July 12th, 2002, 02:25 AM
I have spent a few days looking around AntiOnline and find it has some really great resources. What brings me here is the plight of one of my servers. Some crafty little hacker managed to get root and then installed a loadable kernel module that allowed him to hide processes from the system. He hid two of them, one called updatefs (not sure what that one did) and the other was a slave for a distributed denial of service attack.
I have since recompiled the kernel to disable LKMs, and what I found was that he had all of his binaries in a hidden directory named /usr/lib/ypx and updatefs was a hidden file in /usr/sbin/. I have burned the system down and rebuilt it anew, but I am wondering two things:
1) If anyone has had similar problems and how they have dealt with it.
2) What can you do to protect yourself from this type of thing? I am leaning towards never using LKMs again.
July 12th, 2002, 05:28 AM
Install something like tripwire. It should monitor your files for you. Keep your system patched to prevent issues with buggy coding. Current information on issues with software running on your servers is available at not only the vendors' sites, but also at places like http://securityfocus.com and http://xatrix.org. Both sites are great sources of information that should provide you the information you need to help keep your system patched.
I don't know what *nix system you are running, but regardless of the variety, setting up firewalling services (i.e. IPtables or IPChains for Linux, IPFW or IPFilter on the BSDs and so forth) at the individual server may be of some use. Even if you have a firewall facing the net, you really can't be too careful.
Hope this is of at least some help.
Regards and Good luck in the future.
"I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing."
July 12th, 2002, 01:02 PM
Thanks for the input. We actually did have tripwire running but it didn't show us anything. I also suspect that the updatefs binary might have had something to do with that as well. We are running RedHat on that system.
July 12th, 2002, 02:50 PM
Updatefs was probably a shim between the OS and file system that interfered with the OS (and hence tripwire)'s ability to detect changes in file sizes, modification times, and sizes. I would suppose that something like this would be used to disguise that you have updated system binaries and the like...
Have you tried looking around through existing rootkits for something like this? There is probably ample documentation with it to explain it to the kidz...
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
July 12th, 2002, 02:57 PM
That is what I figured. I spent some time trying to identify the rootkit used. I looked at Knark and adore but they didn't seem to match. I do not think I actually found all of the files the hacker had on there, but at the time I just wanted to fix it and move on. That is always my reaction: fix it and move on. My boss on the other hand likes to try and track hackers down. He tracked one all the way to Israel. To me that is just a waste of time.
This type of hack job really worries me because it is so hard to detect. I would have never thought that someone would hack the kernel. It adds a whole new dimension to defending a machine against hackers.
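A cross-check for the kind of process hiding described in this thread, added here as an example and not code from any poster or from the rootkit discussed: it enumerates PIDs through the /proc directory listing (what ps and top use) and again by opening each /proc/<pid>/status directly, then reports PIDs that only the second method finds. The function names are my own, and it assumes a Linux-style /proc.

```python
"""Expose processes that a kernel-level hook hides from ps and top, like the
LKM rootkit in this thread. A process-hiding module usually filters the
readdir() results for /proc, which ps and top rely on, but must still honour
direct opens of /proc/<pid>/status or the hidden process could not run.
Enumerating PIDs both ways and diffing the sets reveals the gap. Runs live
only on a Linux-style /proc.
"""
import os

def pids_from_listing(proc="/proc"):
    """PIDs visible through readdir(), i.e. what ps and top will show."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def tgid_from_status(status_text):
    """Return the Tgid field of a /proc/<pid>/status body, or None."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split()[1])
    return None

def pids_from_probe(max_pid=None, proc="/proc"):
    """PIDs found by opening /proc/<pid>/status directly, bypassing readdir().
    Keeps only thread-group leaders: Linux lets /proc/<tid> be opened for
    non-leader threads without listing them, which would otherwise look
    exactly like hidden processes (a classic false positive of this check)."""
    if max_pid is None:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            max_pid = int(fh.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(os.path.join(proc, str(pid), "status")) as fh:
                if tgid_from_status(fh.read()) == pid:
                    found.add(pid)
        except OSError:
            continue  # no such PID, or it exited mid-scan
    return found

def hidden_pids(listed, probed):
    """PIDs reachable by direct open but absent from the readdir() listing."""
    return sorted(probed - listed)

if __name__ == "__main__":
    # List before and after the slow PID sweep so processes that start or
    # exit during it are not mistaken for hidden ones; re-run to confirm.
    before = pids_from_listing()
    probed = pids_from_probe()
    after = pids_from_listing()
    print("hidden PIDs:", hidden_pids(before | after, probed) or "none")
```

A hit only says the listing and the direct open disagree; confirm by inspecting /proc/<pid>/exe and /proc/<pid>/cmdline from a clean boot medium, since a kernel hook can lie to this check too.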