
Thread: Hacked Red Hat 7.3

  1. #11
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    There is a program called Tiger http://www.tigersecurity.org/

    The Unix security audit and intrusion detection tool

    Important Note: Due to a recent compromise of the Savannah project servers it is recommended that source code or binaries downloaded from there are checked carefully, especially if not signed with the Tiger developer's key. Note that even though there has been a security incident at Debian too, all the source code there and the packages mirror has been reviewed already (as detailed in the report after the compromise).

    Introduction
    Tiger is a security tool that can be used both as a security audit and intrusion detection system. It supports multiple UNIX platforms and it is free and provided under a GPL license. Unlike other tools, Tiger needs only POSIX tools and is written entirely in shell language.

    Tiger has some interesting features that merit its resurrection, including a modular design that is easy to expand, and its double edge: it can be used as an audit tool and a host intrusion detection system tool. Free Software intrusion detection is currently going many ways, from network IDS (with Snort), to the kernel (LIDS, or SNARE for Linux and Systrace for OpenBSD, for example), not to mention file integrity checkers (many of these: aide, integrit, samhain, tripwire...) and logcheckers (even more of these, check the Log Analysis pages). But few of them focus fully on the host side of intrusion detection. Tiger complements these tools and also provides a framework in which all of them can work together. Tiger is not a logchecker, nor is it focused on integrity analysis. It does "the other stuff": it checks the system configuration and status. Read the manpage for a full description of checks implemented in Tiger. A good example of what Tiger can do is check_findelete, a module that can determine which network servers running on a system are using deleted files (because libraries were patched during an upgrade but the server's services were not restarted).

    Free software Linux/*BSD distributions have a myriad of security tools to do local security checks: Debian's checksecurity, Mandrake's msec, OpenBSD's /etc/security, SUSE's Seccheck... but, even if they do similar checks they have suffered from fragmentation. Tiger is being developed in the hopes that it could substitute them at some point in the future. For a list of system security checks that Tiger provides that others do not you can read this (short) comparison.
    Their new version has scripts that find security flaws and also search for signs of intrusion.

    Unfortunately... they themselves... (well, the development site they used) has been cracked and they don't have the tool available at the moment... unless you're using Debian.

    Just wanted to throw in a quick FYI. Debian packages can be converted to rpm using the alien program which can be found at www.rpmfind.net
    http://www.linuxdocs.org/HOWTOs/RPM-...x-HOWTO-8.html

    So, you can still use this tool. It just takes a bit of manipulation to do it. But, I'd def. recommend it. It basically does everything that msmittens recommended in one of her first posts and way more! It's automated. Then if you choose, go through manually.

    I have an older version that doesn't include the chkrootkit, which searches for signs of rootkits. I'm hoping this will be back up soon! It's a great tool and would surely help you right now... if it was available....

    But, you can try out chkrootkit anyway, without tiger. (but keep it in mind for the future).

    chkrootkit is a tool to locally check for signs of a rootkit. It contains a chkrootkit: shell script that checks system binaries for rootkit modification. The following tests are made: aliens, asp, bindshell, lkm, rexedcs, sniffer, wted, z2, amd, basename, biff, chfn, chsh, cron, date, du, dirname, echo, egrep, env, find, fingerd, gpm, grep, hdparm, su, ifconfig, inetd, inetdconf, identd, killall, login, ls, mail, mingetty, netstat, named, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rlogind, rshd, slogin, sendmail, sshd, syslogd, tar, tcpd, top, telnetd, timed, traceroute, and write. ifpromisc.c checks whether the interface is in promiscuous mode, chklastlog.c checks for lastlog deletions, chkwtmp.c checks for wtmp deletions, check_wtmpx.c checks for wtmpx deletions (Solaris only), and chkproc.c checks for signs of LKM trojans.
    http://freshmeat.net/projects/chkrootkit/
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
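The check_findelete idea quoted above, as an added example that is not Tiger's own code: walk /proc and report processes still mapping a file that was deleted or replaced on disk. The /proc root is a parameter so the sample below runs against a constructed tree; on a live box pass /proc.

```shell
#!/bin/sh
# Added example, not Tiger's own check_findelete code: report processes that
# still map a file which was deleted or replaced on disk, the classic sign of
# a library upgraded without the daemon being restarted. The /proc root is a
# parameter so the check can run against a constructed tree; on a live system
# call it with /proc.

# Usage: list_deleted_mappings PROC_ROOT
# Prints "pid<TAB>command<TAB>path", one line per unique (pid, path) pair.
list_deleted_mappings() {
    procroot=${1:-/proc}
    for maps in "$procroot"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        piddir=${maps%/maps}
        pid=${piddir##*/}
        # first word of the NUL-separated cmdline is the program name
        cmd=$(tr '\0' ' ' < "$piddir/cmdline" 2>/dev/null | cut -d' ' -f1)
        # maps lines: start-end perms offset dev inode pathname [(deleted)]
        # keep only real file paths; anonymous and /dev mappings are noise
        grep ' (deleted)$' "$maps" 2>/dev/null |
            sed 's/^[^ ]* [^ ]* [^ ]* [^ ]* [^ ]* *//; s/ (deleted)$//' |
            grep '^/' | grep -v '^/dev/' |
            while IFS= read -r path; do
                printf '%s\t%s\t%s\n' "$pid" "${cmd:-?}" "$path"
            done
    done | sort -u
}

# Constructed sample tree standing in for /proc: pid 4242 is an httpd that is
# still using a libssl replaced during an upgrade; pid 1 is clean.
build_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/1" "$root/4242"
    printf 'init\0' > "$root/1/cmdline"
    printf 'httpd\0-DSSL\0' > "$root/4242/cmdline"
    printf '%s\n' '08048000-08050000 r-xp 00000000 03:01 111 /sbin/init' > "$root/1/maps"
    cat > "$root/4242/maps" <<'EOF'
08048000-08100000 r-xp 00000000 03:01 12345 /usr/sbin/httpd
40000000-40120000 r-xp 00000000 03:01 23456 /lib/libssl.so.0.9.7 (deleted)
40120000-40130000 rw-p 00120000 03:01 23456 /lib/libssl.so.0.9.7 (deleted)
40200000-40201000 rw-p 00000000 00:00 0 /dev/zero (deleted)
EOF
    printf '%s\n' "$root"
}

root=$(build_sample_proc)
list_deleted_mappings "$root"    # prints: 4242  httpd  /lib/libssl.so.0.9.7
rm -rf "$root"
```

A process that shows up here after a patch was applied is still running the old, vulnerable code; restart it (or reboot) and re-run the check until the list is empty.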

  2. #12
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Doggone you folks post good stuff! Cutting and pasting into my folders for sure. We all have favorite reads and a couple of Linux pubs that have helped me immensely:

    Hack Proofing Linux by Stanger, Land and Danielyan and of course the Hacking Exposed series.

    Good luck



    Edit: Thanks MsMittens, sure will!

  3. #13
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Hrmm.. Well you might want to add some of the following to your list of pubs:

    Real World Linux Security (2nd Edition) by Bob Toxen
    Building Secure Servers with Linux (O'Reilly)
    Linux System Security (2nd Edition)
    Practical Unix & Internet Security, 3rd Edition by Gene Spafford, Simson Garfinkel and Alan Schwartz (often considered the de facto *nix Security book)
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #14
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Also check all cron jobs running, especially as root, using crontab -l. I'd also check everything that's listed as a "home shell". Example: the user sync calls the program /bin/sync and it might actually be /bin/symc, not the same thing.

    If you find anything as a compiled program (i.e. symc above), chmod 0000 it, move it to a secure folder, rename it, and run strings on it.

    Check out folders like /tmp to see if someone dumped some source code for exploits and left it there haphazardly, giving you a definitive idea of what happened. Ten to one if you find anything, you'll find exploits from rootshell.org and the like.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
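The "home shell" check from the post above, as an added example (not code from the thread): every account's shell is compared against /etc/shells and a fixed list of legitimate non-login programs, so a look-alike such as /bin/symc or a shell under /tmp stands out. The UID_MIN of 500 is Red Hat's system/user account boundary and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the login-shell field of
# /etc/passwd the way the post suggests, flagging shells that are neither
# listed in /etc/shells nor one of the standard non-login programs used by
# system accounts, so a look-alike such as /bin/symc in place of /bin/sync
# stands out. UID_MIN (Red Hat's 500) separates system from user accounts.

# Non-login programs legitimate for system accounts but absent from /etc/shells.
SYSTEM_SHELLS='/sbin/nologin /usr/sbin/nologin /bin/false /bin/sync /sbin/halt /sbin/shutdown'

# Usage: audit_login_shells PASSWD_FILE SHELLS_FILE
# Prints "user<TAB>shell<TAB>reason" for every account worth a second look.
audit_login_shells() {
    passwd=$1; shells=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$user" in ''|\#*) continue ;; esac
        [ -n "$shell" ] || shell=/bin/sh          # empty field means /bin/sh
        if grep -qxF -- "$shell" "$shells"; then
            # a real interactive shell on a system account is unusual
            if [ "$uid" -ne 0 ] && [ "$uid" -lt "${UID_MIN:-500}" ]; then
                printf '%s\t%s\tinteractive shell on system account\n' "$user" "$shell"
            fi
            continue
        fi
        case " $SYSTEM_SHELLS " in *" $shell "*) continue ;; esac
        printf '%s\t%s\tnot an allowed shell\n' "$user" "$shell"
    done < "$passwd"
}

# Constructed sample files standing in for a suspect box's /etc/passwd and
# /etc/shells: note sync's shell and nobody's shell under /tmp.
build_samples() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/symc
halt:x:7:0:halt:/sbin:/sbin/halt
games:x:12:100:games:/usr/games:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/false
nobody:x:99:99:Nobody:/:/tmp/.x/sh
EOF
    printf '/bin/sh\n/bin/bash\n/bin/tcsh\n' > "$dir/shells"
    printf '%s\n' "$dir"
}

dir=$(build_samples)
audit_login_shells "$dir/passwd" "$dir/shells"   # flags sync, games, nobody
rm -rf "$dir"
```

On a box you do not yet trust, run this from rescue media against the mounted disk's etc/passwd and etc/shells rather than the live system's binaries.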

  5. #15
    Junior Member
    Join Date
    Feb 2004
    Posts
    12
    On the HIDS note; check out SamHain. It has way more features than Tripwire and it's still open source!

    http://la-samhna.de/samhain/

    -Tomdaq

  6. #16
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    the best way to avoid getting hacked is to upgrade.

  7. #17
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    Hi,

    You need to download chkroot to check for backdoors, trojans, etc. from here http://www.chkrootkit.org/
    It's a good way to check your box, I have chkrootkit and rootkithunter installed on my gentoo linux:
    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not found
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not found
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not tested
    Checking `inetdconf'... not found
    Checking `identd'... not found
    Checking `init'... not infected
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not found
    Checking `mingetty'... not found
    Checking `netstat'... not infected
    Checking `named'... not found
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `tcpdump'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not infected
    Checking `timed'... not found
    Checking `traceroute'... not infected
    Checking `vdir'... not infected
    Checking `w'... not infected
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/.keep /usr/lib/perl5/5.8.0/i686-linux/.packlist /usr/lib/nsbrowser/plugins/.keep /usr/lib/mozilla/include/ipc/.headerlist /usr/lib/mozilla/include/enigmime/.headerlist /usr/lib/locale/ru_RU/LC_MESSAGES/.keep /lib/.keep /lib/dev-state/.keep

    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for Showtee... nothing found
    Searching for OpticKit... nothing found
    Searching for T.R.K... nothing found
    Searching for Mithra... nothing found
    Searching for OBSD rk v1... nothing found
    Searching for LOC rootkit ... nothing found
    Searching for Romanian rootkit ... nothing found
    Searching for Suckit rootkit ... nothing found
    Searching for Volc rootkit ... nothing found
    Searching for Gold2 rootkit ... nothing found
    Searching for TC2 Worm default files and dirs... nothing found
    Searching for Anonoying rootkit default files and dirs... nothing found
    Searching for ZK rootkit default files and dirs... nothing found
    Searching for ShKit rootkit default files and dirs... nothing found
    Searching for AjaKit rootkit default files and dirs... nothing found
    Searching for zaRwT rootkit default files and dirs... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... not infected
    Checking `lkm'... nothing detected
    Checking `rexedcs'... not found
    Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
    ppp0: not promisc and no PF_PACKET sockets
    Checking `w55808'... not infected
    Checking `wted'... nothing deleted
    Checking `scalper'... not infected
    Checking `slapper'... not infected
    Checking `z2'... nothing deleted
    Check rootkits
    * Default files and directories
    Rootkit '55808 Trojan - Variant A'... [ OK ]
    Rootkit 'Apache Worm'... [ OK ]
    Rootkit 'Ambient (ark) Rootkit'... [ OK ]
    Rootkit 'BeastKit'... [ OK ]
    Rootkit 'BOBKit'... [ OK ]
    Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
    Rootkit 'Devil RootKit'... [ OK ]
    Rootkit 'Dica'... [ OK ]
    Rootkit 'FreeBSD Rootkit'... [ OK ]
    Rootkit '****`it Rootkit'... [ OK ]
    Rootkit 'GasKit'... [ OK ]
    Rootkit 'ImperalsS-FBRK'... [ OK ]
    Rootkit 'Li0n Worm'... [ OK ]
    Rootkit 'MRK'... [ OK ]
    Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
    Rootkit 'Optic Kit (Tux)'... [ OK ]
    Rootkit 'Oz Rootkit'... [ OK ]
    Rootkit 'Portacelo'... [ OK ]
    Sebek LKM [ OK ]
    Rootkit 'Scalper Worm'... [ OK ]
    Rootkit 'SHV4'... [ OK ]
    Rootkit 'Slapper'... [ OK ]
    Rootkit 'SunOS Rootkit'... [ OK ]
    Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
    Rootkit 'X-Org SunOS Rootkit'... [ OK ]

    * Suspicious files and malware
    Scanning for known rootkit files [ OK ]
    Miscellaneous Login backdoors [ OK ]
    Miscellaneous files in /dev [ OK ]
    Miscellaneous directories [ OK ]

    [Press <ENTER> to continue]

    * Trojan specific characteristics
    shv4
    Checking /etc/rc.d/rc.sysinit
    [ Not found ]
    Checking /etc/inetd.conf [ Not found ]

    * Suspicious file properties
    chmod properties
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /usr/bin/netstat [ Not found ]
    Checking /bin/login [ Clean ]
    Script replacements
    Checking /bin/ps [ Clean ]
    Checking /bin/ls [ Clean ]
    Checking /usr/bin/w [ Clean ]
    Checking /usr/bin/who [ Clean ]
    Checking /bin/netstat [ Clean ]
    Checking /usr/bin/netstat [ Not found ]
    Checking /bin/login [ Clean ]

    * OS dependant tests

    Linux
    Checking loaded kernel modules... OK.


    Checking network connections
    * Check: frequently used backdoors
    Port 2001: Scalper Rootkit [ OK ]
    Port 2006: CB Rootkit [ OK ]
    Port 2128: MRK [ OK ]
    Port 14856: Optic Kit (Tux) [ OK ]
    Port 47107: T0rn Rootkit [ OK ]

    [Press <ENTER> to continue]

    System checks
    * Allround tests
    Checking hostname... Found. Hostname is lovenixgirl
    Checking for differences in user accounts... OK. No changes.
    Checking for differences in user groups... OK. No changes.
    Checking rc.local file...
    - /etc/rc.local [ Not found ]
    - /etc/rc.d/rc.local [ Not found ]
    - /usr/local/etc/rc.local [ Not found ]
    - /usr/local/etc/rc.d/rc.local [ Not found ]
    Checking rc.d files...
    Processingfind: /etc/rc.d/*: No such file or directory
    [ OK ]
    Checking history files
    Bourne Shell [ Not Found ]

    * Filesystem checks
    Checking /dev for suspicious files... [ OK ]
    Scanning for hidden files... [ OK ]
    ---------------
    .devfsd (in /dev) .keep.gz (in /usr/man) .devfsd (in /dev)
    ---------------

    Security advisories
    * Check: Groups and Accounts
    Searching for /etc/group... [ OK ]
    Checking users in group '0' (root)... [ OK ]

    * Check: SSH
    Searching for /etc/ssh/sshd_config... [ Found ]
    Checking for allowed root login... [ OK (Remote root login disabled) ]
    Checking for allowed protocols... [ OK ]
    info: (when empty, default option active)

    * Check: Events and Logging
    Search for syslog configuration... found
    Checking for running syslog slave... [ OK ]
    Checking for logging to remote system... [ OK (no remote logging) ]


    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 0
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 0
    Possible infected files: 0
    Possible rootkits:

    Scanning took 71 seconds

    I hope this information helps you out ..


    Cheers..

    annya

  8. #18
    Junior Member
    Join Date
    Dec 2003
    Posts
    6
    Before you do any investigation, I suggest to boot from a rescue CD-ROM image, then mount the linux partition. It's possible that many commands, like find etc. have been trojanized by the intruder.

  9. #19
    Junior Member
    Join Date
    Dec 2002
    Posts
    23
    sweet angel thank you so much for the root kit check. Thank all of you for your help. I am a fairly decent learner, but sometimes need to be pointed in the right direction. You're all great. Thx
