[NTLUG:Discuss] Intrusion and Detection
Kenneth Loafman
ken at lt.com
Mon Dec 24 13:46:11 CST 2001
Thanks to all that answered!
I don't know which ssh bug it was per se, but I do read bugtraq and it
has been out for quite a while. My laziness caused this, not keeping
ssh up to date. That was the only port going to the machine, except 7
for ping, and I can't remember any exploits, except DoS, for ping.
I've been doing some forensics and it's an interesting root kit (like I
said, he left the entire .tgz on the system), not only do the usual
suspects get replaced, but they also do crond and crontab (crontab was
replaced by a binary, not text, file). I have not disassembled the
cron* stuff yet, but I suspect I'll find that it ships some stuff off to
an IP addy that I can use to work backwards to the cracker (that plus
the firewall logs will eventually tell me where he came from). It'll be
sort of like tracking spam, only I'll need to be more careful. The IP
he's going to is possibly just a relay.
The other interesting part is the chattr to non-mutable on a bunch of
the files. All that accomplished was a bit of head-scratching on my
part till I remembered about chattr. Used that and find to locate some
of the files, but that was just the /bin stuff. The kit hit /bin,
/usr/bin, /sbin and installed something called 'eu' in /usr/sbin (that
string appears in the binary crontab that he installed).
I also suspect that the kit was actually 2 kits tied together. One of
the directories he used was hidden by the fake ls, while the other was
in plain sight. Could be intentional, but some of the install code has
a different style and that makes me think it's 2 kits.
Altogether, it's been an educational few days. Learned more about
security than I wanted to know, but it's been fun. The system did not
contain any sensitive data, more of a transfer point for me. If he did
download anything, it was already encrypted and he'd need the
passphrase, and that's different than the password for SSH.
It's been fun, not as much fun as taking apart viruses, but fun indeed.
Glad the machine was not a primary. Gives me time to dissect and
examine. Still trying to figure out what the goal of the attack was. I
think I'll have to take things apart piece by piece until I find out.
It's not obvious.
...Ken
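The chattr trick Ken describes (the kit setting the immutable attribute on its replaced binaries) is easy to surface once you know to look for it. The script below is an added example, not part of the post: it parses the output of e2fsprogs' `lsattr -R` (assumed format: attribute field, whitespace, path) and reports files carrying +i or +a, with an allowlist for files you locked yourself. The sample output and the `/usr/sbin/eu` path in it are constructed.

```python
"""Report immutable (+i) and append-only (+a) files from `lsattr -R` output.

Added example, not from the original mailing-list post. Assumes the
e2fsprogs `lsattr` line format: an attribute field of letters and dashes,
whitespace, then the path. Rootkits sometimes `chattr +i` the binaries
they replace so that `rm`, `mv` and package reinstalls fail; scanning the
attribute field lets a defender list those files in one pass.
"""
import re

# Constructed sample of `lsattr -R /bin /usr/sbin /var/log 2>/dev/null`.
# '/usr/sbin/eu' is a hypothetical path named after the file in the post.
SAMPLE_LSATTR = """\
-------------e-- /bin/bash
----i--------e-- /bin/ls
----i--------e-- /bin/ps
-----a-------e-- /var/log/secure
-------------e-- /usr/sbin/sshd
----i--------e-- /usr/sbin/eu
lsattr: Operation not supported While reading flags on /proc
"""

# The attribute field is at least 13 characters on every e2fsprogs release,
# which keeps error lines such as the last sample line from matching.
LINE_RE = re.compile(r"^(?P<attrs>[-a-zA-Z]{13,})\s+(?P<path>\S.*)$")


def parse_lsattr(text):
    """Yield (attribute_string, path) for each well-formed lsattr line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("attrs"), m.group("path")


def find_locked_files(text, expected=frozenset()):
    """Return sorted (path, flags) for files with +i or +a not in `expected`.

    `expected` is an allowlist of paths that are legitimately locked, so only
    surprises are reported. Flag letters are case-sensitive: 'a' is
    append-only, while 'A' (no atime updates) is deliberately ignored.
    """
    hits = []
    for attrs, path in parse_lsattr(text):
        flags = "".join(f for f in ("a", "i") if f in attrs)
        if flags and path not in expected:
            hits.append((path, flags))
    return sorted(hits)


if __name__ == "__main__":
    for path, flags in find_locked_files(SAMPLE_LSATTR, {"/var/log/secure"}):
        print(f"{path}: +{flags}")
```

On a live box, feed it `lsattr -R / 2>/dev/null` and compare the result against a package manager's file list; a +i on /bin/ls or /bin/ps that you did not set yourself is worth a closer look.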