[CentOS] Uselib24/bindz - owned!

Thu May 4 09:31:17 UTC 2006
Kai Schaetzl <maillists at conactive.com>

Nick wrote on Thu, 04 May 2006 14:43:20 +1000:

> Bindz.... hmm. telnetting to the port gave me a root shell

A shell, not necessarily a root shell. It's running with apache user 
rights it seems.

> -rwxrwxr-x    1 apache   apache      19429 Jan 10 16:20 bindz 
> -rw-r--r--    1 apache   apache       2100 Jan  8 21:32 dc.txt 
> -rwxrwxr-x    1 apache   apache     479843 Aug  3  2005 uselib24

You should suspect some php app or at least a web-based intrusion.
Break-ins this way usually don't get the intruder a root shell. And what 
they are up for most often is distribution space for "warez/videoz". They 
don't "waste time" with owning the machine in a better way. 
Stop that stuff from running, firewall it more tightly and then look 
around. I haven't seen a hack on one of my clients computers for two years 
now, so I'm not familiar with what gets used today. Google for those apps 
you found and you may find quite a few information what they replace. If 
it's not in those directories, anyway, including another instance of the 
exploit that helped to get in - for re-use on the next machine ... Try to 
find out when the intrusion happened, there may be logs for "bindz" or 
other apps or the creation data of some file may reveal this. Then check 
your apache logs around that date.

If it's a good rootkit it's hard to get rid of it. Well, you said you want 
to nuke it, anyway, good :-) If it's not a rootkit then you might think 
about getting rid of the stuff because only some basic apps got replaced. 
f.i. ls, ps, lsof, netstat and such, what you would use to look around and 
identify files/processes that shouldn't be there. Since your netstat shows 
the intruder it's obviously not been replaced or not working correctly and 
nothing may have happened yet after the break-in. If you have a second 
machine with same OS you can start by comparing (size, date, crc) and then 
replacing (even if they compare ok) (if you replace first, you don't have 
a chance to find what got replaced) some of these apps. Then compare 
again. 

Kai