Web Hosting Talk

rootkit woes


wKkaY
08-10-2004, 12:25 AM
i just found that my home router (hey, it's not set up by me, i swear ;)) has been infected with zk. while i still can, i'm playing around to see what the symptoms of it are

the hacker left psybnc and 'mesh' running. what can 'mesh' be?

here's strace cat -h on a clean system:
hostname:~# strace cat -h
execve("/bin/cat", ["cat", "-h"], [/* 20 vars */]) = 0
uname({sys="Linux", node="hostname", ...}) = 0
brk(0) = 0x804b048
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=19456, ...}) = 0
old_mmap(NULL, 19456, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40014000
close(3) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\30\222"..., 1024) = 1024
fstat64(3, {st_mode=S_IFREG|0755, st_size=1153784, ...}) = 0
old_mmap(NULL, 1166560, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x40019000
mprotect(0x4012c000, 40160, PROT_NONE) = 0
old_mmap(0x4012c000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x113000) = 0x4012c000
old_mmap(0x40132000, 15584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40132000
close(3) = 0
munmap(0x40014000, 19456) = 0
brk(0) = 0x804b048
brk(0x804b070) = 0x804b070
brk(0x804c000) = 0x804c000
write(2, "cat: invalid option -- h\n", 25cat: invalid option -- h
) = 25
write(2, "Try `cat --help\' for more inform"..., 39Try `cat --help' for more information.
) = 39
_exit(1) = ?

and here's strace cat -h on the infected system:
execve("/bin/cat", ["cat", "-h"], [/* 20 vars */]) = 0
uname({sys="Linux", node="debian", ...}) = 0
brk(0) = 0x804cd6c
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=17947, ...}) = 0
old_mmap(NULL, 17947, PROT_READ, MAP_PRIVATE, 5, 0) = 0x40018000
close(5) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 5
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200^\1"..., 512) = 512
fstat64(5, {st_mode=S_IFREG|0644, st_size=1244004, ...}) = 0
old_mmap(NULL, 1254244, PROT_READ|PROT_EXEC, MAP_PRIVATE, 5, 0) = 0x4001d000
old_mmap(0x40145000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 5, 0x127000) = 0x40145000
old_mmap(0x4014d000, 9060, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4014d000
close(5) = 0
munmap(0x40018000, 17947) = 0
open("/proc/uptime", O_RDONLY) = 5
read(5, "7006730.55 6837114.24\n", 128) = 22
close(5) = 0
getpid() = 8076
getpid() = 8076
open("/proc/8076/exe", O_RDONLY) = 5
read(5, "\177ELF\1\1\1\0\0\0\2\0xP\0\0\2\0\3\0\1\0\0\0-\272\4\010"..., 52) = 52
lseek(5, 20600, SEEK_SET) = 20600
fstat(5, {st_mode=S_IFREG|0755, st_size=25263, ...}) = 0
brk(0) = 0x804cd6c
brk(0x804dfa3) = 0x804dfa3
read(5, "\351\337\21\0\0\215v\0U\211\345\213D$\10\315\200\311\303"..., 4663) = 4663
close(5) = 0
signal(SIGCHLD, SIG_IGN) = 0x1 (SIG_IGN)
getpid() = 8076
pipe([5, 6]) = 0
fork() = 8077
--- SIGCHLD (Child exited) ---
read(5, "\376", 1) = 1
brk(0) = 0x804dfa3
brk(0x806efa3) = 0x806efa3
brk(0) = 0x806efa3
brk(0x806f000) = 0x806f000
write(2, "cat: invalid option -- h\n", 25cat: invalid option -- h
) = 25
write(2, "Try `cat --help\' for more inform"..., 39Try `cat --help' for more information.
) = 39
semget(1, 0, 0) = -1 ENOSYS (Function not implemented)
_exit(1) = ?

notice that SIGCHLD there? i wonder whereabouts that came from. did execve() get overwritten or something? hmm.
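An added example (mine, not the poster's) that turns the side-by-side comparison above into a check: it parses strace output, lists the syscalls the infected run makes that the clean baseline never does, and flags the behaviour a plain cat has no reason to show (opening /proc/uptime and its own /proc/<pid>/exe, installing a SIGCHLD disposition, pipe + fork). The sample traces are excerpted from the two runs quoted above; the set of "spawn" calls and the /proc paths are my own heuristics, not anything from the thread.

```python
import re

# Constructed samples: lines excerpted from the two strace runs quoted in the
# post above (clean host first, infected Debian router second).
CLEAN_TRACE = r"""
execve("/bin/cat", ["cat", "-h"], [/* 20 vars */]) = 0
open("/lib/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\30\222"..., 1024) = 1024
write(2, "cat: invalid option -- h\n", 25) = 25
_exit(1) = ?
"""

INFECTED_TRACE = r"""
execve("/bin/cat", ["cat", "-h"], [/* 20 vars */]) = 0
open("/proc/uptime", O_RDONLY) = 5
getpid() = 8076
open("/proc/8076/exe", O_RDONLY) = 5
lseek(5, 20600, SEEK_SET) = 20600
read(5, "\351\337\21\0\0\215v\0U\211\345\213D$\10\315\200\311\303"..., 4663) = 4663
signal(SIGCHLD, SIG_IGN) = 0x1 (SIG_IGN)
pipe([5, 6]) = 0
fork() = 8077
--- SIGCHLD (Child exited) ---
read(5, "\376", 1) = 1
write(2, "cat: invalid option -- h\n", 25) = 25
semget(1, 0, 0) = -1 ENOSYS (Function not implemented)
_exit(1) = ?
"""

SYSCALL_RE = re.compile(r'^(\w+)\((.*)\)\s*=\s*(.*)$')
# Heuristic (mine): calls a non-forking utility such as cat never needs.
SPAWN_CALLS = {'fork', 'vfork', 'clone', 'pipe', 'signal', 'sigaction', 'SIGNAL'}
SELF_READ_RE = re.compile(r'"/proc/(\d+|self)/exe"|"/proc/uptime"')

def parse(trace):
    """Yield (name, args, result); '--- SIGxxx ... ---' lines become ('SIGNAL', SIGxxx, '')."""
    for line in filter(None, map(str.strip, trace.splitlines())):
        if line.startswith('---'):
            yield 'SIGNAL', line.strip('- ').split()[0], ''
        elif (m := SYSCALL_RE.match(line)):
            yield m.groups()

def new_syscalls(clean, infected):
    """Syscall names present in the infected trace but absent from the clean baseline."""
    return {n for n, _, _ in parse(infected)} - {n for n, _, _ in parse(clean)}

def flag(trace):
    """Lines showing process spawning, signal handling or the binary reading its own image."""
    return [f'{n}({a}) = {r}' for n, a, r in parse(trace)
            if n in SPAWN_CALLS or (n == 'open' and SELF_READ_RE.search(a))]
```

Feed it two full strace -f runs of the same command from a trusted and a suspect host; an empty diff from new_syscalls() and an empty flag() list on a tool like cat or ls is what you want to see.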

Steven
08-10-2004, 12:33 AM
mesh sounds like a rename of emech, which is a bot like eggdrop.

wKkaY
08-10-2004, 12:43 AM
yeah it could be.

i was a little frantic when i found them, so i destroyed some evidence while containing the damage (till i can reinstall the system). i could've sniffed the IRC traffic and searched for the executables.

strange thing is, this probably happened 81 days ago, when the server was rebooted abruptly (i thought the head admin rebooted it). i guess AIDE and a tight firewall could've detected this happening, if they were set up.

Steven
08-10-2004, 01:14 AM
what kernel did you have running on it?

wKkaY
08-10-2004, 01:26 AM
Linux version 2.4.24 (root@debian) (gcc version 3.3.3 20040125 (prerelease) (Debian)) #7 Wed Feb 11 17:58:32 EST 2004

built quite a long time ago. i must note that no one but the admins and i have local access to the linux router though. i reckon it's an insecure service or leaked password that led to the break-in.

2uantuM
08-10-2004, 01:39 AM
or an insecure, out of date, kernel.

Steven
08-10-2004, 01:48 AM
Originally posted by 2uantuM
or an insecure, out of date, kernel.

Most kernel exploits are not remote, they would need local access first as he stated an insecure service / leaked password.

2uantuM
08-10-2004, 01:58 AM
regardless, it is possible that the exploit would not have worked if kernel was properly updated.

Steven
08-10-2004, 02:02 AM
i reckon it's an insecure service or leaked password that lead to the break-in.



You need a way into the server first. If the services were up2date and the password was not leaked would there have been the chance to exploit the kernel? No.

wKkaY
08-10-2004, 04:39 AM
unfortunately, the admins chose to install debian sarge, which made it a little difficult to apt-get upgrade, since i didn't want to break the system.

this is an installation with horrible practices. just a quick example, this 'Shoebox BBS' was found running as root.

inetd.conf
bbs stream tcp nowait root /usr/sbin/tcpd /home/oneoftheadmins/bbs/bbs user

admittedly, this admin has a pretty dodgy .bash_history, with some IRC and vulnerability scans in it.
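An added example (mine, not the poster's) of the audit that would have caught the inetd.conf line above: it parses inetd.conf entries, unwraps the tcpd wrapper so the real server program is examined rather than /usr/sbin/tcpd, and reports services that run as root from a program outside the system directories. The sample config is constructed around the bbs line quoted above; the list of trusted directories is my assumption.

```python
# Constructed inetd.conf sample: the bbs entry quoted in the post above plus
# two ordinary entries for contrast.
INETD_CONF = """
# service  socket  proto  wait    user    server           args
ftp      stream  tcp    nowait  root    /usr/sbin/tcpd   /usr/sbin/in.ftpd
ident    stream  tcp    nowait  nobody  /usr/sbin/identd identd
bbs      stream  tcp    nowait  root    /usr/sbin/tcpd   /home/oneoftheadmins/bbs/bbs user
"""

# Assumption: programs under these prefixes are package-managed and trusted.
SYSTEM_DIRS = ('/usr/sbin/', '/usr/bin/', '/sbin/', '/bin/', '/usr/lib/')

def parse_inetd(text):
    """Yield one dict per active entry; comments, blanks and short lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        service, _socktype, _proto, _wait, user, server = fields[:6]
        args = fields[6:]
        # inetd allows user.group or user:group; keep only the user part.
        user = user.replace(':', '.').split('.')[0]
        # When tcpd wraps the service, the real program is the first argument.
        program = args[0] if server.endswith('/tcpd') and args else server
        yield {'service': service, 'user': user, 'program': program}

def risky_entries(text):
    """Entries that run as root from a program outside the trusted system directories."""
    return [e for e in parse_inetd(text)
            if e['user'] == 'root' and not e['program'].startswith(SYSTEM_DIRS)]
```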