The following are notes I made to myself after a recent hack...
Things to look for after a hack --
FIND A USER AS ROOT
awk -F: '$3 == 0 {print $1}' /etc/passwd
(Should see only one user with UID 0 (you!). If more than one, investigate!! A plain grep for "0:0" is not enough: it also matches lines like "bob:x:1000:0:" and misses a UID-0 account with a non-zero GID.)
FIND OPEN PORTS
lsof -i -P -n | grep LISTEN
Look for listening ports you did not expect (netstat may be trojaned to hide them; see the Rootkit IV list below).
CHECK THESE SERVICES
The following directories may also be created by a hacker:
CHECK MODIFIED FILE TIMES
find / -mtime -N -print
(Where N is the number of days back to check, e.g. -mtime -1 for files changed in the last day.)
COMPARE OUTPUT OF LS
Inside each modified directory you should compare the output of
echo * with ls. If ls has been trojaned and configured to hide
anything, the echo command will show
The worm keeps itself active during reboots by appending some lines to /etc/rc.d/rc.sysinit
disguised with the comment 'Name Server Cache Daemon..'. It also deletes /etc/hosts.deny and
appends lines to /etc/inetd.conf to leave a root shell on port 1008. Finally, it emails the
contents of /etc/passwd, /etc/shadow and the output from ifconfig -a, to an address in the
/etc/rc.d/rc.sysinit ## Search for 'Cache', usually at the end of the file
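The checklist above (UID-0 accounts, echo * vs ls, rc.sysinit and inetd.conf persistence) as one runnable triage script. This is an added example, not part of the original notes; it takes file paths so it can be pointed at a mounted image, and the sample tree it builds under mktemp is constructed for demonstration.

```shell
#!/bin/sh
# Added triage helpers for the checklist above (not from the original notes).
# Each check takes a path so it can run against a mounted image or the
# constructed sample tree built below; on a live host pass /etc/passwd, etc.

# 1. UID-0 accounts other than root. Parses the UID field instead of grepping
#    for the substring "0:0", which also matches e.g. "bob:x:1000:0:".
uid0_accounts() {                       # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Lines in rc.sysinit carrying the "Name Server Cache Daemon" disguise.
cache_daemon_lines() {                  # $1 = rc.sysinit
    grep -n -i 'cache' "$1"
}

# 3. Active inetd.conf entries whose server program is a shell, or that use port 1008.
inetd_shells() {                        # $1 = inetd.conf
    awk '!/^[ \t]*#/ && ($6 ~ /\/(ba)?sh$/ || $1 == "1008")' "$1"
}

# 4. Names the shell's own glob sees that ls does not report. A trojaned ls
#    hides entries; the glob is expanded by the shell, so it still sees them.
#    $2 lets a test substitute another ls command; default is the real one.
glob_vs_ls() {                          # $1 = directory, $2 = ls command
    lscmd=${2:-ls}
    "$lscmd" -A "$1" | sort > "$TMP/ls.out"
    ( cd "$1" && for f in * .[!.]* ..?*; do
          [ -e "$f" ] && printf '%s\n' "$f"; done ) | sort > "$TMP/glob.out"
    comm -23 "$TMP/glob.out" "$TMP/ls.out"
}

# Constructed sample tree: a second UID-0 user, a GID-0 user that fools the
# substring grep, a port-1008 shell in inetd.conf, a disguised rc.sysinit line.
TMP=$(mktemp -d)
SAMPLE="$TMP/root"
mkdir -p "$SAMPLE/etc/rc.d" "$SAMPLE/dev/.rk"
printf 'root:x:0:0:root:/root:/bin/sh\nbob:x:1000:0::/home/bob:/bin/sh\nrewt:x:0:0::/:/bin/sh\n' > "$SAMPLE/etc/passwd"
printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n1008 stream tcp nowait root /bin/sh sh -i\n' > "$SAMPLE/etc/inetd.conf"
printf '#!/bin/sh\necho booting\n# Name Server Cache Daemon..\n/dev/.rk/start\n' > "$SAMPLE/etc/rc.d/rc.sysinit"

echo "== extra UID-0 accounts";   uid0_accounts "$SAMPLE/etc/passwd"
echo "== disguised rc lines";     cache_daemon_lines "$SAMPLE/etc/rc.d/rc.sysinit"
echo "== suspicious inetd lines"; inetd_shells "$SAMPLE/etc/inetd.conf"
echo "== hidden from ls";         glob_vs_ls "$SAMPLE/dev"
[ -f "$SAMPLE/etc/hosts.deny" ] || echo "== /etc/hosts.deny is missing"
```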
Utilities Included in Rootkit IV
Programs That Hide the Cracker's Presence
ls, find, du — will not display or count the cracker's files.
ps, top, pidof — will not display the cracker's processes.
netstat — will not display the attacker's traffic, usually used to hide daemons such as eggdrop, bindshell, or bnc.
killall — will not kill the attacker's processes.
ifconfig — will not display the PROMISC flag when sniffer is running.
crontab — will hide the cracker's crontab entry. The hidden crontab entry is in /dev by default.
tcpd — will not log connections listed in the configuration file.
syslogd — similar to tcpd.
Trojaned Programs That Have Backdoors
chfn — root shell if rootkit password is entered in as new full name.
chsh — root shell if rootkit password is entered as new shell.
passwd — root shell if rootkit password is entered as current password.
login — will allow the cracker to log in under any username with the rootkit password. If root logins are refused, user rewt will work. It also disables history logging.
Trojaned Network Daemons
inetd — root shell listening on port rfe (5002). After connection, the rootkit password must be entered in as the first line.
rshd — trojaned so that if the username is the rootkit password, a root shell is bound to the port (i.e. rsh [hostname] -l [rootkit password]).
fix — installs a trojaned program (e.g., ls) with the same timestamp and checksum information.
linsniffer — a network sniffer for Linux.
sniffchk — checks to make sure a sniffer is still running.
wted — wtmp editor. You can modify the wtmp.
z2 — erases entries from wtmp/utmp/lastlog.
bindshell — binds a root shell to a port (port 31337 by default).