05-09-2008, 06:43 AM | #1 |
Junior Member
Join Date: May 2008
Posts: 3
|
Rootkited
Anyone else seen this?
Hello, I just rebuilt my server and installed the ispmanager pro version and in less than a week a rootkit was installed on a fully updated system. In my three years with Plesk this has never happened. Also, to make it worse, it appears that there must be a bug in the way resellers are handled, as that is the way they got in. In case you're wondering, here are the files I have found to clean:

976 mv cat /usr/lib/libsh/.sniff/shp /tmp
977 mv /usr/lib/libsh/.sniff/shp /tmp
985 mv /usr/include/hosts.h /tmp
989 mv /usr/include/log.h
990 mv /usr/include/log.h /tmp
991 mv /usr/include/proc.h
992 mv /usr/include/proc.h /tmp
1022 mv ttyload /tmp
1025 mv ttyload /tmp/hacked/
1027 mv ttymon /tmp/hacked/
1042 mv /usr/lib/libsh/ /tmp/hacked/
1045 mv /usr/lib/libsh/ /tmp/hacked/
1050 mv /lib/libsh.so /tmp/hacked/
1053 mv /lib/libsh.so /tmp/hacked/
1076 mv /lib/libproc.a /tmp/hacked/
1084 mv /tmp/log.h /tmp/proc.h /tmp/shp /tmp/hacked/
1086 mv /usr/include/file.h /tmp/hacked/
1089 mv /lib/lidps1.so /tmp/hacked/
1105 mv /tmp/hosts.h /tmp/hacked/

[root@bella hacked]# ls -lah /tmp/hacked/
total 504K
drwxr-xr-x 4 root root 4.0K May 8 20:23 .
drwxrwxrwt 7 root root 68K May 8 20:23 ..
-rwxr-xr-x 1 jassinpain mgrreseller 56 Mar 21 2007 file.h
-rwxr-xr-x 1 jassinpain mgrreseller 86 Mar 21 2007 hosts.h
-rwxr-xr-x 1 fhs mgradmin 34K Sep 8 2000 libproc.a
drwxr-xr-x 6 root root 4.0K May 8 17:32 libsh
drwxr-xr-x 2 root root 4.0K May 8 17:32 libsh.so
-rwxr-xr-x 1 jassinpain mgrreseller 71 Mar 21 2007 lidps1.so
-rwxr-xr-x 1 jassinpain mgrreseller 28 Mar 21 2007 log.h
-rwxr-xr-x 1 jassinpain mgrreseller 89 Mar 21 2007 proc.h
---------- 1 jassinpain mgrreseller 7.5K Mar 21 2007 shp
-rwxr-xr-x 1 fhs mgradmin 208K Mar 21 2007 ttyload
-rwxrwxr-x 1 jassinpain mgrreseller 92K Mar 21 2007 ttymon
[root@bella hacked]#

[root@bella ~]# grep .5. rpmverify.txt |egrep 'bin|sbin'
S.5..UG. /usr/bin/pstree
S.5..UG. /usr/bin/find
S.5..UG. /usr/sbin/lsof

By this time I had already cleaned up find, ls, ifconfig and had to chattr them all.

[root@bella RPMS]# ls -lah
total 4.7M
drwxr-xr-x 2 root root 4.0K May 8 19:49 .
drwxr-x--- 7 root root 4.0K May 8 19:48 ..
-rw-r--r-- 1 root root 3.7M Apr 3 2007 coreutils-5.97-12.1.el5.i386.rpm
-rw-r--r-- 1 root root 295K Apr 3 2007 findutils-4.2.27-4.1.i386.rpm
-rw-r--r-- 1 root root 359K Apr 3 2007 net-tools-1.60-73.i386.rpm
-rw-r--r-- 1 root root 207K Apr 3 2007 procps-3.2.7-8.1.el5.i386.rpm
-rw-r--r-- 1 root root 62K Apr 3 2007 psmisc-22.2-5.i386.rpm
-rw-r--r-- 1 root root 73K Nov 20 11:16 sysklogd-1.4.1-40.el5.i386.rpm
[root@bella RPMS]#

Last edited by jassinpain; 05-09-2008 at 06:51 AM. |
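A way to turn `rpm -V` output like the S.5..UG. lines in the post above into a list of replaced system binaries, as an added example that is not part of the post: it decodes each flag position, keeps the file-type marker, and reports bin/sbin files whose digest changed or that went missing. The sample output is constructed (the three pstree/find/lsof lines are the ones from the post), and the bin/sbin and skip-config-files rules are my own assumptions about what to flag.

```python
import re
from typing import List, NamedTuple
# Constructed sample of "rpm -Va" output: the three lines from the post, plus a
# config file, an mtime-only change, a missing file and a non-file line.
SAMPLE_RPM_VERIFY = """\
S.5..UG.    /usr/bin/pstree
S.5..UG.    /usr/bin/find
S.5..UG.    /usr/sbin/lsof
S.5....T  c /etc/sysconfig/syslog
.......T    /usr/bin/vim
missing     /usr/bin/top
Unsatisfied dependencies for example-1.0: libfoo is needed
"""
# One letter per failed test, '.' = passed, '?' = not testable. rpm on CentOS 5
# prints 8 positions (SM5DLUGT); newer rpm adds a 9th (P, capabilities).
FLAG_MEANING = {
    "S": "size differs", "M": "mode differs", "5": "digest (MD5) differs",
    "D": "device number differs", "L": "readlink path differs", "U": "user differs",
    "G": "group differs", "T": "mtime differs", "P": "capabilities differ",
}
TYPE_MARKERS = {"c", "d", "g", "l", "r"}  # config, doc, ghost, license, readme
FLAGS_RE = re.compile(r"^[SM5DLUGTP.?]{8,9}$")
class Finding(NamedTuple):
    path: str
    flags: str         # raw flag string, "" for a missing file
    ftype: str         # type marker such as "c", "" for ordinary files
    failed: List[str]  # human-readable list of failed tests
def parse_rpm_verify(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "missing":
            findings.append(Finding(parts[-1], "", "", ["file missing"]))
            continue
        if not FLAGS_RE.match(parts[0]):
            continue  # dependency warnings and other non-file output
        rest, ftype = parts[1:], ""
        if len(rest) >= 2 and rest[0] in TYPE_MARKERS:
            ftype, rest = rest[0], rest[1:]
        failed = [FLAG_MEANING[c] for c in parts[0] if c in FLAG_MEANING]
        findings.append(Finding(" ".join(rest), parts[0], ftype, failed))
    return findings
def suspicious_binaries(text: str) -> List[Finding]:
    """bin/sbin files whose payload changed or vanished (config files skipped)."""
    return [f for f in parse_rpm_verify(text)
            if re.search(r"/s?bin/", f.path) and f.ftype != "c"
            and (f.flags == "" or "5" in f.flags)]
```

On a host that is already rootkited, rpm itself, its database and the libraries it loads may have been tampered with too, so the verification is only trustworthy when run from a clean boot medium against a known-good package database.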
05-09-2008, 06:49 AM | #2 |
Junior Member
Join Date: May 2008
Posts: 3
|
I should also note the passwords were randomly generated and never used as I am still testing the box from the root level. The jasspain account did not even get past setting up a domain, it was still on the soon to come page.
|
05-09-2008, 09:22 AM | #3 |
Junior Member
Join Date: May 2008
Posts: 3
|
found another part in the inittab:

# Loading standard ttys
0:2345nce:/usr/sbin/ttyload

this is part of the junk they have running. |