• My system was hacked...how?

    From Andres@110:300/1.98 to All on Thu Aug 4 19:38:06 2011
    Hello,
    One of my linux servers was hacked recently. I closed all connections
    to the offending IP (japan) and now I am looking at what happened.

    I found the following files on /dev/shm/tmp:
    binary executables: do, ss
    scripts:

    I ran ldd on do and it is linked using libc.so.6 and ld-linux.so.6. ss is
    not a dynamic executable (does that mean that it is statically linked?)

    Also a bunch of ASCII files, each one of them containing a list
    of IP addresses...a lot of them.

    go script:
    ./ss 5901 -a $1 -i eth1 -s 8
    cat bios.txt | sort | uniq > $1.vnc
    ./do $1.vnc
    rm -rf bios.txt
    sh x

    do script:


    --- FIDOGATE 4.4.10
    * Origin: FTN Gate on kofobbs.net (110:300/1.98)
  • From Andres@110:300/1.98 to All on Thu Aug 4 19:42:41 2011
    Hello,
    One of my linux servers was hacked recently. I closed all connections
    to the offending IP (japan) and now I am looking at what happened.

    I found the following files on /dev/shm/tmp:
    binary executables: do and ss
    script: go

    I issued a "ldd do" and it is linked using libc.so.6 and ld-linux.so.6.
    ss is not a dynamic executable (does that mean that it is
    statically linked?)

    Also a bunch of ASCII files, each one of them containing a list
    of IP addresses...a lot of them.

    go script:
    ./ss 5901 -a $1 -i eth1 -s 8
    cat bios.txt | sort | uniq > $1.vnc
    ./do $1.vnc
    rm -rf bios.txt
    sh x

    pass script:
    -----
    aloha
    delta
    alohaboh
    kyma
    pos

    --------------

    Before I closed the connection I did a ps -ef and I got this:

    ./ss 5901 -a 209 -i eth1 -s 8

    There was a lot of traffic going to a certain IP in Japan listening on
    port 5901 at that moment.


    How can I detect what security breach was exploited on my system?

    Thank you very much,
    Andres


  • From unruh@110:300/1.98 to Andres on Thu Aug 4 23:11:41 2011
    On 2011-08-04, Andres <vandresv@gmail.com> wrote:
    Hello,
    One of my linux servers was hacked recently. I closed all connections
    to the offending IP (japan) and now I am looking at what happened.

    That is far from enough. If it has been hacked you have to assume he
    can get into your system from anywhere in the world. Your closing off
    that one IP will not stop him for even a millisecond (in fact that IP
    was probably a machine he had hacked into before and he is entirely
    elsewhere).

    Remove the machine from the net entirely. Wipe it and reinstall. Then,
    after restoring the backup and before connecting it to the net, do a
    search for suid/sgid files, especially root-owned files. And search
    everywhere, even (and especially) in /tmp, /dev, /proc, /sys,....

    find / -perm /6000
    and check each and every one of those files to make sure it should be
    suid or sgid.
    I had a root hack, and there were suid files like /tmp/banana,
    /dev/.sda1, /home/unruh/..newsrc
    which were clearly files to be used for breaking in.




    I found the following files on /dev/shm/tmp:
    binary executables: do, ss
    scripts:

    I ran ldd on do and it is linked using libc.so.6 and ld-linux.so.6. ss is
    not a dynamic executable (does that mean that it is statically linked?)

    Also a bunch of ASCII files, each one of them containing a list
    of IP addresses...a lot of them.

    go script:
    ./ss 5901 -a $1 -i eth1 -s 8
    cat bios.txt | sort | uniq > $1.vnc
    ./do $1.vnc
    rm -rf bios.txt
    sh x

    do script:


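    A worked version of that suid/sgid sweep, added here as an example and not part of unruh's post: it runs find -perm /6000 over a tree and flags the hits that sit where a legitimate setuid binary never should (temp directories, /dev, home directories, or any path component starting with a dot, which is exactly the pattern of /tmp/banana, /dev/.sda1 and /home/unruh/..newsrc quoted above). The sample tree it builds under mktemp is constructed for the demonstration, and the location rules and function names are my own assumptions. On a real machine point it at / from a clean boot environment, because find itself may have been replaced on the compromised host.

```shell
#!/bin/sh
# Sweep a tree for setuid/setgid files and flag the ones that live where no
# legitimate setuid binary should: temp dirs, /dev, home directories, or any
# path component that starts with a dot. Location rules are an assumption.

# List every regular file with the setuid or setgid bit set under $1.
list_suid() {
    find "$1" -type f -perm /6000 2>/dev/null
}

# Print the setuid/setgid files under $1 whose location is suspicious.
# $1 is the root of the tree (use / on a real system); each hit is printed
# relative to that root so the same rules apply to a mounted disk image.
suspicious_suid() {
    root=${1%/}
    list_suid "$root" | while IFS= read -r f; do
        rel=${f#"$root"}
        case "$rel" in
            /tmp/*|/var/tmp/*|/dev/*|/home/*|/root/*) echo "$rel" ;;
            */.*) echo "$rel" ;;     # hidden file or directory anywhere in the path
        esac
    done
}

# Number of suspicious hits, for scripting and for the checks below.
count_suspicious() {
    suspicious_suid "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: one legitimate setuid binary, three planted ones
# (mirroring the paths quoted in the thread) and one ordinary binary.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/tmp" "$t/dev" "$t/home/unruh"
    for p in usr/bin/passwd tmp/banana dev/.sda1 home/unruh/..newsrc; do
        : > "$t/$p"
        chmod 4755 "$t/$p"
    done
    : > "$t/usr/bin/ls"
    chmod 755 "$t/usr/bin/ls"        # not setuid, must not be reported
    echo "$t"
}

# Usage: sweep.sh [ROOT]. With no argument, demonstrate on the sample tree.
if [ -n "${1-}" ]; then
    suspicious_suid "$1"
else
    T=$(make_sample_tree)
    suspicious_suid "$T"
    rm -rf "$T"
fi
```

    Every line the sweep prints has to be explained by a package or by an administrator; anything else is the attacker's persistence and should be preserved as evidence before the wipe rather than simply deleted.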
  • From Lusotec@110:300/1.98 to All on Fri Aug 5 12:44:59 2011

    Andres wrote:
    One of my linux servers was hacked recently. I closed all connections
    to the offending IP (japan) and now I am looking at what happened.
    (snip)

    Completely disconnect the machine from the network. Blocking an IP will do nothing to stop an attacker. The forensic analysis should be done with the compromised system off-line.

    Also report the case to the authorities. Your system may have been used to attack other systems, and you don't want to be seen as a suspect.

    How can I detect what security breach was exploited on my system?

    1) Check the logs.

    2) Compare the files in your compromised system against the files in a known good backup, in particular executable and configuration files.

    3) Consult an expert.

    Regards.


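    Step 2 of Lusotec's list, comparing the compromised system against a known-good backup, as an added example that is not part of the post: it hashes every regular file in two trees, then reports what was added (a dropped binary such as ss in /dev/shm), changed (an edited configuration file) and removed (a wiped log). The two sample trees are constructed under mktemp for the demonstration; the output labels, function names and sample file contents are my own assumptions. Run it from a clean environment against the mounted disk of the compromised machine, since find and sha256sum on a rooted host may themselves have been replaced.

```shell
#!/bin/sh
# Compare a live (compromised) tree against a known-good copy by content hash
# and report files that were ADDED, CHANGED or REMOVED. Run from a clean
# environment: the tools on a rooted box may have been trojaned.

# Pick a SHA-256 tool: GNU coreutils has sha256sum, BSD/macOS have shasum.
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# Print "hash  ./relative/path" for every regular file below $1, sorted by
# path. Paths containing whitespace are not handled (awk splits on blanks).
hash_tree() {
    (cd "$1" && find . -type f -exec $HASH {} +) | sort -k2
}

# Diff two manifests produced by hash_tree: $1 = known good, $2 = live.
diff_manifests() {
    awk '
        NR == FNR { good[$2] = $1; next }                    # first file: known-good hashes
        {
            seen[$2] = 1
            if (!($2 in good))       print "ADDED   " $2    # not in the backup at all
            else if (good[$2] != $1) print "CHANGED " $2    # content differs from backup
        }
        END { for (p in good) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Wrapper: $1 = known-good root, $2 = live root.
compare_trees() {
    g=$(mktemp); l=$(mktemp)
    hash_tree "$1" > "$g"
    hash_tree "$2" > "$l"
    diff_manifests "$g" "$l"
    rm -f "$g" "$l"
}

# Constructed sample: a "backup" and a "live" tree that differ the way a
# compromised host typically does (new binary under /dev/shm, edited sshd
# config, missing auth log). Prints the two roots separated by a space.
make_sample_trees() {
    good=$(mktemp -d); live=$(mktemp -d)
    for r in "$good" "$live"; do
        mkdir -p "$r/usr/bin" "$r/etc/ssh" "$r/var/log"
        echo "ls-v1" > "$r/usr/bin/ls"                       # identical in both
    done
    echo "PermitRootLogin no"  > "$good/etc/ssh/sshd_config"
    echo "PermitRootLogin yes" > "$live/etc/ssh/sshd_config"
    echo "Aug  4 login ok"     > "$good/var/log/auth.log"   # absent on the live box
    mkdir -p "$live/dev/shm/tmp"
    echo "fake-scanner-binary" > "$live/dev/shm/tmp/ss"     # placeholder, not a real binary
    echo "$good $live"
}

# Usage: compare.sh GOOD_ROOT LIVE_ROOT. With no arguments, demonstrate on
# the constructed sample trees.
if [ "$#" -eq 2 ]; then
    compare_trees "$1" "$2"
else
    set -- $(make_sample_trees)
    compare_trees "$1" "$2"
    rm -rf "$1" "$2"
fi
```

    The known-good side does not have to be a full backup: a manifest produced the same way from fresh installation media or from the distribution's package database serves for executables and configuration files, which are the ones Lusotec singles out.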
  • From Jack McCue@110:300/1.98 to Lusotec on Fri Aug 5 14:47:54 2011
    Lusotec <nomail@nomail.not> wrote:

    <snip>

    Also report the case to the authorities. Your system may have been used to attack other systems, and you don't want to be seen as a suspect.
    Very good advice, I would never have thought of this; filed
    just in case :)

    <snip>
    John
