Help?!?
davidb 06-24-2001, 04:29 PM Ok, I would not have thought of this 2 weeks ago, but since I have been reading these forums, I'm not ruling it out. My server is on an IP but that is it, not yet made public; over the last day I noticed something out of place. I saw this in inetd.conf
96534 stream tcp nowait root /bin/sh sh -i
I DO not remember adding that. I recently installed snort and trip wire, but I don't think those put it there.
sh is a link to bash. I noticed it running yesterday; also running was pscan, I never remember running that, it's located in /usr/src/redhat/SPECS/abind/pscan
Any ideas on any of this? I checked the last log, I have tried some other things and just can't find anything.
Tim Greer 06-24-2001, 05:18 PM Originally posted by davidb
Ok, I would not have thought of this 2 weeks ago, but since I have been reading these forums, I'm not ruling it out. My server is on an IP but that is it, not yet made public; over the last day I noticed something out of place. I saw this in inetd.conf
96534 stream tcp nowait root /bin/sh sh -i
I DO not remember adding that. I recently installed snort and trip wire, but I don't think those put it there.
sh is a link to bash. I noticed it running yesterday; also running was pscan, I never remember running that, it's located in /usr/src/redhat/SPECS/abind/pscan
Any ideas on any of this? I checked the last log, I have tried some other things and just can't find anything.
That definitely looks like a root kit. It could have been compromised any number of ways. Could have been something like the 1i0n worm, a BIND exploit, any type of root kit. It could have installed any number of things, including backdoors, etc. My suggestion to you, is to have someone go through, check what services you're running, disable the ones that aren't needed, obviously remove anything this root kit (or whatever) has installed (or could have installed) and is running and change your passwords ASAP. Also, make backups of the logs, history, etc., in case anything was left there (don't count on that being likely, but it's not all that uncommon either), replace all the programs that could have been altered (like top, su, ps, etc.), any common scripts, whatever.
Did you install Tripwire to preserve a snapshot of your system? Check your files, like /etc/passwd for anything unusual. Check all the cron jobs, etc. Check your system and other files for any users that shouldn't be there. Create backups of anything such as that, to show what was done, in case there are logs to show who did it. Back up all your data, if you are able, onto a clean media. If this was indeed a compromise, the best thing you can do, is reinstall. If that's not possible, that's too bad, but you should do everything you can to check out and make sure all the services running, all the programs that can be run and all the ownerships, permissions and whatnot, are all in order on any file that matters.
There's certainly more to this and to do, but that's a general idea. I don't think I could possibly put everything in detail of what to do and it's difficult to guess what happened and to what extent with the information you gave, of course. However, it does indeed look like someone rooted your server and it needs to be checked into and something done about it ASAP.
cbaker17 06-24-2001, 05:25 PM It says he did install tripwire, but it sounds as if he installed it after the fact, not before it was compromised, if it actually was.
Tim Greer 06-24-2001, 05:51 PM Originally posted by cbaker17
It says he did install tripwire, but it sounds as if he installed it after the fact, not before it was compromised, if it actually was.
That's what I was thinking too, which was worth mentioning (I don't know why I neglected to), thanks.
davidb 06-24-2001, 06:02 PM I don't know, I don't have many services running. It just does not look like anything has been compromised, with the exception of inetd.conf. First I thought sh was just created in that directory, but I checked another RH system and that had it too. I did have tripwire installed before this happened, but this morning I changed some things around and ran tripwire --init to get the new settings. Also, if this was in inetd.conf, it needed something in services to point to it, right? Does anyone have a checksum for bash on RH 6.1 or know where I can get one? When I run last, I get all the logins, all from myself. I really looked around; if this was such a good job of hiding all logs, why would someone leave that line that stands out in inetd.conf? I don't know, I'll prob look around some more then end up reinstalling everything, another 20 hours heh.
Tim Greer 06-24-2001, 06:18 PM Originally posted by davidb
I don't know, I don't have many services running. It just does not look like anything has been compromised, with the exception of inetd.conf. First I thought sh was just created in that directory, but I checked another RH system and that had it too. I did have tripwire installed before this happened, but this morning I changed some things around and ran tripwire --init to get the new settings. Also, if this was in inetd.conf, it needed something in services to point to it, right? Does anyone have a checksum for bash on RH 6.1 or know where I can get one? When I run last, I get all the logins, all from myself. I really looked around; if this was such a good job of hiding all logs, why would someone leave that line that stands out in inetd.conf? I don't know, I'll prob look around some more then end up reinstalling everything, another 20 hours heh.
You might not need many services running, just one dangerous one, as I'm sure you're aware. All it takes, is for one file to have something out of the ordinary to indicate that the system was indeed compromised. Of course, that can be anything else too, if it was a legit service. I just don't recognize it as one at all. The sh is just a shell, and it looked to me, that that service was installed to run as root, having an open shell for remote commands to be sent to that server and execute bash shell commands as root. That, to me, appears to be a definite compromise. Also, I'm curious of how you know tripwire was installed before this happened? Was it the program that actually notified you that the file was changed? I assume so?
Finally, you might not see anything in any logs as per logins or history, as this could have been a remote exploit. Do you run DNS on this system? Do you have BIND on it, and run named? As for leaving things that stand out, yet not leaving any logs. How many people really check the inetd.conf file that often, let alone any others? If people checked files and noticed things a lot, few of the root kits, exploits and backdoors would be successful. Not being noticed, is the reason to install services to run that no one else will likely notice are there. You need to check for a few things on top of this, such as seeing if your server is running in promiscuous mode or has any logging or sniffing tools installed. Again, they might not have logs, because they might have used an exploit, which is likely unless it was a local exploit by a user on the system (if you have any), or they could have used a tool that cleans up their log trail.
There are tools that simply go in and basically strip out their logs and leave all the others -- so it doesn't look like anyone logged in or did anything or were ever there. If you noticed logs missing (which some crackers often do just remove), then it would be obvious that someone broke in. This is why there are tools crackers can use to remove any evidence they were there in the history, logs, etc. That's to say, if a large chunk of logs was missing, you'd know to look for things -- of course, most people that run servers also don't really check their logs much either, so different crackers do different things.
Further, they do and have to leave something if they want further access, even if it's a worm, so even though logs and such might not be there or appear to have any logins or exploits done, they still can have something running, such as that -- be it a worm or a different type of program or service that was installed. Actually, I shouldn't say "services running", since this 'service' would only be active if it was called, since it's inetd and not just running and waiting. It waits for a connection before it runs.
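An added example (not code from anyone in this thread) of the inetd.conf audit the replies above describe: it resolves each entry's service name the way inetd and port scanners do, via /etc/services, and flags entries whose name resolves to nothing, whose server program is an interactive shell, or which run as root. The inetd.conf and /etc/services text is constructed; its last line is the entry davidb quoted.

```python
# Added example (not code from the thread): audit inetd.conf entries.
# SAMPLE_SERVICES and SAMPLE_INETD are constructed sample file contents.
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}
SAMPLE_SERVICES = """\
ftp      21/tcp
telnet   23/tcp
"""
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
96534 stream tcp nowait root /bin/sh sh -i
"""

def parse_services(text):
    """Map (name, proto) -> port, the lookup inetd (and port scanners) use."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:      # aliases follow the port
            table[(name, proto)] = int(port)
    return table

def audit_inetd(conf_text, services):
    """Return [(entry, reasons)] for entries that deserve a second look."""
    findings = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 6)
        if len(fields) < 6:                         # comment, blank or malformed
            continue
        name, proto, user, server = fields[0], fields[2], fields[4], fields[5]
        args = fields[6].split() if len(fields) > 6 else []
        reasons = []
        if (name, proto) not in services and not (
                name.isdigit() and 0 < int(name) < 65536):
            reasons.append("service name not in /etc/services and not a valid port")
        if server.rsplit("/", 1)[-1] in SHELLS or "-i" in args:
            reasons.append("server program is an interactive shell")
        if reasons and user in ("root", "0"):
            reasons.append("and it runs as root")
        if reasons:
            findings.append((" ".join(fields), reasons))
    return findings

def run_sample():
    return audit_inetd(SAMPLE_INETD, parse_services(SAMPLE_SERVICES))
```

The two tcpd-wrapped entries pass; only the quoted line is reported, with all three reasons.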
davidb 06-24-2001, 07:11 PM I am pretty sure tripwire was installed before; this install is a week old, I've been doing security on it for the last week (what good that did, heh), and I've been checking on inetd.conf a lot, along with other files, so I am pretty sure this is recent. Also what concerns me, if bash, which seems to be what the kit was installed to, was modified, wouldn't the date on it reflect this, because the date is not recent. Also, would doing a sum on bash and on another RH 6.1 system bring up the same value if it was not modified? What also is confusing me is why they did not go after the other server; this one has really nothing on it, if they were scanning this block of IPs, I really think they would have gone after the other one because it has no security and much more running. I am running bind, bind 9. I do not disagree that it was an exploit, I just wish I could find out what, because when I reinstall, I'm going to do just what I have done for the last week, and there will still be the exploit.
cbaker17 06-24-2001, 07:13 PM Am I missing something?? If you installed tripwire before this happened, why not just run it and see what's changed???
qslack 06-24-2001, 07:23 PM Originally posted by davidb
I am pretty sure tripwire was installed before; this install is a week old, I've been doing security on it for the last week (what good that did, heh), and I've been checking on inetd.conf a lot, along with other files, so I am pretty sure this is recent. Also what concerns me, if bash, which seems to be what the kit was installed to, was modified, wouldn't the date on it reflect this, because the date is not recent. Also, would doing a sum on bash and on another RH 6.1 system bring up the same value if it was not modified? What also is confusing me is why they did not go after the other server; this one has really nothing on it, if they were scanning this block of IPs, I really think they would have gone after the other one because it has no security and much more running. I am running bind, bind 9. I do not disagree that it was an exploit, I just wish I could find out what, because when I reinstall, I'm going to do just what I have done for the last week, and there will still be the exploit.
The attackers might have modified your tripwire scan contents so everything will look OK. You can change dates on files with touch. Also, the attackers might have changed the sum executable to make everything look normal.
They might have compromised the other server, you never know.
This probably isn't anything out of the ordinary, but as soon as you suspect something is wrong, it's good to do a clean reinstall. If you're using plain RH, there are several good security scripts, if you want to save some time (they wouldn't do everything, of course).
Tell us how this turns out...
davidb 06-24-2001, 07:24 PM Ya, I changed some things today, and I ran tripwire --init
so, unless I'm wrong (little experience with tripwire) it updated its database, and so whatever changes were made were made normal. Also, I'm doing a portscan on my system, and I see a few things I do not like:
I got
kyrpyolan on 396
ljklogin on 472
npmp-gui on 611
and finally
CADLOCK or Der Spacher Trojan on 1000
Some other things, Once I saw the last one I stopped posting others.
cbaker17 06-24-2001, 07:29 PM Umm, you need to view the database once it's created to see the changes.
davidb 06-24-2001, 07:32 PM ug, sometimes I can be a real idiot. After updating the database, I ran tripwire --check; is that what you mean?
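An added example, not Tripwire's code, of what the --init / --check confusion above does to the evidence: a content-hash baseline of a directory is taken, the inetd.conf entry and a stray binary are introduced, and a check against the original baseline reports them, while a check against a baseline re-taken after the tampering reports nothing. It uses a temporary directory of constructed files and assumes POSIX path separators.

```python
# Added example (not Tripwire's code): a minimal content-hash baseline check.
import hashlib
import os
import tempfile

def snapshot(root):
    """Return {relative path: (size, sha256)} for every regular file under root."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = (os.path.getsize(path), digest)
    return db

def check(baseline, current):
    """Compare two snapshots; report added, removed and modified files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Reproduce the thread's sequence: init, tamper, init again, then check."""
    root = tempfile.mkdtemp()                      # constructed stand-in for /
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    conf = os.path.join(etc, "inetd.conf")
    with open(conf, "w") as fh:
        fh.write("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n")
    baseline = snapshot(root)                       # the original --init
    with open(conf, "a") as fh:                     # the tampering
        fh.write("96534 stream tcp nowait root /bin/sh sh -i\n")
    with open(os.path.join(root, "pscan"), "wb") as fh:
        fh.write(b"\x7fELF constructed placeholder\n")
    after_tamper = check(baseline, snapshot(root))  # what --check would have shown
    reinit = snapshot(root)                         # --init run after the fact
    after_reinit = check(reinit, snapshot(root))    # --check now reports nothing
    return after_tamper, after_reinit
```

Because the comparison is by content hash rather than timestamp, touching a file's date (the trick qslack mentions) does not hide a modification from the first check; re-taking the baseline does.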
qslack 06-24-2001, 07:47 PM Originally posted by davidb
I got
kyrpyolan on 396
ljklogin on 472
npmp-gui on 611
and finally
CADLOCK or Der Spacher Trojan on 1000
Are those the names from /etc/service or the names of the programs listening on the ports? You can never be sure if an HTTP server is actually on port 80, for example--it could be an SMTP server. Unless you can verify that the names listed next to the port numbers in /etc/service match the actual program names running on those ports, you can't be sure. One time I was running an HTTP server on 31337 (don't ask) and I forgot about it. A few days later, while doing a routine nmap, I saw it and completely freaked out--I had forgotten.
At this point it would probably be best to cut off Internet access to your computer so it can't be taken over further or used as a jumping point for anyone to attack other systems (you could get sued for negligence). If you can somehow connect to its serial port and work from there to assess the damage (or even to see if this really is a trojan), that would be best. Then do a clean reinstall but save the logs so you can pursue this attacker if you wish (or maybe there's a better way to save the logs).
davidb 06-24-2001, 07:55 PM Well, I think I've just gone insane. The same ports did not come up; actually, not only did they not come up, but new ones did. The same thing happened a third time around. I am losing my mind. Any advice, i.e. what am I doing wrong?
Also I checked services, most of those did not have a thing in services pointing to them.
Anyone know someone, who they trust, willing to look at systems and give their opinion for free?