The Community Forums


Bindshell

Discussion in 'Bind / DNS / Nameserver Issues' started by djstudio, May 29, 2003.

  1. djstudio

    Checking `bindshell'... INFECTED (PORTS: 465)

    I know there is news about portsentry conflicting with this chkrootkit, but this is not a drill; my box has been compromised.
    I saw that there were changes to my DNS settings. Apparently the guy changed my DNS settings to suit his vhost for IRC.

    Question is, how do I get rid of this infected bindshell?

    cat /etc/passwd | grep x:0

    Output:
    root:x:0:0:root:/root:/bin/bash
    That's only me!

    #1 djstudio, May 29, 2003
    Last edited: May 29, 2003
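The `grep x:0` check in the post above matches a substring anywhere on the line, not the numeric UID field, and it trusts a grep binary that later replies say this rootkit replaces. The following is an added example, not code from the thread: it parses /etc/passwd directly in Python and reports every account whose UID is exactly 0, next to what the substring match would have shown. The passwd contents are constructed for the example; `audit()` reads the real file when run on a host.

```python
# Constructed /etc/passwd sample (not from the original post): a clean root
# entry, a second UID-0 account behind a service-like name, a UID that merely
# starts with 0, and a malformed line that a parser must not choke on.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
sshd2:x:0:0:sshd:/dev/sdaa:/bin/bash
test:x:01001:100::/home/test:/bin/bash
garbage line without fields
"""


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; worth reporting separately on a real box
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            yield name, int(uid), int(gid), home, shell
        except ValueError:
            continue


def uid0_accounts(text):
    """Names of every account whose numeric UID is exactly 0."""
    return [entry[0] for entry in parse_passwd(text) if entry[1] == 0]


def grep_x0_matches(text):
    """What `grep x:0` reports: any line containing the substring 'x:0'."""
    return [line.split(":")[0] for line in text.splitlines() if "x:0" in line]


def audit(path="/etc/passwd"):
    """UID-0 accounts on this host, read without going through grep."""
    with open(path) as f:
        return uid0_accounts(f.read())


if __name__ == "__main__":
    print("uid 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("grep x:0 would list:", grep_x0_matches(SAMPLE_PASSWD))
```

Reading the file yourself sidesteps a trojaned grep, but not a kernel-level rootkit or a trojaned shell; compare the result against a copy of /etc/passwd taken from backup or from a rescue boot before trusting it.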
  2. perlchild

    That's probably because this particular trojan replaces grep (and a host of other programs) with a copy in a subdir of /dev (can't wait for devfs to make that impossible).
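Two checks that follow from the reply above, as an added example rather than anything posted in the thread: compare the PIDs the kernel exposes under /proc with the PIDs the (possibly replaced) ps binary reports, and list regular files under /dev, where a device directory should hold nodes, not binaries. The snapshot pair `SAMPLE_PROC`/`SAMPLE_PS` is constructed; the whitelist of /dev/shm and /dev/mqueue is an assumption for modern hosts.

```python
import os
import subprocess

# Constructed snapshot pair (not from the thread): the kernel shows PID 1234
# under /proc, but the doctored ps output omits it.
SAMPLE_PROC = {1, 2, 537, 1010, 1234, 2001}
SAMPLE_PS = {1, 2, 537, 1010, 2001}


def pids_from_proc():
    """PIDs the kernel exposes as numeric directories under /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_ps():
    """PIDs reported by the ps binary, which is the one a rootkit replaces."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(t) for t in out.split() if t.isdigit()}


def hidden_pids(proc_pids, ps_pids, own_pids=()):
    """PIDs present in /proc but absent from ps. Processes that exited between
    the two snapshots land here too, so each hit is re-read from /proc before
    anyone calls it a rootkit."""
    return sorted(set(proc_pids) - set(ps_pids) - set(own_pids))


def describe(pid):
    """Executable path and command line straight from /proc, not from ps."""
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = "?"
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        cmd = "?"
    return pid, exe, cmd


def regular_files_under(root="/dev"):
    """Regular files (not device nodes, FIFOs or symlinks) under a device
    directory. /dev/shm and /dev/mqueue legitimately hold files on modern
    systems, so they are skipped here (assumption; adjust per host)."""
    skip = {os.path.join(root, "shm"), os.path.join(root, "mqueue")}
    hits = []
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if os.path.join(dirpath, d) not in skip]
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                hits.append(path)
    return hits


if __name__ == "__main__":
    me = os.getpid()
    for hit in hidden_pids(pids_from_proc(), pids_from_ps(), own_pids={me}):
        print("hidden from ps:", describe(hit))
    for path in regular_files_under("/dev"):
        print("regular file in /dev:", path)
```

A user-space rootkit that swaps ps cannot hide from the /proc listing, which is the same idea chkrootkit's chkproc uses; a kernel module that filters /proc defeats both, which is why the later advice in this thread to reinstall still stands.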

  3. djstudio

    After killing those processes hidden from ps,

    I find that

    syslogd,
    mysql
    and bind always appear down but they work,
    and once I've got a lot of email messages from the box saying that it has restarted magically, about 100 messages or so.

  4. sexy_guy

    Bindshell on port 465 is normal. Ever since I set up all my servers using cPanel on brand new boxes, chkrootkit has complained about 465. This is normal if portsentry or smtps is running on port 465. I don't think this is any exploit at all. If it is, then every cPanel box I've ever seen has been exploited.

  5. Sash

    From the horse's mouth: http://www.chkrootkit.org/

    I'm running PortSentry/klaxon. What's wrong with the bindshell test?
    If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

    Mike
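The FAQ quoted above gives the port list but leaves the triage to you: a listener on one of those ports is only a false positive if you can name the process that owns it. The following is an added example, not from the thread or from chkrootkit, that parses `netstat -tlnp` output (the `-p` column is the same owner mapping `lsof -i TCP:465` gives), flags listeners on the chkrootkit bindshell ports, and sorts them into expected owners versus ones to investigate. The sample netstat output is constructed, and `EXPECTED_ON_PORT` / `SCANNER_DAEMONS` are an assumed allow-list for a cPanel box of that era.

```python
import subprocess

# chkrootkit's bindshell port list, as quoted from the chkrootkit FAQ above.
BINDSHELL_PORTS = {114, 465, 511, 1008, 1524, 1999, 3879, 4369, 5665, 10008,
                   12321, 23132, 27374, 29364, 31336, 31337, 45454, 47017,
                   47889, 60001}

# Assumed per-host allow-list: programs that legitimately own one of those
# ports here. netstat truncates the program name, so the truncated stunnel
# name seen in this thread is listed alongside the full one.
EXPECTED_ON_PORT = {465: {"stunnel", "stunnel_p", "exim"}}
# Port-scan traps bind many of the listed ports on purpose.
SCANNER_DAEMONS = {"portsentry", "klaxon"}

# Constructed `netstat -tlnp` output (not from the thread), captured as root.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1010/stunnel_p
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      537/portsentry
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2001/mysqld
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:27374           0.0.0.0:*               LISTEN      4242/sh
"""


def parse_listeners(text):
    """(port, pid, program) for every TCP LISTEN row of `netstat -tlnp`.
    pid and program are None when netstat prints '-' (not running as root,
    or the owning process is not visible under /proc)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        port = int(parts[3].rsplit(":", 1)[1])
        pid = prog = None
        if len(parts) >= 7 and parts[6] != "-":
            pid_s, _, prog = parts[6].partition("/")
            pid = int(pid_s) if pid_s.isdigit() else None
        rows.append((port, pid, prog))
    return rows


def triage(text):
    """One verdict per listener that sits on a chkrootkit bindshell port."""
    verdicts = []
    for port, pid, prog in parse_listeners(text):
        if port not in BINDSHELL_PORTS:
            continue
        if prog is None:
            verdict = "investigate: no visible owner; check with lsof -i TCP:%d" % port
        elif prog in EXPECTED_ON_PORT.get(port, set()) or prog in SCANNER_DAEMONS:
            verdict = "expected false positive: %s" % prog
        else:
            verdict = "investigate: unexpected owner %s (pid %s)" % (prog, pid)
        verdicts.append((port, pid, prog, verdict))
    return verdicts


def triage_live():
    """Run netstat on this host; the owner column needs root."""
    out = subprocess.run(["netstat", "-tlnp"], capture_output=True,
                         text=True, check=True).stdout
    return triage(out)


if __name__ == "__main__":
    for port, pid, prog, verdict in triage(SAMPLE_NETSTAT):
        print(port, pid, prog, "->", verdict)
```

A listener with no visible owner while running as root is itself a finding: netstat maps sockets to PIDs through /proc, so an owner it cannot find is either a process that has since exited or one being hidden. On hosts without net-tools, `ss -ltnp` gives the same information in a different layout and needs its own parser.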

  6. sexy_guy

    That's correct! The guy talking about somebody modifying his DNS entry, well, that's a bit hard to believe unless somebody has gotten root or he gave his users access to modify DNS.

  7. djstudio

    Only I have root.
    portsentry is not on.

    syslogd,
    mysql
    and bind always appear down but they work,
    and once I've got a lot of email messages from the box saying that it has restarted magically, about 100 messages or so.

    syslogd failed @ Fri May 30 08:27:37 2003. A restart was attempted automagicly.

    mysql failed @ Fri May 30 08:27:17 2003. A restart was attempted automagicly.

    This message keeps repeating. I have no idea how to rectify this problem.

  8. Sash

    Did you disable portsentry? By default cpanel turns it on.

    Mike

  9. djstudio

    By default it is not on. It wasn't even installed; I had to install it myself.

  10. sqsisa

    Had the same issue. Do you have smtps running? This was the resolution to my issue:

    netstat -a

    Will show you if something is listening on that port currently ... if you are infected, ps might have been replaced (though chkrootkit didn't tell you it was) ... you might want to temporarily download "lsof" from www.rpmfind.net and install it ... it has an option to only show open sockets .. -i I think .. and you can even tell it just to show port 465 .. can't remember how offhand. Anyway, using that tool you can determine what program has the socket open and the PID for it ... even if your ps program has been replaced. Once you find it, you can kill -KILL <pid> it and then chmod 111 the program and move it away from where it is ... preferably offsite .. for later analysis if that is needed.

    quote:

    [root@homer lsof]# /usr/sbin/lsof -i TCP:465
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    stunnel_p 1010 root 4u IPv4 4598 TCP *:smtps (LISTEN)

  11. NightHawk

    I second this... but it isn't just portsentry that will cause this false positive... a lot of control panels, including cPanel and Plesk, run smtps on port 465... portsentry incorrectly IDs that as a bindshell. If you do a netstat -anp... it should show you that smtps is listening on port 465...

  12. djstudio

    Yes, of course there are problems like this,
    but this isn't that. It has been compromised; the DNS was changed so that a person could run a psyBNC or a bot on my box.
    Lucky thing is, the hacker left a few spots for me to look, like
    the .bash_history. I thought it was erased, but it seems that it wasn't entirely gone; fragments of it, or most, I'd say all, is deleted from a directory " ". Smart, but not so smart. Well, all of this has an effect: by deleting the bindshell rootkit, I deleted the ps which was already corrupted, thus I can't log in to my box via SSH, but I can log in through cPanel:2086.
    Since the SSH kernels are corrupted, the only thing to do is log in physically to fix whatever, or ask my provider to reformat; since it hasn't had any customers, it might as well be updated to Red Hat 8.0 and so forth.

  13. NightHawk

    Your best bet is to reformat and reinstall everything... that is always the best advice on any hacked (or even highly suspected hacked) box... as there is no way to ever know if you found everything...

    Sorry to hear you got hacked... but at least you didn't have anything on the box...

    I suggest that after your restore... you install tighter security... take the information you have gained from your autopsy... and make sure you plug the holes this hacker used... as he will most probably try to come back...

    Good luck...

    BTW... if you haven't done a full autopsy on your server yet, I suggest running Autopsy and TASK (found at http://sleuthkit.sourceforge.net/index.php).

  14. djstudio

    Heh, guess what? SSH is back after reinstalling from cPanel, lol. Ain't cPanel just great?

  15. Sash

    How did you reinstall cPanel without shell access?

    Mike

  16. djstudio

    Under Software,
    Install an RPM,
    look for openssh,
    then force the install; then it reinstalls.
