Protollix
05-01-03, 06:26 AM
Ok, I am no security expert, but I am a fast learner and usually resourceful on the net. I can find information out fairly quickly.
Anyhow, I just wanted to run this by people here and see what you have to say.
About a week or so ago, I got a RedHat notification about an exploit in fileutils (I think) and that it should be upgraded. So I tried to do the usual rpm -Uvh rpmname.rpm; that didn't work because of the attributes set on the files involved (ls, mv, cp, etc.). So for some reason I removed the rpm package (rpm -e rpmname.rpm)! Of course this removed utils like "mv" and "ls" that I kind of need to run the system. It was like 4am. I had just put in 16 or so hours on site at a client's office and been up for like 36 hours. I was TIRED as all get out. Still no excuse for doing something so stupid.
Anyhow, I tried to reinstall the rpm and apparently the uninstall didn't remove everything and left a couple things around. So the rpm re-install failed. I finally got it installed by removing all the attributes from the files and then resetting them afterwards.
However, I am now seeing this from chkrootkit output after this happened:
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
I was just *assuming* that pstree and login were part of the fileutils package since I started noticing it right after the above "accident" happened. However, pstree and login are NOT part of fileutils. To be honest, I am not sure which package they are a part of now, but around noon I will be investigating such things further.
On with the story. Along with this, I am getting other messages from chkrootkit about possible trojans installed. I equated this with the above two files and thought nothing of it. I noticed in the cpanel update log, cpanel tried to update netutils (??) and something else.
Anyhow, today I received a message from CPanel about hidden PIDs. Seems a customer has installed three eggdrops. I know this guy, and we are in a gaming clan together. He's a good all-around guy, but he does do some warez stuff. Now, what he does in his personal time is of no concern to me. However, these eggdrops were being used for warez purposes (DAL.net apparently) on MY server. I don't think he was storing warez ON the server, but it's dealing in illegal activities so I killed the processes and emailed him about it.
I also found a bouncer on the system:
binary location: [/dev/proc/kaka/psybnc]
Another possible security problem and something that shouldn't be running.
With that said, I saw this for the first time (I believe) today:
Checking `aliens'...
/dev/proc/****it/fk.tgz
I also killed a process today called <startdir>/****it/haxor
That really caught my eye, but I wasn't quite sure what it was.
I have also been seeing this for a little while:
Searching for Romanian rootkit ... /usr/include/file.h /usr/include/proc.h
*sigh*
So apparently I have been rooted, no? I cannot check the system right now as I had to run to a client's site again. Around noon I can work on this though and will be for the rest of the day. Am I going to have to reinstall the OS (ARGH!!)?
Like I said, security is not my main strength, but it is something I have been reading more and more on since I started hosting.
I had firewall rules in place, but apparently irc ports are still open (I have that range specifically blocked). Is bandmin messing up my ipchains?
Needless to say, I am not a happy camper right now.
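A small triage parser for the kind of chkrootkit output quoted in the post above: it sorts the findings into trojaned binaries, benign "not found" checks, paths reported under the aliens check, and rootkit-signature hits, then says whether the evidence points to a root-level compromise. This is an added example, not code from the original post or from chkrootkit; the sample lines are constructed to mirror the post (the censored hidden directory is replaced with a placeholder).

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the chkrootkit lines quoted in the post (not real output).
SAMPLE_OUTPUT = """\
Checking `login'... INFECTED
Checking `ls'... not infected
Checking `pop2'... not found
Checking `pstree'... INFECTED
Checking `aliens'...
/dev/proc/example_dir/fk.tgz
Searching for Romanian rootkit ... /usr/include/file.h /usr/include/proc.h
Searching for suspicious files and dirs, it may take a while... nothing found
"""

CHECK_RE = re.compile(r"^Checking `(?P<name>[^']+)'\.\.\.\s*(?P<verdict>.*)$")
SEARCH_RE = re.compile(r"^Searching for (?P<what>.+?)\s*\.\.\.\s*(?P<hits>.*)$")

@dataclass
class Triage:
    infected: list = field(default_factory=list)      # binaries chkrootkit flagged INFECTED
    not_found: list = field(default_factory=list)     # binaries simply absent (pop2/pop3): benign
    alien_paths: list = field(default_factory=list)   # paths listed under "Checking `aliens'"
    rootkit_hits: dict = field(default_factory=dict)  # "Searching for X" -> files it matched

def triage_chkrootkit(text):
    """Parse chkrootkit output into buckets a responder can act on."""
    t, in_aliens = Triage(), False
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            name, verdict = m["name"], m["verdict"].strip()
            in_aliens = name == "aliens"            # paths that follow belong to the aliens check
            if verdict == "INFECTED":
                t.infected.append(name)
            elif verdict == "not found":
                t.not_found.append(name)
            continue
        m = SEARCH_RE.match(line)
        if m:
            in_aliens = False
            hits = m["hits"].strip()
            if hits and hits != "nothing found":
                t.rootkit_hits[m["what"]] = hits.split()
            continue
        if in_aliens and line.startswith("/"):
            t.alien_paths.append(line.strip())
    return t

def rebuild_recommended(t):
    """True when evidence points to root-level compromise: trojaned system
    binaries, rootkit signature hits, or payloads hidden under /dev."""
    hidden_in_dev = any(p.startswith("/dev/") for p in t.alien_paths)
    return bool(t.infected) or bool(t.rootkit_hits) or hidden_in_dev
```

Regular files under /dev and trojaned login/pstree are exactly what a rebuild-from-known-good-media decision rests on; "not found" entries (pop2, pop3) just mean the daemon is not installed.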