

  A long Monday evening
Experiences Posted by Beat Rubischon on Thursday February 05, @10:38AM
from the why-you-should-patch-your-computer dept.
Monday evening, an email from the security team reached us - three machines seem to have a running IRC server. This is quite often a sign of a hacked machine. Two hosts were Linux workstations of our students cluster, one a SuSE workstation managed by a PhD student.

Our workstation contained a PsyBNC IRC proxy run by a normal user. A short discussion with him made clear that he didn't know anything about those programs and that his account was shared with an unknown intruder. Because the Debian GNU/Linux installation was up to date, it was not possible for the intruder to get root on those machines.

The SuSE workstation (running SuSE 6.4) was also running PsyBNC - but in this case, it was behind a Suckit rootkit and completely hidden. Suckit is a great tool - not for us, but for the intruder. It replaces /sbin/init with itself and patches the Linux kernel on the fly. All processes behind it and Suckit itself are hidden and invisible to ps, top and other common tools. We have known Suckit since the break-in in March 2003.

You can detect a running Suckit with chkrootkit or by booting your system with a CD-based Linux distribution like Knoppix (mirrored by us). You will see a /sbin/init and a second program /sbin/initXYZ - XYZ will be a random string of three characters.
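
The offline check described above can be scripted for a rescue-CD session; this is an added example, not part of the original article. The function name, the KNOWN_OK allowlist and the mount point are assumptions.

```shell
#!/bin/sh
# Added example: look for the "/sbin/init plus /sbin/initXYZ" pattern on a
# suspect root filesystem mounted read-only from a rescue CD, so that the
# suspect kernel (which may hide files) is not the one answering.
#
# KNOWN_OK is an assumption: names a distribution may legitimately ship that
# happen to be "init" + three characters (for example upstart's initctl).
KNOWN_OK="${KNOWN_OK:-initctl}"

# find_init_siblings ROOT
# Prints every regular file ROOT/sbin/init??? that is not listed in KNOWN_OK.
# Returns 0 if at least one was found, 1 if none, 2 if ROOT/sbin/init is
# missing (most likely the wrong mount point).
find_init_siblings() {
    root="${1:-/mnt}"
    found=1
    # -L covers an init that is a symlink dangling inside the rescue system
    if [ ! -e "$root/sbin/init" ] && [ ! -L "$root/sbin/init" ]; then
        echo "no $root/sbin/init: is the filesystem mounted?" >&2
        return 2
    fi
    for f in "$root"/sbin/init???; do
        # an unmatched glob stays literal; skip it, and skip symlinks
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        name=${f##*/}
        case " $KNOWN_OK " in
            *" $name "*) continue ;;
        esac
        echo "$f"
        found=0
    done
    return $found
}
```

Call it as `find_init_siblings /mnt/suspect` after mounting the disk read-only; any path it prints deserves a closer look with chkrootkit.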

Suckit doesn't listen directly on the network. It waits for a connection to an open port (ssh, webserver) with a specific signature. When Suckit sees this signature, it connects back to the originating host. This makes Suckit undetectable by a network scanner.

Suckit logs any password typed into a terminal and creates a hidden log of them. So it doesn't help when you are strictly using ssh - Suckit logs the password between your keyboard and ssh, before it is encrypted. The log is quite useful for the intruder:

...
ssh beowulf :
Local: Bad packet length 1349676916.
ssh2 beowulf :
foo's password: MrYH9KWL
ssh -X -lfred beowulf :
fred@beowulf's password: 7r0mP4TB
ssh -X -lfred beowulf :
fred@beowulf's password: 7r0mP4TB
ftp www.example.com :
Connected to server1.example.com.
220 1d0si026 Microsoft FTP Service (Version 5.0).
Name (www.example.com:foobar): Password required for foobar.
Password:7tKR4IBC
/bin/login -- root :
Password: SJFTbu2
...
(real hostnames, logins and passwords known to the editors)

With this log, it was a simple thing for the intruder to follow the users and try out whether the ptrace() kernel bug exists on the destination hosts.

Well, the machine had an admin. We had a longer conversation with him about why the machine was not up to date (SuSE 6.x is no longer supported). Some time ago, he installed a firewall to protect the machine - but he needed to get remote access to the box by ssh. So he left port 22 open - quite typical in a Linux environment. With the firewall in mind he decided not to upgrade the machine to a current version of SuSE Linux - and created an ideal target for our intruder.

The machine is now freshly installed. It's the only solution in such cases - you never know which backdoors have been installed by the intruder. It usually takes a lot of work to reinstall a machine and in a case like this it's always at the worst time...

Conclusion: Keep your machine up to date and don't depend on the firewall!

    © 2003 ISG, Departement Physik, ETH Zürich, <isg@phys.ethz.ch>