The Community Forums

Interact with an entire community of cPanel & WHM users!

Trojan Horse Detected

Discussion in 'General Discussion' started by maverick, Mar 19, 2003.

  1. maverick

    maverick Well-Known Member

    Joined:
    Jan 6, 2003
    Messages:
    68
    Likes Received:
    0
    Trophy Points:
    6
    I received this message this morning from root:
    Trojan Horse Detected.
    Hidden Pid detected! [pid xxxx]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/usr/share/locale/pt/sk]

    I ran chkrootkit and it found the following:
    Checking `bindshell'... INFECTED (PORTS: xxx)

    Does anyone know what I can do about this?

    And how is it possible that someone got into my system?

    Any help or suggestions appreciated.

    Mav.
     
  2. ramprage

    Mav do you have Tripwire installed?
    If you do, it has a known issue that gives false warnings for bindshell.
     
  3. maverick

    Not that I'm aware of.

    I deleted the .sniffer and sk files yesterday and restarted the server. It didn't fix the Infected port report.

    I received this message this morning from WHM:
    Trojan Horse Detected
    Hidden Pid detected! [pid xx]
    hidden from ps: [yes]
    hidden from kernel: [yes]
    binary location: [/sbin/init]

    The same port still comes up as infected when I run chkrootkit.

    What can be done to stop this? Nothing malicious has happened yet, but I have to say it's making me nervous...

    Mav.
     
  4. sexy_guy

    You're worrying over nothing. Port 465 is triggering this. Stop the process on port 465 and it will go away. Also, if you are running portsentry you will also get a false positive from this. Start worrying when you see anything other than bindshell appearing.

    If you want to find out what is listening on port 465, install lsof from the Install RPMs screen, then execute this:

    /usr/sbin/lsof -i tcp:465

    You will find the following running:

    stunnel-4 11195 root 6u IPv4 135271035 TCP *:smtps (LISTEN)
    stunnel-4 11277 root 6u IPv4 135271035 TCP *:smtps (LISTEN)

    I don't know why cPanel is running smtps. Anyone using it?
     
    #4 sexy_guy, Mar 20, 2003
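As an added example (not code from the thread or from cPanel), a small POSIX sh script that applies the check sexy_guy describes: look at which process actually owns the LISTEN socket on the port chkrootkit flagged, and only treat the bindshell hit as worth investigating when the listener is not an expected daemon. The lsof lines are a constructed sample based on the output posted above, and the allowlist of daemon names is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a chkrootkit
# "bindshell ... INFECTED (PORTS: 465)" hit deserves attention by looking at
# which process owns the LISTEN socket, as sexy_guy suggests.
# On a live box feed it real output:  /usr/sbin/lsof -nP -i tcp:465 | classify_listing 465

# Constructed sample of the lsof output posted in the thread (stunnel serving smtps).
sample_lsof() {
    cat <<'EOF'
COMMAND     PID USER   FD   TYPE    DEVICE SIZE NODE NAME
stunnel-4 11195 root    6u  IPv4 135271035      TCP *:smtps (LISTEN)
stunnel-4 11277 root    6u  IPv4 135271035      TCP *:smtps (LISTEN)
EOF
}

# Assumed allowlist: daemons expected to own mail/SSL ports on a cPanel box of that era.
EXPECTED_LISTENERS="stunnel-4 exim sendmail"

# Reads lsof lines on stdin. Exit status:
#   0  every LISTEN entry belongs to an expected daemon (benign chkrootkit hit)
#   1  an unexpected command is listening (investigate: bindshell or unknown service)
#   2  nothing listens on the port (the hit has no live listener to explain it)
classify_listing() {
    port=$1
    listeners=$(awk '/\(LISTEN\)/ { print $1 }' | sort -u)
    [ -n "$listeners" ] || { echo "port $port: no LISTEN socket found"; return 2; }
    for cmd in $listeners; do
        case " $EXPECTED_LISTENERS " in
            *" $cmd "*) ;;
            *) echo "port $port: UNEXPECTED listener '$cmd'"; return 1 ;;
        esac
    done
    echo "port $port: only expected daemons listening:" $listeners
    return 0
}

# Stand-alone run against the constructed sample (exit status 0: stunnel is expected).
sample_lsof | classify_listing 465
```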
  5. maverick

    Thanks for the tip.
    Running lsof -i tcp:465
    results in:
    stunnel-4 1187 root 6u IPv4 3126 TCP *:smtps (LISTEN)

    I assume this is normal?

    Perhaps the 465 infected result from chkrootkit isn't related to the activity of the trojan horse?

    I did manage to figure out that the trojan horse that is running on my server is this one (SucKIT):
    http://hysteria.sk/sd/sk/readme

    The server is still running kernel 2.4.18-3, which I presume is vulnerable to this rootkit?

    Does anyone have any bright ideas as to how I could go about figuring out who installed it? I assume it was one of our users?

    Comments welcome...
    Mav.
     
  6. sexy_guy

  7. cpmania

    cpmania Guest

    good reading, but it doesn't say how the file got there to begin with.
     
  8. maverick

    Well we finally resolved this Trojan Horse issue by doing a reinstall of the kernel and the OS. Rather an unpleasant experience altogether, which resulted in some pretty poor service to our customers.

    There were a number of bogus files that we detected about the system (including /sbin/init and /bin/bash), so it seemed that installing fresh was the only way to be certain that we had eliminated the hacker's efforts entirely. We also had other strange behaviour occurring, which we couldn't begin to explain (like Shell becoming accessible via all accounts, regardless of the setting for the account in WHM).

    The vulnerability in our server was the slightly dated kernel (2.4.18-3), which had potential security exploits. We had put off updating the kernel simply because the server was only a couple of months old, and I didn't want to risk jeopardizing it with my minimal experience in such matters. In hindsight of course, I should have just paid an expert to have done it straight away. After what we went through with this, I would urge anyone with a dated kernel to upgrade ASAP.

    Mav.

    PS: We believe the infiltrator was a spammer trying to get access to abuse the server. Not an enemy or someone trying to nuke the system, merely someone wanting to send off 30 million crap emails to briefly bother 30 million people. Sigh.
     
  9. sexy_guy

    Well, the only way to completely eliminate this kind of VULN is to completely restore the OS. Is that what you did? That would have meant that all your user accounts would have gone bye-bye, and with that, a recreation of the sites would have been necessary. If you merely just reinstalled the OS then I'm afraid you may be back at square one.

    A vulnerability has been found in version 2.4.18 of the kernel. This vulnerability makes it possible for local users to gain elevated (root) privileges without authorization. This advisory deals with updates to Red Hat Linux 7.1, 7.2, 7.3, and 8.0.

    Have you looked at your local user doings?
     
    #9 sexy_guy, Mar 31, 2003
  10. maverick

    Yes, we started out with a brand new hard drive, installed the OS and WHM and recreated accounts from backups.

    We have been looking at user doings, but unfortunately it's a near-impossible task with over 300 users on the server.

    Mav.
     
  11. sexy_guy

    Just make sure your kernel is kernel-2.4.18-27.7.x. I'm rebooting all my servers tonight at 1am to upgrade my kernels. I hope everyone else is smart enough to upgrade before someone hijacks your server.
     
  12. Sash

    How is kernel-2.4.18-27.7.x working for you? We installed it on an RH 7.3 system and it caused a bunch of problems, so we had to downgrade to kernel-2.4.18-24.7.x.

    Mike
     
  13. maverick

    We went to 2.4.20 and so far have had no problems. That's on 7.3 - WHM/cPanel 6.2.0 R-18.

    Mav.
     
  14. Sash

    Did you compile from source or did you find an RPM? I could not find an RPM on the Red Hat web site for 2.4.20.

    Mike
     
  15. sexy_guy


    It's been 12 hrs since we rebooted with the new kernel-2.4.18-24.7.x and it seems to be working fine. We run all RH 7.2 boxes on Compaqs, different configurations, and CPU speeds. I did notice a few new things; for example, if you type ps aux or ps afx, the display for httpd and proftpd shows like so:

    nobody 9588 0.0 0.3 3316 1944 ? S 13:28 0:00 [proftpd]
    nobody 9672 0.0 2.3 17504 12128 ? S 13:29 0:00 [httpd]
    nobody 9674 0.0 2.3 17440 11832 ? S 13:29 0:00 [httpd]
    nobody 9675 0.0 2.3 17440 11832 ? S 13:29 0:00 [httpd]
    nobody 9676 0.0 2.3 17440 11832 ? S 13:29 0:00 [httpd]
    nobody 9677 0.0 2.3 17468 11868 ? S 13:29 0:00 [httpd]
    nobody 9682 0.0 2.3 17440 11840 ? S 13:29 0:00 [httpd]
    nobody 9683 0.0 2.3 17440 11832 ? S 13:29 0:00 [httpd]
    root 9693 0.0 0.1 1596 724 ? S 13:30 0:00 [crond]

    Which is much different to any other kernel we've had. No problems so far. :D
     
  16. Sash

    Yea we had the same problems, although the processes looked like that for a bunch of other services.

    Mike
     
  17. sexy_guy

    What kind of problems? Is this a dual Pentium box? Anything below 27.7.x has the local root exploit going, so I would probably upgrade to another kernel if you are having problems, probably compile it from source.
     
  18. Sash

    Hello

    Name, httpd, mysql and chilisoft are all zombied except for the parent process. I don't feel comfortable having those services run that way.

    Does anybody have information on how to compile the kernel by source?

    How come cPanel's kernel check script does not warn us of the vulnerable kernel?

    Thanks
    Mike
     
  19. sexy_guy

    I thought that display was part of the new httpd output!

    Those are not indicating zombies.
     
  20. Sash

    What are they indicating? Why would they appear after a kernel upgrade?

    Mike
     