ISPsystem.com Forums

ISPsystem.com Forums (http://forum.ispsystem.com//index.php)
-   Troubleshooting (http://forum.ispsystem.com//forumdisplay.php?f=11)
-   -   Rootkited (http://forum.ispsystem.com//showthread.php?t=226)

jassinpain 05-09-2008 06:43 AM

Rootkited
 
Anyone else seen this?

Hello,

I just rebuilt my server and installed the ispmanager pro version, and in less than a week a rootkit was installed on a fully updated system. In
my three years with Plesk this has never happened. Also, to make it
worse, it appears that there must be a bug in the way resellers are
handled, as that is the way they got in. In case you're wondering, here
are the files I have found to clean

976 mv cat /usr/lib/libsh/.sniff/shp /tmp
977 mv /usr/lib/libsh/.sniff/shp /tmp
985 mv /usr/include/hosts.h /tmp
989 mv /usr/include/log.h
990 mv /usr/include/log.h /tmp
991 mv /usr/include/proc.h
992 mv /usr/include/proc.h /tmp
1022 mv ttyload /tmp
1025 mv ttyload /tmp/hacked/
1027 mv ttymon /tmp/hacked/
1042 mv /usr/lib/libsh/ /tmp/hacked/
1045 mv /usr/lib/libsh/ /tmp/hacked/
1050 mv /lib/libsh.so /tmp/hacked/
1053 mv /lib/libsh.so /tmp/hacked/
1076 mv /lib/libproc.a /tmp/hacked/
1084 mv /tmp/log.h /tmp/proc.h /tmp/shp /tmp/hacked/
1086 mv /usr/include/file.h /tmp/hacked/
1089 mv /lib/lidps1.so /tmp/hacked/
1105 mv /tmp/hosts.h /tmp/hacked/

[root@bella hacked]# ls -lah /tmp/hacked/
total 504K
drwxr-xr-x 4 root root 4.0K May 8 20:23 .
drwxrwxrwt 7 root root 68K May 8 20:23 ..
-rwxr-xr-x 1 jassinpain mgrreseller 56 Mar 21 2007 file.h
-rwxr-xr-x 1 jassinpain mgrreseller 86 Mar 21 2007 hosts.h
-rwxr-xr-x 1 fhs mgradmin 34K Sep 8 2000 libproc.a
drwxr-xr-x 6 root root 4.0K May 8 17:32 libsh
drwxr-xr-x 2 root root 4.0K May 8 17:32 libsh.so
-rwxr-xr-x 1 jassinpain mgrreseller 71 Mar 21 2007 lidps1.so
-rwxr-xr-x 1 jassinpain mgrreseller 28 Mar 21 2007 log.h
-rwxr-xr-x 1 jassinpain mgrreseller 89 Mar 21 2007 proc.h
---------- 1 jassinpain mgrreseller 7.5K Mar 21 2007 shp
-rwxr-xr-x 1 fhs mgradmin 208K Mar 21 2007 ttyload
-rwxrwxr-x 1 jassinpain mgrreseller 92K Mar 21 2007 ttymon
[root@bella hacked]#


[root@bella ~]# grep .5. rpmverify.txt |egrep 'bin|sbin'
S.5..UG. /usr/bin/pstree
S.5..UG. /usr/bin/find
S.5..UG. /usr/sbin/lsof

by this time I had already cleaned up find, ls, ifconfig and had to chattr them all

[root@bella RPMS]# ls -lah
total 4.7M
drwxr-xr-x 2 root root 4.0K May 8 19:49 .
drwxr-x--- 7 root root 4.0K May 8 19:48 ..
-rw-r--r-- 1 root root 3.7M Apr 3 2007 coreutils-5.97-12.1.el5.i386.rpm
-rw-r--r-- 1 root root 295K Apr 3 2007 findutils-4.2.27-4.1.i386.rpm
-rw-r--r-- 1 root root 359K Apr 3 2007 net-tools-1.60-73.i386.rpm
-rw-r--r-- 1 root root 207K Apr 3 2007 procps-3.2.7-8.1.el5.i386.rpm
-rw-r--r-- 1 root root 62K Apr 3 2007 psmisc-22.2-5.i386.rpm
-rw-r--r-- 1 root root 73K Nov 20 11:16 sysklogd-1.4.1-40.el5.i386.rpm
[root@bella RPMS]#

jassinpain 05-09-2008 06:49 AM

I should also note the passwords were randomly generated and never used, as I am still testing the box from the root level. The jasspain account did not even get past setting up a domain; it was still on the soon-to-come page.

jassinpain 05-09-2008 09:22 AM

found another part in the inittab
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload

this is part of the junk they have running.
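The two checks the thread runs by hand are parsing `rpm -V` output for package binaries whose checksum changed (the `S.5..UG.` lines above) and reading `/etc/inittab` for entries that start something no package owns (the `ttyload` line). The script below is an added example of automating both; it is not code from the thread or from ISPsystem. The three `rpm -V` lines come from the post; the other sample lines, the inittab extras and the `PACKAGED_FILES` set (a stand-in for what `rpm -qal` would list) are constructed for the demo.

```python
"""Triage helpers: flag rpm-verified binaries whose digest changed, and
spot inittab entries whose program is not owned by any package.
Added example, not ISPmanager code; sample data below is constructed."""
import re

# One `rpm -V` line: flag field, optional attribute marker (c = config,
# d = doc, ...), then the path. Old rpm prints 8 flags (SM5DLUGT),
# newer rpm prints 9 (SM5DLUGTP); the MD5/digest flag is position 3 in both.
_VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")
_MISSING_LINE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")

BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
            "/usr/local/bin/", "/usr/local/sbin/")

# Constructed sample: first three lines are the ones shown in the post.
RPM_VERIFY_SAMPLE = """\
S.5..UG. /usr/bin/pstree
S.5..UG. /usr/bin/find
S.5..UG. /usr/sbin/lsof
S.5....T. c /etc/ssh/sshd_config
.......T. /usr/bin/ls
....L.... /usr/lib/libexample.so
missing /usr/bin/top
"""


def parse_rpm_verify(text):
    """Parse every `rpm -V` line into {path, flags, attr}; 'missing' files get flags='missing'."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = _MISSING_LINE.match(line)
        if m:
            findings.append({"path": m.group("path"), "flags": "missing", "attr": None})
            continue
        m = _VERIFY_LINE.match(line)
        if m:
            findings.append({"path": m.group("path"), "flags": m.group("flags"),
                             "attr": m.group("attr")})
    return findings


def changed_binaries(findings):
    """Executables under a bin/sbin dir whose digest changed or that are missing.
    Config files (attr 'c') are skipped: they are expected to differ from the package."""
    out = []
    for f in findings:
        if f["attr"] == "c" or not f["path"].startswith(BIN_DIRS):
            continue
        if f["flags"] == "missing" or f["flags"][2] == "5":
            out.append(f["path"])
    return out


# inittab entry: id:runlevels:action:process
_INITTAB = re.compile(r"^(?P<id>[^:#]{1,4}):(?P<levels>[0-9sS]*):(?P<action>\w+):(?P<process>.*)$")

# Constructed sample: the ttyload line is the one found in the post.
INITTAB_SAMPLE = """\
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload
1:2345:respawn:/sbin/mingetty tty1
"""

# Constructed stand-in for the output of `rpm -qal` on a clean box.
PACKAGED_FILES = {"/etc/rc.d/rc.sysinit", "/sbin/mingetty", "/sbin/init"}


def parse_inittab(text):
    """Return the non-comment inittab entries as dicts (id, levels, action, process)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _INITTAB.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def unowned_inittab_commands(entries, packaged_files):
    """(id, program) for entries whose program path is not owned by any package."""
    out = []
    for e in entries:
        words = e["process"].split()
        prog = words[0] if words else ""
        if prog.startswith("/") and prog not in packaged_files:
            out.append((e["id"], prog))
    return out


if __name__ == "__main__":
    for path in changed_binaries(parse_rpm_verify(RPM_VERIFY_SAMPLE)):
        print("modified package binary:", path)
    for ident, prog in unowned_inittab_commands(parse_inittab(INITTAB_SAMPLE), PACKAGED_FILES):
        print("inittab entry %s starts unpackaged program %s" % (ident, prog))
```

On a live box the input for the first half is `rpm -Va` and for the second `rpm -qal`, both run from a rescue environment rather than the suspect system, since the post shows `find`, `ls` and `lsof` themselves had been replaced.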

