Hi!
I think one of my machines got hacked, but I can't figure out from where...
I found some suspicious files in the /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't have a userid 122.
So, does anyone have a CentOS 3.9 install around that can send me the info about (filesize, md5, modification date) these files:
/bin : ls netstat ps
/usr/bin/ dir find md5sum pstree slocate tee top
What tipped me off: I was sudoing to another user, and saw this message: "Unknown HZ value! (92) Assume 100."
Thanks
Nicolas Ross wrote:
Hi!
I think one of my machines got hacked, but I can't figure out from where...
I found some suspicious files in the /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't have a userid 122.
So, does anyone have a CentOS 3.9 install around that can send me the info
One of our investigators has collaborators around the world, on old machines, so we have this:
2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux
Note they may be different on your machine.
about (filesize, md5, modification date) these files:
/bin : ls netstat ps
-rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls
-rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat
-r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps
e102f6c3dde4043908ed001e1587b1d2 /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
fc3369b3564e00f877387a13bf3f467a /bin/ps
/usr/bin/ dir find md5sum pstree slocate tee top
-rwxr-xr-x 1 root root 67700 Jun 12 2007 /usr/bin/dir
-rwxr-xr-x 1 root root 51028 Jan 11 2006 /usr/bin/find
-rwxr-xr-x 1 root root 29184 Jun 12 2007 /usr/bin/md5sum
-rwxr-xr-x 1 root root 14048 Apr 28 2006 /usr/bin/pstree
0df0aafb355df40b1137355dd354f172 /usr/bin/dir
2c5f4e789da1ad8d19ce5c68ecf8261d /usr/bin/find
03174f884e7fc5fbc215780819679f6e /usr/bin/md5sum
224f527255b2c8deb44f692eaadc873d /usr/bin/pstree
0cee754c3981ba5f527bedc9a8cbea2a /usr/bin/slocate
4ed536310a845f274f6a1611773789d8 /usr/bin/tee
6b42bf37296861c657fcf6b8dba8f675 /usr/bin/top
<snip>
Hope this helps.
mark
On Feb 7, 2011, at 10:14 AM, m.roth@5-cent.us wrote:
Nicolas Ross wrote:
Hi!
I think one of my machines got hacked, but I can't figure out from where...
I found some suspicious files in the /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't have a userid 122.
So, does anyone have a CentOS 3.9 install around that can send me the info
One of our investigators has collaborators around the world, on old machines, so we have this:
2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux
Note they may be different on your machine.
about (filesize, md5, modification date) these files:
/bin : ls netstat ps
-rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls
-rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat
-r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps
e102f6c3dde4043908ed001e1587b1d2 /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
fc3369b3564e00f877387a13bf3f467a /bin/ps
/usr/bin/ dir find md5sum pstree slocate tee top
-rwxr-xr-x 1 root root 67700 Jun 12 2007 /usr/bin/dir
-rwxr-xr-x 1 root root 51028 Jan 11 2006 /usr/bin/find
-rwxr-xr-x 1 root root 29184 Jun 12 2007 /usr/bin/md5sum
-rwxr-xr-x 1 root root 14048 Apr 28 2006 /usr/bin/pstree
0df0aafb355df40b1137355dd354f172 /usr/bin/dir
2c5f4e789da1ad8d19ce5c68ecf8261d /usr/bin/find
03174f884e7fc5fbc215780819679f6e /usr/bin/md5sum
224f527255b2c8deb44f692eaadc873d /usr/bin/pstree
0cee754c3981ba5f527bedc9a8cbea2a /usr/bin/slocate
4ed536310a845f274f6a1611773789d8 /usr/bin/tee
6b42bf37296861c657fcf6b8dba8f675 /usr/bin/top
<snip>
Hope this helps.
mark
Our internal, not internet-connected, fully patched Cent 3 box exactly matches what Mark posted.
[dkrause@rigil bin]$ ls -lat ls netstat ps
-rwxr-xr-x 1 root root 67700 Jun 12 2007 ls
-rwxr-xr-x 1 root root 83800 May 22 2007 netstat
-r-xr-xr-x 1 root root 64076 Apr 19 2006 ps
e102f6c3dde4043908ed001e1587b1d2 /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
fc3369b3564e00f877387a13bf3f467a /bin/ps
[dkrause@rigil bin]$ ls -la dir find md5sum pstree slocate tee top
-rwxr-xr-x 1 root root 67700 Jun 12 2007 dir
-rwxr-xr-x 1 root root 51028 Jan 11 2006 find
-rwxr-xr-x 1 root root 29184 Jun 12 2007 md5sum
-rwxr-xr-x 1 root root 14048 Apr 28 2006 pstree
-rwxr-sr-x 1 root slocate 32480 Sep 28 2005 slocate
-rwxr-xr-x 1 root root 12220 Jun 12 2007 tee
-r-xr-xr-x 1 root root 48052 Apr 19 2006 top
0df0aafb355df40b1137355dd354f172 dir
2c5f4e789da1ad8d19ce5c68ecf8261d find
03174f884e7fc5fbc215780819679f6e md5sum
224f527255b2c8deb44f692eaadc873d pstree
0cee754c3981ba5f527bedc9a8cbea2a slocate
4ed536310a845f274f6a1611773789d8 tee
6b42bf37296861c657fcf6b8dba8f675 top
Good luck! -- Don Krause
I think one of my machines got hacked, but I can't figure out from where...
I found some suspicious files in the /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't have a userid 122.
So, does anyone have a CentOS 3.9 install around that can send me the info
One of our investigators has collaborators around the world, on old machines, so we have this:
2.4.21-63.ELsmp #1 SMP Tue Nov 3 18:48:49 EST 2009 i686 athlon i386 GNU/Linux
Note they may be different on your machine.
about (filesize, md5, modification date) these files:
/bin : ls netstat ps
-rwxr-xr-x 1 root root 67700 Jun 12 2007 /bin/ls
-rwxr-xr-x 1 root root 83800 May 22 2007 /bin/netstat
-r-xr-xr-x 1 root root 64076 Apr 19 2006 /bin/ps
e102f6c3dde4043908ed001e1587b1d2 /bin/ls
bdfc76a24f59cc6cd8a70f771cc5cda4 /bin/netstat
fc3369b3564e00f877387a13bf3f467a /bin/ps
Dammm...
md5sum has been tampered with also... It returns those expected values, but an md5sum program I took from elsewhere was returning another value...
Dammm...
2011/2/7 Nicolas Ross rossnick-lists@cybercat.ca
md5sum has been tampered with also... It returns those expected values, but an md5sum program I took from elsewhere was returning another value...
Not all md5sum programs are the same; check several programs before deciding what's next.
On Monday, February 07, 2011 10:21:18 am Nicolas Ross wrote:
md5sum has been tampered with also... It returns those expected values, but an md5sum program I took from elsewhere was returning another value...
Once you've been hacked, you can't trust the core utilities (ls/md5sum/cd/etc.). You can't trust the kernel interfaces that these core utilities use, nor can you reliably remove the kernel modules used to interfere with normal operations, since the interfaces within the kernel may themselves be cloaking the hack-installed kernel modules!
The only way to deal with this scenario and get anything resembling a correct answer is to mount the drive in userspace, noexec, on another, trusted system. If downtime is a concern you *might* be able to use dd and copy the disk partition to another drive in the middle of the night and then check out the drive offline - that would probably work fine.
But realize that until you do this, you can have no trust whatsoever in that computer, change passwords, delete/change private SSH keys, etc. and anything you do from here on out will be forensics to:
A) Determine just how far they got in (did they get access to other systems?)
B) Figure out how to best transfer services to a new, updated system and update security so that the bad guys can't just walk back in with prior knowledge.
BTW: you should basically NEVER run an EOL'd system, regardless of the O/S. An unpatched server is pretty much a guaranteed hack incident waiting to happen.
Good luck!
On 02/07/11 10:06 AM, Nicolas Ross wrote:
So, does anyone have a CentOS 3.9 install around that can send me the info about (filesize, md5, modification date) these files:
Is that a 3.9 install that never got any updates afterwards? Is that x86_64 or i686? etc., etc.
That data is pretty worthless out of context.
John R Pierce wrote:
On 02/07/11 10:06 AM, Nicolas Ross wrote:
So, does anyone have a CentOS 3.9 install around that can send me the info about (filesize, md5, modification date) these files:
Is that a 3.9 install that never got any updates afterwards? Is that x86_64 or i686? etc., etc.
That data is pretty worthless out of context.
Good question. The box I got my data from had all updates applied until it went out of support late last fall.
mark
On 02/07/11 10:06 AM, Nicolas Ross wrote:
I found some suspicious files in the /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't have a userid 122.
Oh. Get and run rkhunter. Preferably do it on read-only media via another system.
Ok, good tool, and good call...
I took the chance to run it from that machine. So, it found some suspicious files and some parts of some rootkits, SHV5 namely.
So, that machine was scheduled to be replaced soon, so it'll be sooner rather than later...
In the meantime, I'll check what I can salvage from the 3.9 repos.
Thanks,
Nicolas, I agree with John. rkhunter is your friend! I set up all my servers to run it nightly with weekly updates. Peace, Allan
John R Pierce wrote:
On 02/07/11 10:06 AM, Nicolas Ross wrote:
I found some suspicious files in the /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't have a userid 122.
Oh. Get and run rkhunter. Preferably do it on read-only media via another system.
On Mon, Feb 07, 2011 at 01:06:56PM -0500, Nicolas Ross wrote:
Hi!
I think one of my machines got hacked, but I can't figure out from where...
I found some suspicious files in the /bin and /usr/bin directories that are owned by user id 122, where this machine doesn't have a userid 122.
So, does anyone have a CentOS 3.9 install around that can send me the info about (filesize, md5, modification date) these files:
3.9 is still available on all the mirrors; you can rpm2cpio and compare (watch out for prelinked files) or try the rpm --verify flag (if the rpm database is not modified).
Tru
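The thread's advice boils down to two points: compare the suspect binaries against a known-good baseline (Mark's listing, or files extracted from the 3.9 RPMs with rpm2cpio), and do it from a trusted system with the suspect disk mounted read-only and noexec, so neither the suspect's md5sum nor its kernel is involved. The following is an added example, not code from the thread: it takes a baseline in md5sum's own "hash  path" format, hashes each file under the mount point with Python's hashlib, and flags md5 mismatches, missing files, and files whose owner uid does not appear in the image's own etc/passwd (the uid 122 symptom). The mount location, the baseline contents and the sample image are constructed assumptions.

```python
import hashlib
from pathlib import Path

def parse_md5sum_lines(text):
    """Parse md5sum-style 'hash  path' lines into {path: hash}."""
    baseline = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 32:
            baseline[parts[1].strip()] = parts[0].lower()
    return baseline

def known_uids(mount_root):
    """UIDs declared in the mounted image's own etc/passwd."""
    uids = set()
    for line in Path(mount_root, "etc", "passwd").read_text().splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids

def check_image(mount_root, baseline):
    """Compare suspect files (mounted ro,noexec on a clean host) with a baseline."""
    findings, uids = {}, known_uids(mount_root)
    for rel, good_md5 in baseline.items():
        path = Path(mount_root, rel.lstrip("/"))
        if not path.is_file():
            findings[rel] = ["missing"]
            continue
        problems = []
        # hashed with hashlib here, never with the suspect's own md5sum binary
        if hashlib.md5(path.read_bytes()).hexdigest() != good_md5:
            problems.append("md5 mismatch")
        uid = path.lstat().st_uid
        if uid not in uids:
            problems.append("owner uid %d not in passwd" % uid)
        if problems:
            findings[rel] = problems
    return findings

def build_sample_image(root):
    """Constructed sample mount: clean ls, replaced ps, missing netstat."""
    for d in ("bin", "etc"):
        Path(root, d).mkdir(parents=True, exist_ok=True)
    Path(root, "bin", "ls").write_bytes(b"clean ls")
    Path(root, "bin", "ps").write_bytes(b"trojaned ps")
    owner = Path(root, "bin", "ls").lstat().st_uid
    # passwd deliberately lacks the files' owner uid, like the thread's uid 122
    Path(root, "etc", "passwd").write_text("x:x:%d:%d::/:/bin/sh\n" % (owner + 1, owner + 1))
    return "%s  /bin/ls\n%s  /bin/ps\n%s  /bin/netstat\n" % (
        hashlib.md5(b"clean ls").hexdigest(), "0" * 32, "1" * 32)
```

On a real case the baseline would be `md5sum` output taken on a clean host (or from rpm2cpio-extracted files, minding prelink), and `mount_root` the read-only, noexec mount of the suspect disk or dd image.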