Compromised Machine

Jason Dixon jason at dixongroup.net
Wed Sep 22 18:37:53 UTC 2004


On Sep 22, 2004, at 2:31 PM, Brian D. McGrew wrote:

> It would appear that one of our machines was compromised last night 
> via ssh.  It turns out that one of our accounts called 'operator' 
> didn't have a password on it (Hey, it's not 'my' machine) and someone 
> came in via ssh.  This was made obvious when we discovered the root 
> password had been changed and the 'last' showed two logins from 
> overseas.  The machine was shut down immediately and they called me.
>
> My questions are:
>
> 1)  As an unprivileged user, how can someone change the root password? 
>  Our operator account is the lowest privileged account on the system, 
> they can't shutdown, su or do anything.  But the root password is 
> changed.

Rootkit.

> 2)  While bringing the machine back up, it hung while starting the 
> network on device eth0 with the error that said "Error loading module 
> ppp.o".  We don't use ppp or anything even close.  This machine is on 
> a LAN and it's even very rarely logged into.  Is it feasible to think 
> that some sort of malicious software was installed or ran on the 
> system and if so, how can I tell?

It's likely that core utilities (modprobe, netstat, ls, etc) have been 
replaced.  Don't trust anything.

> 3)  Short of reinstalling the system, how can I tell what was done and 
> go about fixing it?  I know a reinstall would of course do it; and in 
> the case of this machine we've only changed one line of one file 
> otherwise it's a stock install.

Reinstall.  Chalk it up to a learning experience.  If you have the 
extra hardware, and you're so inclined, unplug the box and reinstall on 
a new system.  Use the non-networked machine as an opportunity to 
practice your forensics skills.


--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
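The "don't trust anything" advice above translates into a concrete check: boot the box from trusted media, mount the victim disk read-only, and compare its binaries against hashes taken from a known-good install rather than running any tool from the compromised filesystem. The script below is an added example, not code from the thread or from Red Hat; the paths, the manifest format and the sample tree it builds are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): offline integrity check of a
# suspected-compromised filesystem.  Boot trusted media, mount the victim
# disk read-only (assumed at e.g. /mnt/victim) and compare its binaries
# against a manifest of SHA-256 hashes recorded from a clean install of the
# same packages.  The demo at the bottom builds a throwaway tree so it runs
# offline with no real victim disk.

# verify_manifest ROOT MANIFEST
#   MANIFEST lines look like: <sha256>  <path-relative-to-ROOT>
#   Prints "MISSING <path>" or "MODIFIED <path>" for each problem found.
#   Returns 0 when every file matches, 1 otherwise.
verify_manifest() {
    root=$1; manifest=$2; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue                # skip blank lines
        target="$root/$path"
        if [ ! -f "$target" ]; then
            printf 'MISSING %s\n' "$path"; bad=1; continue
        fi
        actual=$(sha256sum "$target" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# build_manifest ROOT FILE...   -> manifest lines on stdout
# Run this on a clean install (or a freshly unpacked package set), never
# on the victim, since the hashes must come from a trusted source.
build_manifest() {
    root=$1; shift
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256sum "$root/$f" | cut -d' ' -f1)" "$f"
    done
}

# Constructed demo: a "clean" tree, then a victim tree where /bin/ls has
# been swapped for a trojaned copy and /sbin/modprobe is gone.  Mirrors the
# rootkit symptoms in the thread (replaced ls/netstat/modprobe).
demo_tampered_binaries() {
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/clean/sbin" \
             "$work/victim/bin" "$work/victim/sbin"
    printf 'stock ls\n'       > "$work/clean/bin/ls"
    printf 'stock netstat\n'  > "$work/clean/bin/netstat"
    printf 'stock modprobe\n' > "$work/clean/sbin/modprobe"
    build_manifest "$work/clean" bin/ls bin/netstat sbin/modprobe \
        > "$work/manifest"

    cp "$work/clean/bin/netstat" "$work/victim/bin/netstat"   # untouched
    printf 'trojaned ls\n' > "$work/victim/bin/ls"            # replaced
    # sbin/modprobe deliberately absent on the victim

    verify_manifest "$work/victim" "$work/manifest"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage on a real case, from the rescue environment:
#   verify_manifest /mnt/victim /media/usb/known-good.sha256
```

On a Red Hat system the packaged equivalent is `rpm -Va --root /mnt/victim` run from the rescue media, but bear in mind that the rpm database on the victim disk is just another file an intruder with root could have edited, which is why a manifest kept off the machine is the stronger reference.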