security (continued)

Brad Bartram bradbartram at ccsisp.com
Mon Feb 2 15:03:00 EST 2004


I'd be interested in the C code.  Also, what is your netstat -planet output?

brad

On Monday 02 February 2004 02:44 pm, cliff at cliffmeyers.com wrote:
> Everyone,
>
>
> Well, I found a few more things this afternoon.  I made a backup of the
> /etc, /tmp, /var and /root dirs before formatting the drive this past
> Friday night.  I found this in my /var/logs/messages.1 file:
>
> Jan 21 16:42:43 titanium modprobe: modprobe: Can't locate module ppp0
> Jan 21 16:42:43 titanium kernel: k uses obsolete (PF_INET,SOCK_PACKET)
> Jan 21 16:42:44 titanium kernel: eth0: Promiscuous mode enabled.
> Jan 21 16:42:44 titanium kernel: device eth0 entered promiscuous mode
> Jan 21 16:47:52 titanium modprobe: modprobe: Can't locate module ppp0
>
> This was the day before the night I noticed problems with our server - the
> cronjobs had frozen up, there were loads of bizarre processes running and
> when I tried to reboot the server I got a "segmentation fault" error on the
> first couple lines of bootup.  I upgraded to RedHat 9 and that allowed the
> server to boot fine, but after the server was defaced this past Thursday
> night I wiped the hard drive clean.  The binary "k" in fact is the name of
> the program that showed up that night and ALSO this morning on my server's
> process list.  And I see they've turned my eth0 to promiscuous mode so it
> can probably try and capture traffic on my network.
>
> It looks like this "k" program is a backdoor that the hacker uses to do
> nasty things to my system, but in and of itself doesn't do anything nasty.  I
> need to check my current /var/log/messages file to look for these same
> error messages.  I also need to search my server to see if I can find the
> file itself again.
>
> I also was looking at the backup I made this past Friday and found two
> files in my /tmp directory, dc (binary) and dc_connectback.c.  Looks like
> it might be a different kind of backdoor used.  If anyone wants to look at
> the C code let me know and I can e-mail the file.
>
> I still plan on formatting the disk again tonight, running up2date and
> doing a re-install with the latest version of PHP.  Once again, I compile
> the web-related stuff from source so I always use the latest tarballs when
> doing this.  Then I need to slowly migrate my PHP code site-by-site and
> have my other programmer examine for backdoors or bad files.  If the server
> is compromised yet again after this, it's probably safe to say it's a
> problem with our PHP code, huh?
>
> Oh, thanks for the tip about the internal problem.  I have one other
> programmer on my staff and no one else in the office really knows what
> Linux is!  So I think I'm good there, but still a good suggestion.
>
> Once again, any other ideas and comments are more than welcome.  I may very
> well take some of you up on your offers to come in and look at my server
> and help me harden it.  Thanks again, brain trust!
>
>
> -Cliff
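The kernel messages Cliff quotes are a classic sniffer signature: a process opening an obsolete PF_INET,SOCK_PACKET raw socket, followed within a second by the interface entering promiscuous mode. Below is an added example, not code from this thread, that parses syslog-style /var/log/messages lines and correlates those two events so the process name ("k" here) is attached to the promiscuous-mode finding. The sample input is the excerpt from the post plus two constructed benign lines (a cron run and an sshd login) to show what is not flagged; the 60-second correlation window is an assumption, not something the thread specifies.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: the five lines quoted from /var/log/messages.1 in the post,
# plus two CONSTRUCTED benign lines (first and last) that must not be flagged.
SAMPLE_LOG = """\
Jan 21 16:40:01 titanium CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan 21 16:42:43 titanium modprobe: modprobe: Can't locate module ppp0
Jan 21 16:42:43 titanium kernel: k uses obsolete (PF_INET,SOCK_PACKET)
Jan 21 16:42:44 titanium kernel: eth0: Promiscuous mode enabled.
Jan 21 16:42:44 titanium kernel: device eth0 entered promiscuous mode
Jan 21 16:47:52 titanium modprobe: modprobe: Can't locate module ppp0
Jan 21 17:00:00 titanium sshd[5678]: Accepted publickey for admin from 10.0.0.5 port 4022 ssh2
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Both wordings the 2.4-era kernel used when an interface went promiscuous.
PROMISC_RE = re.compile(
    r"device (?P<iface>\S+) entered promiscuous mode"
    r"|(?P<iface2>\S+): Promiscuous mode enabled"
)
# Emitted when a process opens a raw packet socket the old way; the first
# token is the process name (the "k" binary in the post).
SOCK_PACKET_RE = re.compile(r"^(?P<proc>\S+) uses obsolete \(PF_INET,SOCK_PACKET\)")


def parse_line(line: str) -> Optional[Dict]:
    """Split one syslog line into fields; return None for lines that don't parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog carries no year; strptime defaults to 1900, which is fine for
    # computing time differences within one file.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def find_sniffer_indicators(log_text: str, window_seconds: int = 60) -> List[Dict]:
    """Return one finding per promiscuous-mode event, with any process that
    opened a raw packet socket within window_seconds attached as a suspect."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    packet_users = []  # (time, process name)
    promisc = []       # (time, interface, raw kernel message)
    for r in records:
        if r["prog"] != "kernel":
            continue
        m = SOCK_PACKET_RE.match(r["msg"])
        if m:
            packet_users.append((r["time"], m.group("proc")))
            continue
        m = PROMISC_RE.search(r["msg"])
        if m:
            promisc.append((r["time"], m.group("iface") or m.group("iface2"), r["msg"]))

    findings = []
    for t, iface, msg in promisc:
        nearby = sorted({
            proc for pt, proc in packet_users
            if abs((pt - t).total_seconds()) <= window_seconds
        })
        findings.append({
            "time": t.strftime("%b %d %H:%M:%S"),
            "interface": iface,
            "message": msg,
            "suspect_processes": nearby,
            # Promiscuous mode alone can be legitimate (tcpdump, bridging);
            # paired with an unknown raw-socket user it is much more telling.
            "severity": "high" if nearby else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_sniffer_indicators(SAMPLE_LOG):
        print(f"{f['time']} {f['interface']:6} {f['severity']:6} "
              f"suspects={f['suspect_processes']}  <- {f['message']}")
```

Run against the real file with `find_sniffer_indicators(open("/var/log/messages").read())`; any process it names is worth cross-checking against the `netstat -planet` listing Brad asks for and against the current process list, since a sniffer needs to stay resident to be useful.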




More information about the nflug mailing list