Start with these tools:
A - search for rootkits
chkrootkit:
Checking `ifconfig'... INFECTED
Checking `pstree'... INFECTED
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
Checking `sniffer'... eth0: PF_PACKET(/usr/sbin/iptotal)
rkhunter:
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
binaries or updated packages (which give other hashes). Be sure your hashes are
fully updated (rkhunter --update). If you're in doubt about these hashes, contact
the author (fill in the contact form).
--------------------------------------------------------------------------------
Rootkit 'SHV4'... [ Warning! ]
--------------------------------------------------------------------------------
Found parts of this rootkit/trojan by checking the default files and directories
Please inspect the available files, by running this check with the parameter
--createlogfile and check the log file (current file: /var/log/rkhunter.log).
--------------------------------------------------------------------------------
* Application version scan
- GnuPG 1.2.4 [ Vulnerable ]
- OpenSSL 0.9.7a [ Vulnerable ]
- PHP 4.3.9-1 [ Unknown ]
- PHP 4.3.9-1 [ Unknown ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.8.1p1 [ OK ]
B - more detailed investigation
#> lsof -i
3 12481 root 3u IPv4 139597 TCP *:2345 (LISTEN)
# telnet localhost 2345
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.5-2.0.13
#> cat /proc/13066/cmdline
ttyload
# which ttyload
/sbin/ttyload
# ls -l /sbin/ttyload
-rwxr-xr-x 1 122 114 212747 Jul 16 13:37 /sbin/ttyload
# kill 12481
# rm /sbin/ttyload
rm: remove write-protected regular file `/sbin/ttyload'? y
rm: cannot remove `/sbin/ttyload': Operation not permitted
# last
bd pts/0 pd950ea5a.dip.t- Tue Nov 30 19:05 still logged in
reboot system boot 2.4.21-pre5-1um Tue Nov 30 19:04 (00:38)
bd pts/5 pd950ea5a.dip.t- Tue Nov 30 17:52 - down (00:46)
bd pts/0 pd950ea5a.dip.t- Tue Nov 30 17:51 - down (00:47)
bd pts/4 pd950ea5a.dip.t- Tue Nov 30 16:52 - down (01:46)
natraj pts/2 pd9eb7a77.dip0.t Tue Nov 30 14:38 - 18:00 (03:21)
bd pts/1 pd950ea5a.dip.t- Tue Nov 30 14:38 - down (04:00)
bd pts/0 pd950ea5a.dip.t- Tue Nov 30 14:32 - 17:49 (03:17)
reboot system boot 2.4.21-pre5-1um Tue Nov 30 14:31 (04:07)
reboot system boot 2.4.21-pre5-1um Tue Nov 30 14:24 (04:14)
joko pts/2 pd950ea5a.dip.t- Tue Nov 30 14:02 - crash (00:21)
natraj pts/0 pd9eb7a77.dip0.t Tue Nov 30 11:28 - crash (02:56)
natraj pts/0 pd9eb6304.dip0.t Mon Nov 29 14:51 - 17:57 (03:06)
bd pts/1 p54802510.dip.t- Mon Nov 29 09:59 - 13:49 (03:50)
bd pts/0 p54802510.dip.t- Mon Nov 29 08:16 - 10:25 (02:09)
reboot system boot 2.4.21-pre5-1um Mon Nov 29 08:10 (1+10:28)
wtmp begins Sun Nov 28 06:37:56 2004
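The listener hunt in B (lsof -i, telnet to the port, /proc/PID/cmdline) can be done without lsof, netstat or ps, which matters here because all three turn up later in C among the binaries owned by the rootkit's uid. The script below is an added example, not part of the original notes: it reads /proc/net/tcp and /proc/net/tcp6 directly, converts the hex port (0929 is the page's 2345), maps the socket inode to its process through /proc/PID/fd, and reports /proc/PID/exe rather than cmdline, because argv[0] is whatever the binary chooses to show (ttyload here) while the exe link is kernel-maintained and still resolves after the file is deleted. The function names are mine. Caveat: /proc is served by the kernel, and chkrootkit in A reported a hidden process and a possible LKM trojan, so on this box the output is a cross-check only; the authoritative view comes from the clean host (a port scan from outside, or the mounted rootfs).

```shell
#!/bin/sh
# Added example (not from the original notes): enumerate listening TCP
# sockets and their processes from /proc alone, without netstat/lsof/ps.
# Run as root on the suspect host; an ordinary user can only read the fd
# tables of their own processes, so other pids come back empty.

# Convert the hex port column of /proc/net/tcp to decimal: 0929 -> 2345.
hex_port() {
    printf '%d\n' "$((0x$1))"
}

# One line per LISTEN socket (state 0A): "port uid inode".
listening_sockets() {
    for t in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$t" ] || continue
        awk 'NR > 1 && $4 == "0A" { n = split($2, a, ":"); print a[n], $8, $10 }' "$t"
    done | while read -r hexport uid inode; do
        echo "$(hex_port "$hexport") $uid $inode"
    done
}

# Map a socket inode to "pid=... exe=..." by scanning every /proc/PID/fd.
# /proc/PID/exe cannot be changed by the process itself and keeps pointing
# at the binary (with a " (deleted)" suffix) after the file is removed;
# cmdline only shows the argv[0] the program chose, e.g. "ttyload".
pids_for_inode() {
    inode=$1
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf 'pid=%s exe=%s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done | sort -u
}

# Report every listener together with the processes holding it.
list_listeners() {
    listening_sockets | while read -r port uid inode; do
        echo "tcp/$port uid=$uid inode=$inode"
        pids_for_inode "$inode" | sed 's/^/    /'
    done
}

list_listeners
```

On the page's box the interesting line would be tcp/2345 with an exe that is not a packaged sshd; compare the exe path with the owner shown by ls -l, as in B, before killing the process.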
C - more trails
ls -l in B printed the owner of /sbin/ttyload as numeric 122 114, a uid and gid with no passwd/group entry, so search for everything with that owner and that group. Note that /sbin/ttyload and /sbin/ttymon show up only in the search run from the host xukay over the mounted rootfs: find on the guest is itself among the replaced binaries.
# nano /root/.bash_history
export TERM=vt100
vi /etc/passwd
passswd bin
passwd bin
# find / -uid 122
/usr/bin/md5sum
/usr/bin/find
/usr/bin/top
/usr/bin/pstree
/usr/sbin/lsof
/bin/ls
/bin/ps
/bin/netstat
find: /proc/25248/fd/4: No such file or directory
/sbin/ifconfig
# cat /proc/25248/cmdline
xukay:/home/uml/quepasa/rootfs/mnt# find . -uid 122
./usr/bin/md5sum
./usr/bin/find
./usr/bin/top
./usr/bin/pstree
./usr/lib/libsh/.bashrc
./usr/lib/libsh/.sniff/shsniff
./usr/lib/libsh/.sniff/shp
./usr/lib/libsh/shsb
./usr/lib/libsh/hide
./usr/sbin/lsof
./bin/ls
./bin/ps
./bin/netstat
./lib/libsh.so/shhk
./lib/libsh.so/shhk.pub
./lib/libsh.so/shrs
./sbin/ifconfig
./sbin/ttyload
./sbin/ttymon
# find / -gid 114
/usr/bin/du
/usr/bin/oldps
/usr/bin/whereis
/usr/include/flio.h
/usr/lib/libsh/.bashrc
/usr/lib/libsh/.sniff/shsniff
/usr/lib/libsh/.sniff/shp
/usr/lib/libsh/shsb
/usr/lib/libsh/hide
/lib/libsh.so/shdcf
/lib/libsh.so/shhk
/lib/libsh.so/shhk.pub
/lib/libsh.so/shrs
find: /proc/1014/fd/4: No such file or directory
D - remove it!
rm in B failed with "Operation not permitted" although it ran as root: the rootkit set the immutable (i) and append-only (a) attributes on its files, so chattr -sia first. This removes the files found so far and nothing more: chkrootkit in A reported a hidden process and a possible LKM trojan, so the running kernel is not trustworthy, and the result has to be verified from the clean host or the system rebuilt from known-good media.
# chattr -sia /usr/lib/libsh
# rm -r /usr/lib/libsh/
# chattr -sia /lib/libsh.so
# rm -r /lib/libsh.so
[...]
E - refresh system
find (look the owning package up at http://packages.debian.org/):
# apt-get install findutils
ls:
# apt-get install fileutils coreutils
apt-get install does nothing for a package that is already installed at the current version, so the .deb is taken from the apt cache and reinstalled with dpkg -i (apt-get install --reinstall does the same):
# cd /var/cache/apt/archives/
root@quepasa:/var/cache/apt/archives# dpkg -i coreutils_5.2.1-2_i386.deb
ps:
# apt-get install procps
lsof:
# apt-get install lsof
md5sum:
# apt-get install dpkg
pstree:
# apt-get install psmisc
ifconfig/netstat:
# apt-get install net-tools
# apt-get install netkit-inetd
# apt-get install textutils
# apt-get install shellutils
# apt-get install qpopper
# apt-get install vsftpd
# apt-get install rsync
# apt-get install uw-imapd-ssl
# apt-get install libssl0.9.7
# apt-get install ssh
# apt-get install cron
# apt-get install inn
# apt-get install util-linux
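The manual work in C (find everything owned by the rootkit's uid/gid) and in E (work out which package each replaced binary belongs to and reinstall it) can be done in one pass from the clean host against the mounted UML rootfs, as the page does with xukay:/home/uml/quepasa/rootfs/mnt. The script below is an added example, not part of the original notes; the function names, the constructed sample tree (a fake bin/ls, bin/ps, etc/passwd, etc/group and two .md5sums records) and the use of dpkg's recorded md5sums are my assumptions. It reports files whose owner or group has no entry in the image's own etc/passwd and etc/group (the 122/114 case; find -nouser would consult the host's passwd, the wrong database for a mounted image), files whose md5 no longer matches what dpkg recorded, together with the owning package so it can be reinstalled, and the SHV4 paths listed in C. Only the host's find, awk and md5sum touch the image, since the image's own copies are exactly the replaced files.

```shell
#!/bin/sh
# Added example (not from the original notes): offline triage of a mounted
# root filesystem, e.g. /home/uml/quepasa/rootfs/mnt on the clean host xukay.

# Files whose numeric owner or group has no entry in the image's own
# etc/passwd / etc/group (the "122 114" that ls -l printed for ttyload).
# Output: "uid gid path", path relative to the image root.
find_unmapped_owners() {
    root=$1
    find "$root" -xdev -printf '%U %G %P\n' |
        awk -v pw="$root/etc/passwd" -v gr="$root/etc/group" '
            BEGIN {
                while ((getline l < pw) > 0) { split(l, f, ":"); uid[f[3]] = 1 }
                while ((getline l < gr) > 0) { split(l, f, ":"); gid[f[3]] = 1 }
            }
            $3 != "" && (!($1 in uid) || !($2 in gid)) { print }'
}

# Compare each file listed in the image's dpkg records
# (var/lib/dpkg/info/<package>.md5sums) with its current content.
# Output: "package path" for every mismatch or missing file, i.e. the list
# of what to reinstall (apt-get install --reinstall <package>). Not every
# package ships md5sums and conffiles are not listed, so a clean result
# is a floor, not a proof.
check_md5sums() {
    root=$1
    for list in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        ( cd "$root" && md5sum -c --quiet "$list" 2>/dev/null ) |
            sed -n "s/^\(.*\): FAILED.*/$pkg \1/p"
    done
}

# Paths the SHV4 rootkit left on this system (section C), relative to root.
check_known_paths() {
    root=$1
    for p in usr/lib/libsh lib/libsh.so sbin/ttyload sbin/ttymon usr/bin/oldps \
             usr/include/file.h usr/include/proc.h usr/include/flio.h; do
        [ -e "$root/$p" ] && echo "$p"
    done
    return 0
}

# Constructed sample image (not data from the incident): two "packaged"
# binaries, of which ps is replaced after dpkg recorded its hash, a libsh
# directory, and passwd/group files that do not know the uid/gid owning
# the files (our own uid/gid stands in for the rootkit's 122/114).
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc" "$root/var/lib/dpkg/info" "$root/usr/lib/libsh"
    other_uid=$(( $(id -u) + 1 ))
    other_gid=$(( $(id -g) + 1 ))
    echo "nobody:x:$other_uid:$other_gid:nobody:/nonexistent:/bin/sh" > "$root/etc/passwd"
    echo "nogroup:x:$other_gid:" > "$root/etc/group"
    echo 'original ls' > "$root/bin/ls"
    echo 'original ps' > "$root/bin/ps"
    ( cd "$root" && md5sum bin/ls ) > "$root/var/lib/dpkg/info/coreutils.md5sums"
    ( cd "$root" && md5sum bin/ps ) > "$root/var/lib/dpkg/info/procps.md5sums"
    echo 'backdoored ps' > "$root/bin/ps"
    : > "$root/usr/lib/libsh/hide"
    echo "$root"
}

ROOT=${1:-$(make_sample_root)}   # pass the real mount point as argument 1
echo "== owner/group not in $ROOT/etc/passwd,group (uid gid path) =="
find_unmapped_owners "$ROOT"
echo "== files differing from dpkg md5sums (package path) =="
check_md5sums "$ROOT"
echo "== known SHV4 paths present =="
check_known_paths "$ROOT"
```

The package column of the md5sums report is the list E builds by hand (procps for ps, coreutils for ls, and so on); anything the first report flags that no package claims, such as the libsh directories, has to be removed as in D rather than reinstalled.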
F - Todo
- investigate reason
- break-in via ftp or pop3???
- php?
- twiki search?
- check /etc/passwd and /etc/shadow: the attacker's .bash_history in C shows vi /etc/passwd and passwd bin, so lock the bin account (passwd -l bin) and diff /etc/passwd against a known-good copy; the package reinstalls in E do not touch these files
- deny loading of kernel modules
- deny public access to cvspserver
- do: #> apt-get upgrade
- install a filesystem integrity checker so that tampering with the filesystem does not go unnoticed
G - Infos