From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; compaq)

I found a root kit in a folder /rk on my system. My system was completely up to date with up2date/RHN. The files in the folder were: install (a script) and ssh.tar.gz. I made the stupid mistake of running the install script. Now my system does not accept incoming telnets. I looked over the script and it looked like it replaced a lot of files, like ps and various other things that would prevent me from seeing evidence of this thing on my system. Not sure of the name of this, but it looks like a worm. Kind of getting tired of reformatting due to a lot of recent worm attacks (Ramen worm); I finally got that to stop, but now this. Does RedHat have instructions about "hardening" your system to make it more secure? BTW, I was NOT running BIND. If you need more information, please e-mail me at tommylw Thanks, Tommy Watt

Reproducible: Didn't try
If you still have the script around, do you want to attach it? In any case, general hardening tips include:
- turn off *ALL* services you don't use
- install a firewall
- use encrypted services wherever possible (i.e., not telnet)
I will add the attachment when I get home. As far as hardening RedHat, I already turned off all unneeded services and was running a firewall. As for telnet, this is unavoidable because the purpose of my system is to provide a public access BBS via telnet. How does one break into a system via telnet? I mean, what is its vulnerability? Thanks, Tommy
With telnet, all the passwords go over the network unencrypted.
Created attachment 14103: the "install" script found in /rk
Created attachment 14104: the "tar" file that was included in /rk
I have included the files found in the /rk directory. If you need anything else from my system, let me know. I don't plan on formatting my system until I know I don't have to worry about this again. Tommy
Do you still have the logs?
Also, I'm assuming you still have the machine off the net - if you haven't reformatted it, leaving it public is certainly a bad idea.
I still have the logs but won't be able to get them to you until tomorrow morning. If there is anything else you can think of, I will get those too. I did take my server off the internet, and have made no changes to it.
Also, which exact logs do you want? Please specify exact filenames or directories that you want and I will put them all in a zip file.
Everything in /var/log.
Created attachment 14224: contents of /var/log
I attached the /var/log zip file. Please let me know what you find or if you need anything else. Thanks, Tommy
Well, someone certainly has been trying rpc.statd exploits on you, at least.
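What such an entry looks like, as an added example that is not part of the bug report: the statd format-string exploits of 2000 (CERT advisory CA-2000-17) fed a shellcode-laden "hostname" to rpc.statd, which then logged it verbatim after "gethostbyname error for", so the attempt survives in /var/log/messages as a line full of non-printable bytes and printf directives. The log lines below are constructed for the demonstration, not the reporter's /var/log; the scan assumes GNU or busybox grep (for -a).

```shell
#!/bin/sh
# Scan a syslog-style file for rpc.statd lines whose logged "hostname"
# carries exploit payload: non-printable bytes or %n/%x/%s/%p directives.
# Constructed sample log; nothing here reads a real /var/log.
set -e

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT

# Line 1: payload-shaped (binary bytes via octal escapes, then %8x...%n).
# Line 2: a harmless gethostbyname failure for a real-looking client.
# Line 3: unrelated daemon, must not be flagged.
printf 'Mar 20 01:02:03 bbs rpc.statd[349]: gethostbyname error for \030\367\377\277\030\367\377\277\031\367\377\277 %%8x%%8x%%8x%%n\n' >> "$LOG"
printf 'Mar 20 01:05:10 bbs rpc.statd[349]: gethostbyname error for nfsclient.example.net\n' >> "$LOG"
printf 'Mar 20 01:06:00 bbs ftpd[412]: FTP session closed\n' >> "$LOG"

# Print rpc.statd lines containing bytes outside the printable ASCII set
# or printf-style directives. LC_ALL=C makes [:print:] byte-based; -a
# forces grep to treat binary-looking lines as text.
statd_suspects() {
    LC_ALL=C grep -a 'rpc\.statd\[' "$1" \
        | LC_ALL=C grep -a -E '[^[:print:][:space:]]|%[0-9]*[nxsp]' || true
}

# Number of suspect lines, for scripting (0 means nothing payload-shaped).
count_statd_suspects() {
    statd_suspects "$1" | wc -l | tr -d ' '
}

statd_suspects "$LOG"
```

Attempts in the log are evidence of probing, not of success; if the patched nfs-utils was installed before the date the /rk directory was created, statd is a less likely entry point than a service that was still vulnerable on that date.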
True. What is the timestamp on the rootkit and install scripts? One thing to note is that up until you rebooted on March 21, you were running the 2.2.14 kernel; there are *definite* local exploits for this kernel, most involving sendmail. It's entirely possible that a local user could have compromised the system that way. Was there any evidence of other changes in the system before you ran the root kit install script (which could have wiped out other traces...)?
I thought everything was OK before I noticed the /rk folder in root. When I first saw this rk folder, I looked in it and saw "install" and "ssh.tar". Well, stupid me thought maybe that this was actually supposed to be there, as if I had installed an openssh update from RHN but it still needed to be installed. So I ran it. And then I didn't notice that anything was wrong until I tried telneting into the system the next day. Then I got to thinking that maybe that program I ran wasn't supposed to be there. I looked at it more closely and sure enough it was not. I did upgrade the kernel maybe a week or two earlier, but not after I saw this on my system. If this was there before I upgraded the kernel, I had no idea it was. Does it look like this happened before I upgraded kernels? Is there any way I could be more sure about this? Is there any other information or files that you would need to be more sure? Thanks, Tommy
Oh one other thing, when you said "local user". What do you mean, a console user? Or someone who has access to logon to a shell via telnet?
'local user' is anyone who has a local account. Probably the best way to get a good guess as to when this happened is to check the timestamps on the rk.tar and install.sh files.
The dates are July 30th, 1998.
OK, what's the timestamp on the directory?
Have to get back to you for that. Do you have any idea what may have happened? I'm really hesitant to reformat and put a server back online without knowing what happened.
OK, here are the dates for /rk and the files. Apparently the date I gave you before was the date that came up in Windows. (Strange that they're so different.)
FEB 28 16:04 /rk
JAN 9 06:56 ssh.tar
JAN 9 07:00 install
Does this tell you anything?
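A worked illustration of the timestamp question raised in the last few comments, added here and not part of the bug report: tar restores each member's recorded mtime on extraction, so `ls -l` on files unpacked from someone else's tarball shows when that person last wrote them, not when they landed on this machine. Two timestamps are harder to fake: the inode ctime (stat %Z) is set by the kernel and cannot be given an arbitrary value with utime()/touch, and a directory's mtime advances when entries are created in it (unless the directory itself was restored from the archive). The script builds its own tarball and paths in a temp directory, so nothing touches a real /rk; it assumes GNU (or busybox) coreutils `stat -c` and tar.

```shell
#!/bin/sh
# Show which timestamps date an unpacked drop: archived mtime (what ls -l
# prints) vs. inode ctime and parent-directory mtime. Constructed sandbox;
# the 1998 date mirrors the one seen from Windows in the thread.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OLD=199807300000            # touch -t format: 1998-07-30 00:00

mtime_of() { stat -c %Y "$1"; }   # seconds since epoch, shown by ls -l
ctime_of() { stat -c %Z "$1"; }   # inode change time, kernel-controlled

# Pack an "install" script and an empty ssh.tar with a backdated mtime,
# the way an archive from elsewhere would carry its author's dates.
build_old_tarball() {
    mkdir -p "$WORK/src"
    printf '#!/bin/sh\necho fake installer\n' > "$WORK/src/install"
    : > "$WORK/src/ssh.tar"
    touch -t "$OLD" "$WORK/src/install" "$WORK/src/ssh.tar"
    (cd "$WORK/src" && tar cf "$WORK/rk.tar" install ssh.tar)
}

# Unpack into a pre-existing directory whose mtime is also backdated;
# the directory is not an archive member, so tar cannot restore it.
unpack_into_rk() {
    mkdir -p "$WORK/rk"
    touch -t "$OLD" "$WORK/rk"
    (cd "$WORK/rk" && tar xf "$WORK/rk.tar")
}

# 0 when the file mtime is still the archived 1998 date while the file
# ctime and the directory mtime fall within an hour of now.
unpack_time_is_recoverable() {
    now=$(date +%s)
    fm=$(mtime_of "$WORK/rk/install")
    fc=$(ctime_of "$WORK/rk/install")
    dm=$(mtime_of "$WORK/rk")
    [ "$fm" -lt 1000000000 ] || return 1      # 1998 < 2001-09-09 epoch 1e9
    [ $((now - fc)) -lt 3600 ] || return 1    # ctime = unpack time
    [ $((now - dm)) -lt 3600 ] || return 1    # dir mtime = unpack time
    return 0
}

# Backdating the file again only moves mtime; ctime is bumped to "now".
ctime_survives_touch() {
    touch -t "$OLD" "$WORK/rk/install"
    [ $(( $(date +%s) - $(ctime_of "$WORK/rk/install") )) -lt 3600 ]
}

build_old_tarball
unpack_into_rk
if unpack_time_is_recoverable; then
    echo "ls -l dates are the archived ones; ctime and dir mtime date the unpack"
fi
if ctime_survives_touch; then
    echo "touch -t cannot backdate ctime"
fi
```

On a live box the same comparison is `ls -lc /rk /rk/*` (ctime) against `ls -l` (mtime); the ctime of the replaced binaries the install script wrote is likewise the time it ran. Whatever unpacked a tarball on a Windows machine, as the reporter did with the attachment, shows the archived dates too, which is why the two views disagreed.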
Hello?
It's dated when you were still running the older kernel, so it's entirely possible that the kernel exploit was used by a local user. The only other relevant log entries from around then were FTP connections listed in /var/log/secure; unfortunately, the /var/log/messages posted don't go back far enough.
As I said before, there are no local users. Is there anything else I can give you that could tell you more?
There is *no one* that can run commands on the local system? What version of wu-ftpd were you running on Feb. 28? (Yes, I know that's not the easiest thing to answer.) Do you have any older /var/log/messages* files than the ones that were in the original tarball?
I was running the current wu-ftp on that date. I know this for sure because I made sure of it, since I kept getting hit with the Ramen worm. I didn't delete any log files since I reformatted. I reformatted about a month ago and ran all available updates shortly after. The only update that I didn't run right away was the current kernel. The only person with shell access is myself.
I think I *MAY* have identified the rootkit. I did a search on www.securityfocus.com and found a reference to the "Romanian rootkit". The program chkrootkit (www.chkrootkit.org) says that it has the ability to detect the Romanian rootkit. The reason I think this may be it is that the install script says it was made in Romania. However, after extensive searching, I cannot find any other information on the Romanian rootkit on the internet. Do you know anything about this?
I still have not identified this for sure. The author of chkrootkit said I should talk to you about this. <shrug> Could you tell me if RedHat 7.1 is due to be out within the next month? I really don't need to know exactly when, but it'd be nice to know if I should format my system now or just wait until 7.1 is out. Any information would be appreciated! Thanks, Tommy
I don't know anything in particular about the 'romanian rootkit' you mention. I'm sorry, but we really can't comment on release dates.
OK. Well do you have any other ideas? Or should I just reformat and hope this doesn't happen again?
These kinds of rootkits are almost always known, and fixed if recent security patches have been installed. In this case the culprit has probably been rpc.statd. The Romanian rootkit isn't anything really new, as certain rootkit detectors notice it. After reinstalling and cutting down the services, I'm rather sure this won't happen again, unless security patches are forgotten. As for the next release, in the past there has been a rather strong correlation between different release dates.
What do you mean by "correlation between different release dates". Do you mean they are released in nearly the same amount of time from each other? When was 6.1 and 6.2 released?
I can now comment on the 7.1 release date. It's out. :)
:) I noticed. Feel free to close this bug out.