[ale] anyone recognize this hack?
Randy Ramsdell
rramsdell at adelphia.net
Wed Feb 1 15:35:01 EST 2006
On Wed, 2006-02-01 at 13:35 -0500, John Wells wrote:
> My friend's box was hacked. The only way we caught it was the damned
> process started soaking up 97% CPU usage and firing so many packets at
> iptables that the firewall started to crawl.
>
> The interesting this was that one of the processes involved showed up as
> "perl" in top, but if I toggle the command line display it showed as
> "/usr/sbin/httpd". There is only httpd2 on this box, no httpd, so cd'd
> over into the proc directory for that process, cat'ed cmdline, and same
> thing. I assume that top simply reads from this file anyway.
>
> When restarting his normal web server for a test, it said 443 was already
> in use, so...see below. Is this familiar to anyone? I'm just curious if it
> is a fairly common rootkit or not (or if you can even tell, which is
> unlikely). I'd love to counter attack that IP, but it's probably a
> compromised machine itself ;)
Well, find the rootkit. I bet you can find it in its *.tar.gz form
somewhere. Then replace the common trojaned binaries (ps, tcpdump,
ifconfig, etc.) and use them to study the traffic.
> genesis:/var/log # lsof -iTCP:443
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> sendmail: 3366 wwwrun 4u IPv6 7994 TCP *:https (LISTEN)
> s 20533 wwwrun 4u IPv6 7994 TCP *:https (LISTEN)
> genesis:/var/log # ps -ef | grep 20533
> wwwrun 20533 1 0 Feb16 ? 00:00:00 /tmp/.tmp/public_html/s
> 67.15.63.112 53
> wwwrun 20534 20533 0 Feb16 ? 00:00:00 [s] <defunct>
> root 22778 22720 0 14:09 pts/1 00:00:00 grep 20533
First, ps, tcpdump, etc... are probably trojans.
Maybe you could find out what "sendmail and s" are. Try "strings" if
they are binary. Also, I have seen irc running with ipv6 so maybe
something is related there.
rcr
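The check John did by hand (top's short name vs. /proc/PID/cmdline) can be scripted so that every process is cross-checked at once; the following is an added example, not code from the thread. It reads /proc directly instead of going through ps or top, compares what the process says about itself (argv[0], which a program can overwrite) with what the kernel records (the exe link), and flags binaries running from /tmp-style directories or already unlinked from disk; the proc_root parameter exists only so the logic can be run against a constructed fake /proc tree.

```python
# Added example (not from the thread): cross-check a process's own claims
# (argv[0]) against kernel-maintained facts (/proc/<pid>/comm, /proc/<pid>/exe).
import os

# World-writable locations a service binary has no business running from
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def read_proc_file(path):
    try:
        with open(path, "rb") as f:
            return f.read()
    except OSError:
        return b""

def inspect_pid(proc_root, pid):
    """Return a list of findings for one pid (empty if nothing looks odd)."""
    base = os.path.join(proc_root, str(pid))
    comm = read_proc_file(os.path.join(base, "comm")).decode("utf-8", "replace").strip()
    argv0 = read_proc_file(os.path.join(base, "cmdline")).split(b"\0")[0].decode("utf-8", "replace")
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = ""  # kernel thread, zombie, or permission denied
    if not argv0:
        return []  # kernel threads and zombies have an empty cmdline
    deleted = exe.endswith(" (deleted)")
    exe_path = exe[:-len(" (deleted)")] if deleted else exe
    findings = []
    # argv[0] sits in the process's own memory, so a program (perl's $0, or a
    # plain strcpy) can make ps/top print any name. exe is set by the kernel
    # to the file actually executed. Symlinked interpreters (sh -> dash) also
    # land here, so treat the output as a triage list, not a verdict.
    if exe_path and os.path.basename(argv0) != os.path.basename(exe_path):
        findings.append(f"argv[0] {argv0!r} but exe is {exe_path!r} (comm {comm!r})")
    if exe_path.startswith(SUSPECT_DIRS):
        findings.append(f"runs from world-writable dir: {exe_path}")
    if deleted:
        findings.append(f"binary unlinked after start: {exe_path}")
    return findings

def scan(proc_root="/proc"):
    """Map pid -> findings for every numeric entry under proc_root."""
    report = {}
    for name in os.listdir(proc_root):
        if name.isdigit() and (hits := inspect_pid(proc_root, int(name))):
            report[int(name)] = hits
    return report
```

Run it as root so every /proc/PID/exe link is readable; a process like the one above would show up with argv[0] "/usr/sbin/httpd" but an exe under /tmp.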