[ale] anyone recognize this hack?

Randy Ramsdell rramsdell at adelphia.net
Wed Feb 1 15:35:01 EST 2006


On Wed, 2006-02-01 at 13:35 -0500, John Wells wrote:
> My friend's box was hacked. The only way we caught it was the damned
> process started soaking up 97% CPU usage and firing so many packets at
> iptables that the firewall started to crawl.
> 
> The interesting thing was that one of the processes involved showed up as
> "perl" in top, but if I toggled the command line display it showed as
> "/usr/sbin/httpd". There is only httpd2 on this box, no httpd, so I cd'd
> over into the proc directory for that process, cat'ed cmdline, and saw the
> same thing. I assume that top simply reads from this file anyway.
> 
> When restarting his normal web server for a test, it said 443 was already
> in use, so...see below. Is this familiar to anyone? I'm just curious if it
> is a fairly common rootkit or not (or if you can even tell, which is
> unlikely). I'd love to counter attack that IP, but it's probably a
> compromised machine itself ;)

Well, find the rootkit. I bet you can find it in its *.tar.gz form
somewhere. Then replace the common trojaned binaries ("ps", "tcpdump",
"ifconfig", etc.) and use them to study the traffic.

> genesis:/var/log # lsof -iTCP:443
> COMMAND     PID   USER   FD   TYPE DEVICE SIZE NODE NAME
> sendmail:  3366 wwwrun    4u  IPv6   7994       TCP *:https (LISTEN)
> s         20533 wwwrun    4u  IPv6   7994       TCP *:https (LISTEN)
> genesis:/var/log # ps -ef | grep 20533
> wwwrun   20533     1  0 Feb16 ?        00:00:00 /tmp/.tmp/public_html/s
> 67.15.63.112 53
> wwwrun   20534 20533  0 Feb16 ?        00:00:00 [s] <defunct>
> root     22778 22720  0 14:09 pts/1    00:00:00 grep 20533

First, ps, tcpdump, etc. are probably trojans.

Maybe you could find out what "sendmail" and "s" are. Try "strings" if
they are binaries. Also, I have seen irc running with ipv6, so maybe
something is related there.


rcr
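A triage script, added here and not from the thread, that automates the check John describes: it compares what a process calls itself (/proc/<pid>/comm, the name top and lsof show) with its argv[0] and with /proc/<pid>/exe, which a process cannot rewrite, and flags binaries executing from /tmp. The samples are constructed from the thread's output; the pids and the 192.0.2.10 address are placeholders.

```python
import os
from typing import Dict, List, Optional

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # no service binary belongs here

def find_anomalies(comm: str, cmdline: List[str], exe: Optional[str]) -> List[str]:
    """comm = /proc/<pid>/comm (what top and lsof show), cmdline = argv (which a
    process may rewrite), exe = readlink(/proc/<pid>/exe), which it cannot forge."""
    reasons = []
    argv0 = os.path.basename(cmdline[0]) if cmdline else ""
    # comm is capped at 15 chars; '#!' scripts legitimately show comm=script,
    # argv0=interpreter, so on its own this check is only a hint.
    if argv0 and comm != argv0[:15]:
        reasons.append(f"comm {comm!r} != argv0 {argv0!r}")
    if exe:
        real = exe.replace(" (deleted)", "")
        if argv0 and os.path.basename(real) != argv0:
            reasons.append(f"exe {real!r} != argv0 {argv0!r}")
        if real.startswith(TEMP_DIRS):
            reasons.append(f"exe under a temp dir: {real!r}")
    return reasons

def read_proc(pid: int) -> Optional[tuple]:
    """Read /proc directly instead of trusting a possibly trojaned ps."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().rstrip("\n")
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:   # kernel thread, or not root for another user's process
        exe = None
    return comm, cmdline, exe

def scan_proc() -> Dict[int, List[str]]:
    pids = [int(n) for n in os.listdir("/proc") if n.isdigit()]
    infos = {pid: read_proc(pid) for pid in pids}
    return {pid: r for pid, i in infos.items() if i and (r := find_anomalies(*i))}

# Constructed samples modelled on the thread; pids and 192.0.2.10 are placeholders.
SAMPLES = {
    20533: ("s", ["/tmp/.tmp/public_html/s", "192.0.2.10", "53"], "/tmp/.tmp/public_html/s"),
    3366: ("perl", ["/usr/sbin/httpd"], "/usr/bin/perl"),             # argv[0] forged
    1234: ("httpd2-prefork", ["/usr/sbin/httpd2-prefork", "-f", "/etc/apache2/httpd.conf"],
           "/usr/sbin/httpd2-prefork"),                                # the real server
}
```

Run scan_proc() as root on the suspect host; reading /proc directly sidesteps a trojaned ps but not a kernel-level rootkit that hides entries.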
