Compromised Machine
Jason Dixon
jason at dixongroup.net
Wed Sep 22 18:37:53 UTC 2004
On Sep 22, 2004, at 2:31 PM, Brian D. McGrew wrote:
> It would appear that one of our machines was compromised last night
> via ssh. It turns out that one of our accounts called 'operator'
> didn't have a password on it (Hey, it's not 'my' machine) and someone
> came in via ssh. This was made obvious when we discovered the root
> password had been changed and the 'last' showed two logins from
> overseas. The machine was shut down immediately and they called me.
>
> My questions are:
>
> 1) As an unprivileged user, how can someone change the root password?
> Our operator account is the lowest privileged account on the system,
> they can't shutdown, su or do anything. But the root password is
> changed.
Rootkit.
> 2) While bringing the machine back up, it hung while starting the
> network on device eth0 with the error that said "Error loading module
> ppp.o". We don't use ppp or anything even close. This machine is on
> a LAN and it's even very rarely logged into. Is it feasible to think
> that some sort of malicious software was installed or ran on the
> system and if so, how can I tell?
It's likely that core utilities (modprobe, netstat, ls, etc) have been
replaced. Don't trust anything.
> 3) Short of reinstalling the system, how can I tell what was done and
> go about fixing it? I know a reinstall would of course do it; and in
> the case of this machine we've only changed one line of one file
> otherwise it's a stock install.
Reinstall. Chalk it up to a learning experience. If you have the
extra hardware, and you're so inclined, unplug the box and reinstall on
a new system. Use the non-networked machine as an opportunity to
practice your forensics skills.
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
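The root cause in this thread is an account whose password field was empty. The script below is an added example, not part of the original list post, showing how an administrator can audit a shadow-format file for such accounts and check whether sshd's PermitEmptyPasswords directive is enabled. The shadow and sshd_config contents are constructed samples (no real hashes); the function names are assumptions for illustration, and only standard POSIX sh and awk are used.

```shell
#!/bin/sh
# Constructed sample in /etc/shadow format; the root hash is a fake placeholder.
SAMPLE_SHADOW='root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:12345:0:99999:7:::
daemon:*:12345:0:99999:7:::
operator::12345:0:99999:7:::
nobody:!:12345:0:99999:7:::
guest::12345:0:99999:7:::'

# Constructed sshd_config excerpt showing the risky setting.
SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
PermitEmptyPasswords yes'

# Print the login names whose password field (field 2) is empty.
# Accounts like this can be entered with no password wherever PAM and
# sshd allow it. Reads shadow-format lines from stdin.
empty_password_accounts() {
    awk -F: 'NF >= 2 && $2 == "" { print $1 }'
}

# Print the effective value of PermitEmptyPasswords from an sshd_config
# read on stdin. Keywords are case-insensitive in sshd_config; when the
# directive is absent, print "no", which is the OpenSSH default.
permit_empty_passwords() {
    awk 'tolower($1) == "permitemptypasswords" { v = tolower($2) }
         END { print (v == "" ? "no" : v) }'
}

# Audit a shadow file (default /etc/shadow). Exit status 1 means at least
# one account has an empty password field, 2 means the file was unreadable.
audit_shadow_file() {
    file="${1:-/etc/shadow}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    found=$(empty_password_accounts < "$file")
    if [ -n "$found" ]; then
        printf 'accounts with empty password field in %s:\n%s\n' "$file" "$found"
        return 1
    fi
    echo "no empty password fields in $file"
    return 0
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SHADOW" | empty_password_accounts
printf 'PermitEmptyPasswords: %s\n' \
    "$(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_empty_passwords)"
```

On a live system, run `audit_shadow_file` as root against the real /etc/shadow and lock any account it reports (for example with `passwd -l`), then confirm that sshd does not permit empty passwords. After a suspected compromise, run the audit from trusted media rather than from the affected host, since, as noted above, the system's own utilities cannot be trusted.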