Rootkited


jassinpain
05-09-2008, 06:43 AM
Anyone else seen this?

Hello,

I just rebuilt my server and installed the ispmanager pro version, and in less than a week a rootkit was installed on a fully updated system. In my three years with Plesk this has never happened. Also, to make it worse, it appears that there must be a bug in the way resellers are handled, as those are the way they got in. In case you're wondering, here are the files I have found to clean:

976 mv cat /usr/lib/libsh/.sniff/shp /tmp
977 mv /usr/lib/libsh/.sniff/shp /tmp
985 mv /usr/include/hosts.h /tmp
989 mv /usr/include/log.h
990 mv /usr/include/log.h /tmp
991 mv /usr/include/proc.h
992 mv /usr/include/proc.h /tmp
1022 mv ttyload /tmp
1025 mv ttyload /tmp/hacked/
1027 mv ttymon /tmp/hacked/
1042 mv /usr/lib/libsh/ /tmp/hacked/
1045 mv /usr/lib/libsh/ /tmp/hacked/
1050 mv /lib/libsh.so /tmp/hacked/
1053 mv /lib/libsh.so /tmp/hacked/
1076 mv /lib/libproc.a /tmp/hacked/
1084 mv /tmp/log.h /tmp/proc.h /tmp/shp /tmp/hacked/
1086 mv /usr/include/file.h /tmp/hacked/
1089 mv /lib/lidps1.so /tmp/hacked/
1105 mv /tmp/hosts.h /tmp/hacked/

[root@bella hacked]# ls -lah /tmp/hacked/
total 504K
drwxr-xr-x 4 root root 4.0K May 8 20:23 .
drwxrwxrwt 7 root root 68K May 8 20:23 ..
-rwxr-xr-x 1 jassinpain mgrreseller 56 Mar 21 2007 file.h
-rwxr-xr-x 1 jassinpain mgrreseller 86 Mar 21 2007 hosts.h
-rwxr-xr-x 1 fhs mgradmin 34K Sep 8 2000 libproc.a
drwxr-xr-x 6 root root 4.0K May 8 17:32 libsh
drwxr-xr-x 2 root root 4.0K May 8 17:32 libsh.so
-rwxr-xr-x 1 jassinpain mgrreseller 71 Mar 21 2007 lidps1.so
-rwxr-xr-x 1 jassinpain mgrreseller 28 Mar 21 2007 log.h
-rwxr-xr-x 1 jassinpain mgrreseller 89 Mar 21 2007 proc.h
---------- 1 jassinpain mgrreseller 7.5K Mar 21 2007 shp
-rwxr-xr-x 1 fhs mgradmin 208K Mar 21 2007 ttyload
-rwxrwxr-x 1 jassinpain mgrreseller 92K Mar 21 2007 ttymon
[root@bella hacked]#


[root@bella ~]# grep .5. rpmverify.txt |egrep 'bin|sbin'
S.5..UG. /usr/bin/pstree
S.5..UG. /usr/bin/find
S.5..UG. /usr/sbin/lsof

By this time I had already cleaned up find, ls and ifconfig and had to chattr them all.

[root@bella RPMS]# ls -lah
total 4.7M
drwxr-xr-x 2 root root 4.0K May 8 19:49 .
drwxr-x--- 7 root root 4.0K May 8 19:48 ..
-rw-r--r-- 1 root root 3.7M Apr 3 2007 coreutils-5.97-12.1.el5.i386.rpm
-rw-r--r-- 1 root root 295K Apr 3 2007 findutils-4.2.27-4.1.i386.rpm
-rw-r--r-- 1 root root 359K Apr 3 2007 net-tools-1.60-73.i386.rpm
-rw-r--r-- 1 root root 207K Apr 3 2007 procps-3.2.7-8.1.el5.i386.rpm
-rw-r--r-- 1 root root 62K Apr 3 2007 psmisc-22.2-5.i386.rpm
-rw-r--r-- 1 root root 73K Nov 20 11:16 sysklogd-1.4.1-40.el5.i386.rpm
[root@bella RPMS]#

jassinpain
05-09-2008, 06:49 AM
I should also note the passwords were randomly generated and never used, as I am still testing the box from the root level. The jasspain account did not even get past setting up a domain; it was still on the soon-to-come page.

jassinpain
05-09-2008, 09:22 AM
Found another part in the inittab:
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload

This is part of the junk they have running.
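As an added example (not code from the thread), a small Python helper that checks a host for the artifacts these posts describe: it parses `rpm -V` output for bin/sbin binaries whose MD5 digest differs from the package (the '5' flag), looks for inittab entries that launch ttyload or ttymon, and reports which of the paths the poster moved to /tmp/hacked still exist. The sample inputs are constructed from the output quoted above.

```python
import os
import re
# Paths the thread's author moved out of the system into /tmp/hacked.
ROOTKIT_PATHS = [
    "/usr/lib/libsh", "/usr/lib/libsh/.sniff/shp", "/lib/libsh.so",
    "/lib/libproc.a", "/lib/lidps1.so", "/usr/include/hosts.h",
    "/usr/include/log.h", "/usr/include/proc.h", "/usr/include/file.h",
    "/usr/sbin/ttyload", "/usr/sbin/ttymon",
]

# Constructed samples modelled on the rpm -V and inittab output in the thread.
SAMPLE_RPM_VERIFY = """\
S.5..UG.   /usr/bin/pstree
S.5..UG.   /usr/bin/find
S.5..UG.   /usr/sbin/lsof
.......T   /etc/issue
"""
SAMPLE_INITTAB = """\
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload
1:2345:respawn:/sbin/mingetty tty1
"""
INITTAB_ENTRY = re.compile(r"^([^:#]+):([^:]*):([^:]*):(.*)$")  # id:levels:action:process

def modified_binaries(rpm_verify_output):
    """Paths under bin/ or sbin/ whose rpm -V flags (8 chars: SM5DLUGT) have '5' set."""
    hits = []
    for line in rpm_verify_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or len(parts[0]) != 8:
            continue  # skips blank lines and 'missing' entries
        flags, path = parts[0], parts[-1]
        if flags[2] == "5" and re.search(r"/s?bin/", path):
            hits.append(path)
    return hits

def suspicious_inittab(inittab_text, names=("ttyload", "ttymon")):
    """inittab entries whose process field launches one of `names`."""
    hits = []
    for line in inittab_text.splitlines():
        m = INITTAB_ENTRY.match(line.strip())
        if m and any(re.search(rf"(^|/){re.escape(n)}\b", m.group(4))
                     for n in names):
            hits.append(line.strip())
    return hits

def present_rootkit_paths(paths=ROOTKIT_PATHS):
    """Known rootkit paths that exist on this host (lexists: dangling symlinks count)."""
    return [p for p in paths if os.path.lexists(p)]
```

Because the poster had to replace find, ls and ifconfig, results from a still-running compromised host are only as trustworthy as its userland; where possible run such checks from clean boot media and verify against the original RPMs as the poster did.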