Hack Attempt?

  1. #1 (joined Jun 2003; location: People's Republic of North America (Former United States); 849 posts)

    Hack Attempt?

    I tried googling around to see if I could find anything on this but no luck. One of our developers found this on one of our production Linux servers at work. It's RHEL 4.5 (yes, I know it's old but he has code that he would have to rewrite to bring it up to 5.5 or 6.) I guess the best way to explain this is to just post the email he sent out yesterday. Has anyone ever seen this before? Here is the email he sent:

    "While doing some testing with SFTP from MSBCRS to DANTOM, I came across some interesting facts. There may have been an infiltration on the Gila-Navigate server as far back as 01/15/2010.
    There were 2 cron jobs that appeared, one under root and one under suppor. The crontab entries are below. The crontab entry for root has been removed, and CRS has been informed of, and will take their own action on the suppor entry.

    I searched for the footprints (a crontab entry and a “.a” sub-directory) on all Linux servers and found the following contamination.

    I found the directory where the infiltrator left his cache and copied it to my own directory for research purposes. We can try to remove it from where he left it if you like.

    Similar contamination has been found here:
    Host           Crontab   Owner                  Directory
    GILA-CRSTEST   bob       Bob O’Malley (CRS)     /tmp/.ICE-unix/.a/
    GILA-NAVIGATE  root      system                 /root/.hu/.a/
    GILA-NAVIGATE  suppor    CRS Support shared     /home/suppor/ /
    MSBCRS         mif       Miranda Fulencheck     /appl/crs/users/mif/.a/
    MSBCRS         bob       Bob O’Malley (CRS)     /home/bob/.a/
    MSBCRS         suppor    CRS Support shared     /tmp/.ICE-unix/.a/

    I do not believe any of the crontab owners know anything about this or what their logins are being used for, but they should all change their passwords to be safe.
    CRS Support changed the password for ‘suppor’ on 15-Dec-2010. They should be safe.
    The suppor contamination on GILA-NAVIGATE was to an impossible directory. Nothing could come of that.

    I recommend that all passwords for the logins listed above be changed, and that any trace of the hidden “.a” directories be removed.
    Unfortunately, I don’t know of any way to reverse-engineer the bogus httpd program to see what this ‘bot does. Further research on the internet may be called for here.

    Eric, have you heard of anything like this before?

    The crontab entries on GILA-NAVIGATE look like this:

    * * * * * /root/.hu/.a/update >/dev/null 2>&1
    * * * * * /home/suppor/ /update >/dev/null 2>&1

    That tells the standard Linux CRON to execute a command script once per minute, every minute of every day. The script (called update) checks a few things, and then, if conditions are right, runs a private program called httpd. The version that the bot runs is compiled, so I can’t tell exactly what it does, nor how. But since httpd is the name under which the normal web server program runs, a sysadmin wouldn’t necessarily notice anything wrong."
    Last edited by klackenfus; 12-28-2010 at 01:57 PM.
    I equivocate, therefore I might be.

    My Linux/Unix Boxes:
    Home: Slackware 10, CentOS 5.3, RHEL 5, Ubuntu Workstation 9.10, Work: RHEL 5, CentOS 5
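The two footprints the email describes (a crontab line that runs something out of a hidden directory, and hidden ".a" directories under /tmp/.ICE-unix or a home directory) can be swept for across servers with a short script. This is an added example, not code from the thread; all paths and the sample crontab are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: triage helpers for the two footprints the
# email describes, a crontab line that runs something out of a hidden directory
# and hidden ".a" directories under /tmp/.ICE-unix or a home directory.
# All paths and sample input below are constructed.

# Read crontab text on stdin; print each suspicious line prefixed with a reason.
flag_hidden_cron() {
    awk '
        /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
        /^[[:space:]]*[A-Za-z_]+=/ { next }      # MAILTO=..., PATH=... assignments
        {
            if ($1 ~ /^@/) {                     # @reboot, @daily: command is $2
                cmd = $2; every_minute = 0
            } else if (NF >= 6) {                # five schedule fields, then command
                cmd = $6
                every_minute = ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
            } else next
            # A command ending in "/" is a directory, not an executable: the
            # "/home/suppor/ /update" case, where the real path contained a space.
            if (cmd ~ "/$") { print "dir-as-command: " $0; next }
            # Any path component beginning with "." (other than "." or "..") is a
            # hidden directory, as in /root/.hu/.a/update.
            if (cmd ~ "/[.][^./]") {
                reason = every_minute ? "hidden-dir,every-minute" : "hidden-dir"
                print reason ": " $0; next
            }
        }'
}

# Print hidden ".a" directories below the given root (default /), staying on
# one filesystem. Run as root on a live host; pass a scratch tree for a dry run.
find_dot_a_dirs() {
    find "${1:-/}" -xdev -type d -name '.a' 2>/dev/null
}

# Constructed sample modelled on the entries quoted in the thread, plus one
# ordinary entry that must not be flagged.
SAMPLE_CRONTAB='* * * * * /root/.hu/.a/update >/dev/null 2>&1
* * * * * /home/suppor/ /update >/dev/null 2>&1
0 2 * * * /usr/sbin/logrotate /etc/logrotate.conf'

printf '%s\n' "$SAMPLE_CRONTAB" | flag_hidden_cron
```

On a live host, feed it every user's crontab (for u in $(cut -d: -f1 /etc/passwd); do crontab -l -u "$u" 2>/dev/null | flag_hidden_cron; done) and the files under /etc/cron.d; the every-minute schedule is the beaconing pattern worth correlating with outbound traffic, as suggested later in the thread.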

  2. #2 (joined Jul 2002; location: Vladivostok, Russia; 9,053 posts)
    The system is seriously out of date, which makes it inherently insecure. What kernel are you running? I would not only wonder about the function of this but also about how the intruder was able to insert itself, which is more relevant at this time.
    "I was pulled over for speeding today. The officer said, "Don't you know the speed limit is 55 miles an hour?" And I said, "Yes, but I wasn't going to be out that long."

    How To Ask Questions The Smart Way
    COME VISIT ME IN RUSSIA NOW!!

  3. #3 (joined Jun 2003; location: People's Republic of North America (Former United States); 849 posts)
    JohnT,

    Yes, I know it is very out of date. I warned people here about this. Believe me, I knew this was a bad thing. However, I seem to be the voice crying in the wilderness. As for your question, the cringe-inducing answer is as follows:

    uname -a

    2.6.9-89.0.3.ELsmp #1 SMP Sat Jun 13 07:05:54 EDT 2009 i686 i686 i386 GNU/Linux

  4. #4 (joined Jul 2009; 30 posts)

    Old MacDonald Had A Kernel...And Oh How Old It Was...hahaha!

    someone has failed their job description....

    sad...but common enough...

    all chains fail via their weakest links...

    in the end, either the weak links are eradicated...

    or the business fails and everyone loses...

    Either way, it's all copacetic...


  5. #5 (joined Jul 2002; location: New Orleans, LA USA; 986 posts)
    If they have a valid reason (or even a silly reason from someone with more authority than you) to not upgrade the system, you can still upgrade just the kernel. Should the update break anything, it is one reboot away from using the older one, and you can step down until you find the highest version number that will work (though I don't really see what code they would have that would break with a kernel update).

    Reverse engineering a binary is no easy task and usually not worth the effort (unless making drivers for Linux of course!). I'd say the bigger problem is how the intruder got past your firewall to get to this out-of-date machine.

    You could set up a test server, put bogus info in your databases so as not to leak any more info than you have already, and set up a packet sniffer. Remove the infectious code from your production server. Let it run, and analyze the traffic while triggering the condition you mentioned. You should have smaller logs since it is not being accessed by the company, and you won't be leaking any info. You should then be able to at least see what it was sending out and to where. I'd put money on it going to China. Well over 80% of the banned IPs on my firewall resolve to a China-based ISP.
    "Whenever you find yourself on the side of the majority, it's time to pause and reflect."

    -Mark Twain

  6. #6 (joined Jun 2003; location: People's Republic of North America (Former United States); 849 posts)
    "If they have a valid reason (or even a silly reason from someone with more authority than you) to not upgrade the system, you can still upgrade just the kernel."
    Oh, I know. I'm trying to force best practices on them. Slowly but surely, I'm getting there. The problem is, the guy I replaced was Windows only and the Linux servers got neglected. I'm a hybrid, I can do either Linux or Windows. However, I wear Tux shirts to work, so you know where my loyalties lie. :-)