > sometimes it may be hidden like /tmp/".  ."/ or similar.
> >
> > The bot files can usually be found by running these one line
> > commands as the root user.
> >
> > find / -exec grep -l "undernet" {} +
> > find / -exec grep -l "sybnc" {} +
> > find / -name "*.set" | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
> > find / -name "inst" | perl -pe 's/.\/\w+-(\w+)-.*/$1/' | sort | uniq
> >
> > netstat -tanp
> > lsof -i tcp:<Port number>
> >
> > *netstat looking for connections to remote port 6667 or the
> > range of ports between 6660-7000 once you find the port you
> > can use the command, lsof -i tcp:portnumber to determine
> > which process/user it is running under, and terminate it.
> >
> > = Windows System Owners =
> > most windows bots are mIRC scripted bots and generally
> > need a file called mirc.ini to run, you should search for
> > this file. Run a good antivirus scanner and firewall.
> >
> > This Ip/host may be removed from our Irc network due to the
> > risks it presents to our users.
> >
> > Should you need any help with removing the files or bot
> > process, feel free to contact me by mail or on our network,
> > which you connect to using any irc client and issuing
> > /server irc.undernet.org
> >
> > I look forward to your reply
> > Scot
> >
> > * Affected host/IPs, capture time is GMT+1: United kingdom
> > and servers they were connected to.
> >
> > Please note: when resolving server names to IP Addresses
> > that all our servers end with .undernet.org (for example)
> > Tampa.FL.US. is actually  Tampa.FL.US.undernet.org
> >
> > Important: If you reply to this mail needing further
> > information, please leave this mail intact, or supply us
> > with the IP Address(es) in question, as we reference these
> > mails by the unique IP Address
> >
> > Time of Capture: DECEMBER 3, 2011 10:03:48 PM
> >
> > List of IP address(es) and server it connected to:
> > my.server.ip.address (CHICAGO.IL.US
> >
> > BUDAPEST.HU.EU
> >
> > MONTREAL.QC.CA.undernet.org)
> >
>
> I've run the "find" commands and found a number of file with the first
> "find", under /tmp/.m
>
> Deleted them, looked up remote connections with netstat, killed perl
> processes that where trying to connect to port 6959 (only trying because
> I've now set up iptables so that they actually can't), but those processes
> kept spawning. Checked crontab of www-data, found the launcher, removed it.
>
> Now the problem is: how do I pervent further abuse? What should I search in
> the logs (if anything) to spot the security hole?
>
> TIA
> Lucio.
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ