been hacked / rootkit

My server has been compromised. Running FC4, kernel 2.6.17. I logged in via terminal and noticed the last login was from an IP unknown to me, so I was suspicious.
Then I tried to shut down the machine and got the following:

Code:
Broadcast message from root (pts/0) (Tue Dec  9 18:50:41 2008):

The system is going down for system halt NOW!
/dev/null
****: Can't open /dev/kmem for read/write (2)
[root@linux ~]#

What can I do now? I was just thinking of upgrading in place to FC10. Data-wise I'm OK, but the server scripts have been customised a lot and I feel like I will lose too much custom setup if I have to re-format and go through it all again.

Is it possible to just clean and remove all the offending bits etc?

Many Thanks.

Output of Chkrootkit below:

Code:
[root@linux chkrootkit-0.48]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... INFECTED
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not found
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... INFECTED
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... /etc/ld.so.hash
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi/auto/Net/SSLeay/.packlist /usr/lib/perl5/5.8.6/i386-linux-thread-multi/.packlist

Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit...  /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have    14 process hidden for readdir command
You have    95 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient, /sbin/dhclient)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... chkutmp: nothing deleted
[root@linux chkrootkit-0.48]#
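The report above is long and most of it is noise; what matters is which binaries came back INFECTED, which signature searches fired, and the hidden-process counts from the `lkm' test. Below is an added triage script (not part of the thread, not chkrootkit's own code) that parses chkrootkit text output into those three buckets. The sample report embedded in it is a constructed excerpt modelled on the posted output.

```python
"""Triage helper for chkrootkit text output (added example, not part of the thread).

Groups the report into: trojaned binaries, rootkit/LKM signature hits,
hidden-process counts, and leftover lines that need a human look.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the chkrootkit run posted above.
SAMPLE_REPORT = """\
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `netstat'... INFECTED
Checking `pstree'... INFECTED
Checking `top'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 \\(or variation\\) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Suckit rootkit... Warning: /sbin/init INFECTED
Searching for ShKit rootkit default files and dirs... Possible ShKit rootkit installed
Checking `lkm'... You have    14 process hidden for readdir command
You have    95 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient, /sbin/dhclient)
Checking `wted'... chkwtmp: nothing deleted
"""

CHECK_RE = re.compile(r"^Checking `([^']+)'\.\.\. (.*)$")
SEARCH_RE = re.compile(r"^Searching for (.+?)\.\.\.\s*(.*)$")
HIDDEN_RE = re.compile(r"You have\s+(\d+) process hidden for (\w+) command")

# Results chkrootkit uses for "nothing to see here".
CLEAN = ("not infected", "not found", "not tested", "nothing found",
         "nothing deleted", "nothing detected")


@dataclass
class Triage:
    infected: list = field(default_factory=list)   # binaries reported INFECTED
    rootkits: list = field(default_factory=list)   # (test, message) signature hits
    hidden: dict = field(default_factory=dict)     # command -> hidden process count
    other: list = field(default_factory=list)      # non-clean lines for manual review

    def severity(self) -> str:
        """Any trojaned binary, signature hit or hidden process means the box
        cannot be trusted; userland tools (ps, top, netstat) are lying."""
        return "compromised" if (self.infected or self.rootkits or self.hidden) else "clean"


def parse_chkrootkit(report: str) -> Triage:
    t = Triage()
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HIDDEN_RE.search(line)            # the lkm test: processes hidden from readdir/ps
        if m:
            t.hidden[m.group(2)] = int(m.group(1))
            continue
        m = CHECK_RE.match(line)              # Checking `name'... result
        if m:
            name, result = m.groups()
            if result == "INFECTED":
                t.infected.append(name)
            elif not result.endswith(CLEAN):
                # e.g. the sniffer test: dhclient legitimately opens PF_PACKET,
                # so this is "review", not "alert".
                t.other.append(line)
            continue
        m = SEARCH_RE.match(line)             # Searching for <rootkit>... result
        if m:
            target, result = m.groups()
            low = result.lower()
            if "infected" in low or "rootkit installed" in low or "trojan" in low:
                t.rootkits.append((target, result))
            elif result and not result.endswith(CLEAN):
                t.other.append(line)          # stray paths listed by the suspicious-files scan
            continue
        low = line.lower()
        if "trojan" in low or "rootkit" in low:
            # Free-standing warnings such as "chkproc: Warning: Possible LKM Trojan installed"
            prefix, _, rest = line.partition(": ")
            t.rootkits.append((prefix, rest))
    return t


def summarize(t: Triage) -> str:
    lines = [f"verdict: {t.severity()}"]
    lines.append("infected binaries: " + (", ".join(t.infected) or "none"))
    for test, msg in t.rootkits:
        lines.append(f"signature hit [{test}]: {msg}")
    for cmd, n in t.hidden.items():
        lines.append(f"{n} processes hidden from {cmd}")
    for line in t.other:
        lines.append("review: " + line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_chkrootkit(SAMPLE_REPORT)))
```

Run it against a saved `./chkrootkit > report.txt` and the first line tells you whether the rest of the report can be skimmed or whether, as here, the only sound next step is rebuilding from known-good media, since every tool you would use to investigate (ps, top, netstat, init itself) is reported as replaced.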
 
OK thanks guys, will bite the bullet and do a reformat and reinstall fresh, and customise the box again.

Linux hacked? Surely not! :p

If your custom scripts are not too long, you could save them. When you reinstall, go over them with an electron microscope.

Did your server allow remote access (ssh)?
Yeah, I needed it to have SSH access (with password). My only mistake I can think of is allowing root login. I would never have expected that to be compromised, so we cannot even trust SSH anymore :confused:. Behind router firewall, ports were blocked except 80, 21, 22; server had not run any new executables for the past 2 years.

FC4 is very old, I doubt it's still supported. You got what you deserve.
It was updated to FC7 via YUM, the Kernel is reasonably new 2.6.

Can someone recommend me a different server dist? (Main requirement is LAMP) Might be a good time to change now.

Never had this problem with my Windows boxes, and they're used for the majority of the time, always doing 'new' things.

I can scarcely believe it :eek:, it's supposed to be the other way around :(
 
Thanks for the tips guys. Went with Debian and it seems so much more organised than FC.

Have disabled root login, and using fail2ban (like DenyHosts but better).

Better make a backup image this time...
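Disabling root login is the right move, but it is easy to believe the directive took effect when sshd is actually reading an earlier line or a default. As an added example (not part of the thread and not OpenSSH's own tooling), the script below audits an sshd_config for the two settings discussed here, PermitRootLogin and PasswordAuthentication, plus SSH protocol 1, using sshd's rule that the first occurrence of a keyword wins. The two configs embedded in it are constructed: a weak one resembling a 2008-era stock install and its hardened counterpart. It assumes that an unset PermitRootLogin behaves like the old default of "yes" (the worst case for an audit) and ignores anything after the first Match block.

```python
"""Audit an sshd_config for password/root-login exposure (added example, not from the thread)."""

# Constructed sample: the kind of config a password-protected root login sits behind.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample: same file after disabling root login and passwords.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return {keyword_lower: value}. sshd uses the FIRST value it reads for a
    keyword, so a hardened line appended below a weak one does nothing; this
    parser mirrors that with setdefault. Directives inside a Match block apply
    only conditionally, so parsing stops there (assumption for this audit)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """Return a list of findings; an empty list means the checked settings are sound."""
    s = parse_sshd_config(text)
    findings = []
    # Treat an unset PermitRootLogin as "yes", the pre-OpenSSH-7.0 default (assumption).
    root = s.get("permitrootlogin", "yes").lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in directly with a password; "
                        "set 'no' (or 'prohibit-password' if root needs key-only access)")
    pw = s.get("passwordauthentication", "yes").lower()     # OpenSSH default is yes
    if pw == "yes":
        findings.append("PasswordAuthentication yes: exposed to online password guessing; "
                        "set 'no' and deploy keys")
    protocols = [p.strip() for p in s.get("protocol", "2").split(",")]
    if "1" in protocols:
        findings.append("Protocol includes 1: SSH protocol 1 is cryptographically weak; "
                        "set 'Protocol 2'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for f in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", f)
```

Point it at `/etc/ssh/sshd_config` after editing and before restarting sshd; the first-value-wins behaviour is the usual reason a "disabled" root login still works. fail2ban, mentioned above, limits how many guesses an attacker gets, whereas turning off password authentication removes the guessing surface entirely.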
 
Changing SSH port is OK.. but it's not really the answer. You need to find out HOW they got in.. if it was via SSH, it's not because it was on port 22, it's because something was exploited/username and password guessed etc.

All changing the port does is stop people "stumbling" across the fact that SSH is open. Did they even get in via SSH originally? Or did they exploit another service which then allowed them to login via SSH? Did they even use SSH? Lots of different things to consider.

Anyway, it looks like you've moved to Debian now.. just keep up to date with security.debian.org - apt-get update/apt-get upgrade. Also subscribe to the Debian Security mailing list, so when new packages get uploaded, you can see if you use them and if so, get the upgrade done ASAP.
Of course, even this isn't completely safe, but then.. the only way to fully secure a server is to turn it off.. which isn't always ideal.. so it's the next best thing. :D

Good choice on choosing Debian! :)

I think it was through SSH, because when I logged in as root it said the last time it was logged in was through IP 79.117.98.85 and this IP had nothing to do with me. The root pass was still the same. Could have been through a different service then to SSH but was so difficult to tell. The logs had been tampered as had many of the other commands like top, ps.

Even if it was hijacked through another service, how would they have derived the root password? I haven't stored it on the system and AFAIK it's not available to read from anywhere, and the most you could do is reset it.

(I haven't changed the port, that's what someone else was doing.)
 