Forwarded Message:

> To: Heath Bunting
> From: Steve Hanlon
> Subject: Re: failure delivery (fwd)
> Date: Tue, 18 Sep 2001 08:41:41 +0100
> -----
> yep...
> looks like you've been hacked through the printer daemon. I logged onto your system and had a
> look in /var/log/messages. At around 18:22 on Saturday there are some long messages that look
> like binary strings, these are buffer overflow attacks. From looking at google, these are
> attacks on LPRng:
>
> http://www.google.com/search?q=Dispatch_input%3A+bad+request+line+%27BB&btnG=Google+Search
>
> Looking at the processes running, this doesn't seem to be running anymore - could be covering
> themselves up.
>
> Anyhow, it looks like the attack worked and that they dropped a root kit or something on the
> machine that replaced some key binaries, for example /usr/bin/crontab, /usr/bin/ssh and
> /usr/bin/wget. Also "find", "ps" and "ls" appear to have been replaced (others might have too).
>
> There is a process running called psybnc which seems to be some host cloaking software that is
> used for IRC channels (not really sure about this yet). If you run "ps" normally it doesn't
> appear. I've uploaded ps, ls and find into /home/root2 which are clean versions of the files.
> You'll see that this file lives in /usr/lib/.kinetic (you might have to use ~root2/ls to see the
> files).
>
> It looks to me like they're running an IRC server and maybe that's it. They've also downloaded an
> mp3 file:
> /usr/lib/.kinetic/tunnel trance force - 08 - cd2 - dark mix.mp3
> not sure why...
>
> Oh, some of the files are in /dev/.a/ another hidden directory. I can't see any other hidden
> directories of this sort.
>
> Also the /etc/rc.d/rc3.d/S40crond and S16apmd startup scripts appear to have been modified to
> point to their new binaries. Note also that the machine rebooted later on the 15th, so these
> startup scripts would have been run when the server started.
>
> How to fix? Probably a reinstall or a re-upgrade of the server is the best way of doing it, and
> then making sure that the LPR daemon is not running. A half-way job can be done by identifying
> those binaries that have been replaced and fix them, remove the hidden directories and replace
> the init scripts.... Not sure if this will correct everything though.
>
> Sorry to be the bearer of bad news.... Hope this helps.
> Steve
>
> Heath Bunting wrote:
> >
> > Should I be worried?
> >
> > --
> >
> > ---------- Forwarded message ----------
> > Date: 17 Sep 2001 18:23:51 -0000
> > From: MAILER-DAEMON@yahoo.com
> > To: root@irational.org
> > Subject: failure delivery
> >
> > Message from yahoo.com.
> > Unable to deliver message to the following address(es).
> >
> > :
> > Sorry, I wasn't able to establish an SMTP connection. (#4.4.1)
> > I'm not going to try again; this message has been in the queue too long.
> >
> > --- Original message follows.
> >
> > Return-Path:
> > MBOX-Line: From root@irational.org Sat Sep 15 17:23:47 2001
> > Received: from mta423.mail.yahoo.com for dex@mail.medianet.tim.ro; Sep 15 10:23:47 2001 -0700
> > X-Yahoo-Forwarded: from r00t4r00t@yahoo.com to dex@mail.medianet.tim.ro
> > X-Track: 1: 40
> > Received: from ivanpo-1.fm.netbenefit.co.uk (EHLO irational.org) (212.53.85.57)
> >   by mta423.mail.yahoo.com with SMTP; 15 Sep 2001 10:22:57 -0700 (PDT)
> > Received: (from root@localhost)
> >   by irational.org (8.11.0/8.11.0) id f8FHMp310325;
> >   Sat, 15 Sep 2001 18:22:51 +0100
> > Date: Sat, 15 Sep 2001 18:22:51 +0100
> > From: root
> > Message-Id: <200109151722.f8FHMp310325@irational.org>
> > To: r00t4r00t@yahoo.com
> > Subject: 212.53.85.57
> >
> > 127.0.0.1
> > Cc: dicti0nar@yahoo.com
> >
> > eth0      Link encap:Ethernet  HWaddr 00:C0:F0:58:E0:17
> >           inet addr:212.53.85.57  Bcast:212.53.85.255  Mask:255.255.255.0
> >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >           RX packets:9182547 errors:0 dropped:84 overruns:0 frame:0
> >           TX packets:1467121 errors:6513 dropped:0 overruns:37 carrier:6476
> >           collisions:1246 txqueuelen:100
> >           Interrupt:11 Base address:0x1000
> >
> > lo        Link encap:Local Loopback
> >           inet addr:127.0.0.1  Mask:255.0.0.0
> >           UP LOOPBACK RUNNING  MTU:3924  Metric:1
> >           RX packets:191007 errors:0 dropped:0 overruns:0 frame:0
> >           TX packets:191007 errors:0 dropped:0 overruns:0 carrier:0
> >           collisions:0 txqueuelen:0
>
> --
> steve@hanlon.co.uk  01965 633277  mob. 0797 0067750  fax. 020 76811400
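The checks Steve walks through above (LPRng's "Dispatch_input: bad request line" entries in /var/log/messages, hidden directories such as /usr/lib/.kinetic and /dev/.a, rc scripts repointed at replacement binaries, and installed ps/ls/find compared against the clean copies in /home/root2), written up as an added shell example. This is not code from the original mail or from anyone in the thread. It runs against a constructed fake root, so every path under that root, every log line and every file body below is made up for the demonstration; the ~root2 clean-copy directory and the /etc/rc.d/rc3.d location come from the mail, while the exact binaries compared and the syslog line format are assumptions. Passing an empty root runs the same functions against the live system.

```sh
#!/bin/sh
# Added post-compromise triage example; not part of the original mail.
# Every path under the fake root, every log line and every file body is constructed.

# Count syslog lines carrying LPRng's "Dispatch_input: bad request line" message,
# the string the mail's Google query searches for. Missing file counts as 0.
lprng_hits() {             # $1 = path to a messages file
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c 'Dispatch_input: bad request line' "$1" || true
}

# List dot-named directories directly under parents that should have none
# (the mail found /usr/lib/.kinetic and /dev/.a).
hidden_dirs() {            # $@ = parent directories to inspect
  for parent in "$@"; do
    for d in "$parent"/.[!.]*; do
      [ -d "$d" ] && echo "$d"
    done
  done
  return 0
}

# Report rc scripts that execute something out of a hidden directory
# (the mail found S40crond and S16apmd repointed at the attackers' binaries).
repointed_init_scripts() { # $1 = rc directory such as /etc/rc.d/rc3.d
  grep -l '/\.[^./]' "$1"/S* 2>/dev/null || true
}

# Compare installed binaries with clean copies kept in a separate directory,
# as the mail does with ps, ls and find uploaded to /home/root2. Prints mismatches.
trojaned_binaries() {      # $1 = directory of clean copies; rest = installed paths
  clean=$1; shift
  for bin in "$@"; do
    ref="$clean/$(basename "$bin")"
    [ -f "$ref" ] || continue
    cmp -s "$ref" "$bin" || echo "$bin"
  done
  return 0
}

# Total number of findings for a root ("" means the live system).
triage_findings() {        # $1 = root directory to inspect
  r=$1
  hits=$(lprng_hits "$r/var/log/messages")
  dirs=$(hidden_dirs "$r/dev" "$r/usr/lib" | wc -l)
  rcs=$(repointed_init_scripts "$r/etc/rc.d/rc3.d" | wc -l)
  bins=$(trojaned_binaries "$r/home/root2" "$r/bin/ls" "$r/bin/ps" "$r/usr/bin/find" | wc -l)
  echo $((hits + dirs + rcs + bins))
}

# Build a constructed fake root reproducing the indicators described in the mail.
make_fake_root() {
  r=$(mktemp -d)
  mkdir -p "$r/var/log" "$r/dev/.a" "$r/usr/lib/.kinetic" "$r/etc/rc.d/rc3.d" \
           "$r/bin" "$r/usr/bin" "$r/home/root2"
  # Constructed log lines: two LPRng entries with binary filler (not a real payload), one benign.
  cat > "$r/var/log/messages" <<'EOF'
Sep 15 18:22:09 irational lpd[310]: Dispatch_input: bad request line 'BB\377\377\377\377\200\201\202\203\204\205\206\207'
Sep 15 18:22:11 irational lpd[311]: Dispatch_input: bad request line 'BB\377\377\377\377\377\377\377\377\377\377\377\377'
Sep 15 18:30:01 irational CROND[400]: (root) CMD (run-parts /etc/cron.hourly)
EOF
  # Two rc scripts repointed at the hidden directory, one left alone.
  printf '#!/bin/sh\n/usr/lib/.kinetic/crond\n' > "$r/etc/rc.d/rc3.d/S40crond"
  printf '#!/bin/sh\n/usr/lib/.kinetic/apmd\n'  > "$r/etc/rc.d/rc3.d/S16apmd"
  printf '#!/bin/sh\n/usr/sbin/sshd\n'          > "$r/etc/rc.d/rc3.d/S55sshd"
  # Clean copies in ~root2; installed ls and ps differ from them, find does not.
  echo 'clean ls'   > "$r/home/root2/ls";   echo 'trojaned ls' > "$r/bin/ls"
  echo 'clean ps'   > "$r/home/root2/ps";   echo 'trojaned ps' > "$r/bin/ps"
  echo 'clean find' > "$r/home/root2/find"; echo 'clean find'  > "$r/usr/bin/find"
  echo "$r"
}

# Stand-alone demo: "sh triage.sh --demo" builds the fake root, reports, and removes it.
if [ "${1:-}" = "--demo" ]; then
  R=$(make_fake_root)
  echo "LPRng overflow lines: $(lprng_hits "$R/var/log/messages")"
  hidden_dirs "$R/dev" "$R/usr/lib"
  repointed_init_scripts "$R/etc/rc.d/rc3.d"
  trojaned_binaries "$R/home/root2" "$R/bin/ls" "$R/bin/ps" "$R/usr/bin/find"
  echo "total findings: $(triage_findings "$R")"
  rm -rf "$R"
fi
```

On a box where ls, ps and find were already swapped out, the grep, cmp and wc this script leans on may have been too, so run it from rescue media or with binaries copied from a known-good host, which is what the clean copies in /home/root2 are for. Matching the syslog string only shows that the overflow was attempted; the mismatched binaries and repointed rc scripts are the evidence that it succeeded.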