security (continued)

cliff at cliff at
Mon Feb 2 14:44:41 EST 2004


Well, I found a few more things this afternoon.  I made a backup up the /etc,
/tmp, /var and /root dirs before formatting the drive this past Friday night.  I
found this in my /var/logs/messages.1 file:

Jan 21 16:42:43 titanium modprobe: modprobe: Can't locate module ppp0
Jan 21 16:42:43 titanium kernel: k uses obsolete (PF_INET,SOCK_PACKET)
Jan 21 16:42:44 titanium kernel: eth0: Promiscuous mode enabled.
Jan 21 16:42:44 titanium kernel: device eth0 entered promiscuous mode
Jan 21 16:47:52 titanium modprobe: modprobe: Can't locate module ppp0

This was the day before the night I noticed problems with our server - the
cronjobs had frozen up, there were loads of bizarre processes running and when I
tried to reboot the server I got a "segmentation fault" error on the first couple
lines of bootup.  I upgraded to RedHat 9 and that allowed the server t o boot
fine, but after the server was defaced this past Thursday night I wiped te hard
drive clean.  The binary "k" in fact is the name of the program that showed up
that night and ALSO this morning on my server's process list.  And I see they're
turned my eth0 to promiscious mode so it can probably try and capture traffic on
my network.

It looks like this "k" program is a backdoor that the hacker uses to do nasty
things to my system, but in and of its doesn't do anything nasty.  I need to
check my current /var/log/messages file to look for these same error messages.  I
also need to search my server to see if I can find the file itself again.

I also was looking at the backup I made this past Friday and found two files in
my /tmp directory, dc (binary) and dc_connectback.c.  Looks like it might be a
different kind of backdoor used.  If anyone wants to look at the C code let me
know and I can e-mail the file.

I still plan on formatting the disk again tonight, running up2date and doing a
re-install with the latest version of PHP.  Once again, I compile the web-related
stuff from source so I always use the latest tarballs when doing this.  Then I
need to slowly migrate my PHP code site-by-site and have my other programmer
examine for backdoors or bad files.  If the server is compromised yet again after
this, it's probably safe to say it's a problem with our PHP code, huh?

Oh, thanks for the tip about the internal problem.  I have one other programmer
on my staff and no one else in the office really knows what Linux is!  So I think
I'm good there, but still a good suggestion.

Once again, any other ideas and comments are more than welcome.  I may very well
take some of you up on your offers to come in and look at my server and help me
harden it.  Thanks again, brain trust!


More information about the nflug mailing list