exim4 router problems since 2 days / suspicious process "zinit" in pstree

exim4 router problems since 2 days / suspicious process "zinit" in pstree

Thorsten Göllner
Hi,

I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
mails. I always get the message, that the mail is not routeable. I only
used "dpkg-reconfigure exim4-config" without touching one config file by
hand. I detected a log message (panic log) which says, that there was a
"too large message". Since that point exim4 stopped working.

The other point is that pstree reports a process "zinit" I never saw in
the past:
(see last line of output)

# pstree -A
init-+-acpid
      |-apache2---17*[apache2]
      |-atd
      |-cron
      |-exim4
      |-6*[getty]
      |-inetd
      |-mysqld_safe-+-logger
      |             `-mysqld---41*[{mysqld}]
      |-ntpd---ntpd
      |-portmap
      |-python
      |-rpc.statd
      |-rsyslogd---3*[{rsyslogd}]
      |-sensord
      |-smartd
      |-sshd---sshd---sshd---bash---su---bash---pstree
      |-udevd
      `-zinit---{zinit}

I found it here:
# ls -lah /sbin/zinit
-rwxr-x--x 1 root root 1.9M 2008-08-12 16:09 /sbin/zinit

But I do not have any idea what it is. And I can not see the process
with "ps":

# ps aux | grep zinit
root      5125  0.0  0.0   3120   708 pts/0    R+   12:00   0:00 grep zinit

/* output of exim4 test */
===========================
# exim4 -d -bt [hidden email]
Exim version 4.69 uid=0 gid=0 pid=4981 D=fbb95cfd
Berkeley DB: Berkeley DB 4.6.21: (September 27, 2007)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb
dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
changed uid/gid: forcing real = effective
   uid=0 gid=0 pid=4981
   auxiliary group list: <none>
configuration file is /etc/exim4/exim4.conf
log selectors = 00000ffc 00210001
trusted user
admin user
originator: uid=0 gid=0 login=root name=root
sender address = [hidden email]
Address testing: uid=0 gid=103 euid=0 egid=103
 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Testing [hidden email]
 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Considering [hidden email]
 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
routing [hidden email]
no more routers
[hidden email] is undeliverable: Unrouteable address
search_tidyup called
 >>>>>>>>>>>>>>>> Exim pid=4981 terminating with rc=2 >>>>>>>>>>>>>>>>

Do I have a security issue here? Any other idea?

Thank you in advance,
-Thorsten-


--
To UNSUBSCRIBE, email to [hidden email]
with a subject of "unsubscribe". Trouble? Contact [hidden email]
Archive: http://lists.debian.org/4D0B42C5.9040707@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

mailing@securitylabs.it
On 17/12/2010 12:00, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
> mails. I always get the message, that the mail is not routeable. I
> only used "dpkg-reconfigure exim4-config" without touching one config
> file by hand. I detected a log message (panic log) which says, that
> there was a "too large message". Since that point exim4 stopped working.
>

Have you upgraded the exim package to the latest version?

http://www.debian.org/security/2010/dsa-2131


Archive: http://lists.debian.org/4D0B45AD.5070302@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Vladislav Kurz
In reply to this post by Thorsten Göllner
On Friday 17 of December 2010, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
> mails. I always get the message, that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching one config file by
> hand. I detected a log message (panic log) which says, that there was a
> "too large message". Since that point exim4 stopped working.

The last exploit of exim4 is based on too large messages causing buffer
overflows that can lead to root privileges. (Sorry for the simplification; full
details are on the exim mailing list.)
 
> The other point is that pstree reports a process "zinit" I never saw in
> the past:
>
> <snip>
>
> But I do not have any idea what it is. And I can not see the process
> with "ps":
>

If pstree shows zinit and ps does not, it might mean that you are already
rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide
the presence of rootkit named zinit.

> Do I have a security issue here? Any other idea?

IMHO yes, you have a security issue.

--
Regards
        Vladislav Kurz


Archive: http://lists.debian.org/201012171235.51130.vladislav.kurz@...
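The observation above (pstree, which walks /proc itself, shows a process that ps does not) is a classic cross-view check. The script below, an added example and not something posted in the thread, makes the check explicit: it builds the list of process names straight from /proc, builds it again through the ps binary, and prints whatever only the /proc view contains. The function names, the constructed sample listings and the `demo`/`live` switch are all mine; the `/proc/<pid>/status` "Name:" field is used rather than `/proc/<pid>/comm` because the latter does not exist on the 2.6.26 kernel lenny shipped.

```shell
#!/bin/sh
# Added example, not code from the thread: a cross-view check for hidden
# processes. pstree reads /proc directly; ps goes through the procps binary
# and the libraries it links. If the two views disagree, whatever sits
# between them (a trojaned ps, a preloaded library) is the suspect.

# hidden_procs PROC_VIEW PS_VIEW
#   Both files hold one process name per line. Prints, sorted and
#   de-duplicated, the names present in PROC_VIEW but absent from PS_VIEW.
hidden_procs() {
    tmp=$(mktemp -d)
    sort -u "$1" >"$tmp/proc"
    sort -u "$2" >"$tmp/ps"
    comm -23 "$tmp/proc" "$tmp/ps"
    rm -rf "$tmp"
}

# live_proc_view: names read straight from /proc/<pid>/status ("Name:"),
# which exists on old kernels too (/proc/<pid>/comm needs 2.6.33+).
live_proc_view() {
    for d in /proc/[0-9]*; do
        [ -r "$d/status" ] && sed -n 's/^Name:[[:space:]]*//p' "$d/status"
    done
    return 0
}

# live_ps_view: the same names as reported by the ps binary.
live_ps_view() {
    ps -eo comm=
}

# live_check: run the comparison on the machine this script is executed on.
live_check() {
    tmp=$(mktemp -d)
    live_proc_view >"$tmp/proc"
    live_ps_view   >"$tmp/ps"
    hidden_procs "$tmp/proc" "$tmp/ps"
    rm -rf "$tmp"
}

# demo: constructed listings reproducing the symptom from the thread,
# a "zinit" entry that the /proc walk sees and a filtered ps does not.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' init acpid apache2 cron exim4 sshd bash zinit >"$tmp/proc"
    printf '%s\n' init acpid apache2 cron exim4 sshd bash       >"$tmp/ps"
    hidden_procs "$tmp/proc" "$tmp/ps"      # prints: zinit
    rm -rf "$tmp"
}

case "${1:-demo}" in
    live) live_check ;;
    *)    demo ;;
esac
```

Run it with `live` on a suspect host and repeat a few times: names that appear once and vanish are just short-lived processes (including the `sed` and `ps` of the check itself), while a name that is stable in the /proc view and never in ps is what this thread was about. The check only catches a tampered userland: a rootkit that hooks the kernel's directory listing hides from both views, which is the "some system call that is used by ps" case Vladislav raises later in the thread, and is why the thread's eventual advice is to boot clean media and reinstall.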

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Carlos Alberto Lopez Perez
In reply to this post by Thorsten Göllner
On 12/17/2010 12:00 PM, Thorsten Göllner wrote:

> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
> mails. I always get the message, that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching one config file by
> hand. I detected a log message (panic log) which says, that there was a
> "too large message". Since that point exim4 stopped working.
>
> The other point is that pstree reports a process "zinit" I never saw in the
> past:
> (see last line of output)
>
> # pstree -A
> init-+-acpid
>      |-apache2---17*[apache2]
>      |-atd
>      |-cron
>      |-exim4
>      |-6*[getty]
>      |-inetd
>      |-mysqld_safe-+-logger
>      |             `-mysqld---41*[{mysqld}]
>      |-ntpd---ntpd
>      |-portmap
>      |-python
>      |-rpc.statd
>      |-rsyslogd---3*[{rsyslogd}]
>      |-sensord
>      |-smartd
>      |-sshd---sshd---sshd---bash---su---bash---pstree
>      |-udevd
>      `-zinit---{zinit}
>
> I found it here:
> # ls -lah /sbin/zinit
> -rwxr-x--x 1 root root 1.9M 2008-08-12 16:09 /sbin/zinit
>
> But I do not have any idea what it is. And I can not see the process with
> "ps":
>
> # ps aux | grep zinit
> root      5125  0.0  0.0   3120   708 pts/0    R+   12:00   0:00 grep zinit
>

Try first to identify the package the file belongs to:

# dpkg -S /sbin/zinit

If no package is found then most probably your machine was compromised
(using the exim exploit [1]) and you should delete the zinit file
immediately and do a detailed audit of your machine's security.

You can check whether zinit is listening on any port:

# netstat -anp | grep zinit

And try to connect to the port with telnet/netcat to see what is happening
there.


If the file belongs to a package then you can check the integrity of the
file with debsums

# debsums packagename


----------
[1] http://seclists.org/fulldisclosure/2010/Dec/222


Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Carlos Alberto Lopez Perez
In reply to this post by Vladislav Kurz
On 12/17/2010 12:35 PM, Vladislav Kurz wrote:

> On Friday 17 of December 2010, Thorsten Göllner wrote:
>> Hi,
>>
>> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
>> mails. I always get the message, that the mail is not routeable. I only
>> used "dpkg-reconfigure exim4-config" without touching one config file by
>> hand. I detected a log message (panic log) which says, that there was a
>> "too large message". Since that point exim4 stopped working.
>
> The last exploit of exim4 is based on too large messages causing buffer
> overflows that can lead to root privileges. (Sorry for the simplification; full
> details are on the exim mailing list.)
>  
>> The other point is that pstree reports a process "zinit" I never saw in
>> the past:
>>
>> <snip>
>>
>> But I do not have any idea what it is. And I can not see the process
>> with "ps":
>>
>
> If pstree shows zinit and ps does not, it might mean that you are already
> rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide
> the presence of rootkit named zinit.
Good point.

Try to check the md5sum of ps:

# apt-get install debsums
# debsums procps

>
>> Do I have a security issue here? Any other idea?
>
> IMHO yes, you have a security issue.
>



RE: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Paul Stewart-2
In reply to this post by Vladislav Kurz
I have a question related to this security announcement and hope it's
appropriate to ask here...

I just recently installed a couple of machines with Debian 5 using
netinstall.  They are running Exim which reports as 4.69 in the banner.

I have run aptitude update/upgrade and am not seeing anything new for Exim - am
I safe to assume I'm up to date and not vulnerable to this security issue?
Sorry, just started using Debian - been at least 5 years since I ran it and
wanted to make sure....

Thanks,
Paul


Archive: http://lists.debian.org/002a01cb9de3$00f14520$02d3cf60$@org

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Vladislav Kurz
In reply to this post by Carlos Alberto Lopez Perez
On Friday 17 of December 2010, Carlos Alberto Lopez Perez wrote:

> On 12/17/2010 12:35 PM, Vladislav Kurz wrote:
> > On Friday 17 of December 2010, Thorsten Göllner wrote:
> >> Hi,
> >>
> >> The other point is that pstree reports a process "zinit" I never saw in
> >> the past:
> >>
> >> <snip>
> >>
> >> But I do not have any idea what it is. And I can not see the process
> >
> >> with "ps":
> > If pstree shows zinit and ps does not, it might mean that you are already
> > rooted (owned, hacked, cracked, etc), and your ps binary was modified to
> > hide the presence of rootkit named zinit.
>
> Good point.
>
> Try to check the md5sum of ps:
>
> # apt-get install debsums
> # debsums procps
>

just for reference - md5sum of /bin/ps on i386/lenny
(checked from freshly downloaded package)

a6094706266c8ec3b068cf964824afee  /bin/ps

--
Regards
        Vladislav Kurz


Archive: http://lists.debian.org/201012171317.52933.vladislav.kurz@...

RE: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Eduardo M KALINOWSKI-4
In reply to this post by Paul Stewart-2
On Sex, 17 Dez 2010, Paul Stewart wrote:
> I have a question related to this security announcement and hope it's
> appropriate to ask here...

This list is for it, but you should have started a new thread instead  
of hijacking an existing one.

> I just recently installed a couple of machines with Debian 5 using
> netinstall.  They are running Exim which reports as 4.69 in the banner.
>
> I have run aptitude update/upgrade and not seeing anything new for Exim - am
> I safe to assume I'm up to date and not vulnerable to this security issue?
> Sorry, just started using Debian - been at least 5 years since I ran it and
> wanted to make sure....

Make sure you are running version 4.69-9+lenny1 (of the package, not  
the banner). This version has the patch to fix the issue.


--
The fact that boys are allowed to exist at all is evidence of a remarkable
Christian forbearance among men.
                -- Ambrose Bierce

Eduardo M KALINOWSKI
[hidden email]


Archive: http://lists.debian.org/20101217104346.44387kgc16pjv3ls@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Vladislav Kurz
In reply to this post by Paul Stewart-2
On Friday 17 of December 2010, Paul Stewart wrote:

> I have a question related to this security announcement and hope it's
> appropriate to ask here...
>
> I just recently installed a couple of machines with Debian 5 using
> netinstall.  They are running Exim which reports as 4.69 in the banner.
>
> I have run aptitude update/upgrade and not seeing anything new for Exim -
> am I safe to assume I'm up to date and not vulnerable to this security
> issue? Sorry, just started using Debian - been at least 5 years since I
> ran it and wanted to make sure....

If you have enabled the security updates repository then you should be OK.
Check your /etc/apt/sources.list if it contains this line:

deb http://security.debian.org/ lenny/updates main contrib non-free

And check version of exim4 using "dpkg -l exim*". It should be: 4.69-9+lenny1.

--
Regards
        Vladislav Kurz


Archive: http://lists.debian.org/201012171345.33508.vladislav.kurz@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Thorsten Göllner
In reply to this post by Thorsten Göllner

On 17.12.2010 14:01, Vladislav Kurz wrote:

> On Friday 17 of December 2010, you wrote:
>> On 17.12.2010 13:49, Vladislav Kurz wrote:
>>> On Friday 17 of December 2010, you wrote:
>>>> On 17.12.2010 13:17, Vladislav Kurz wrote:
>>>>> On Friday 17 of December 2010, Carlos Alberto Lopez Perez wrote:
>>>>>> On 12/17/2010 12:35 PM, Vladislav Kurz wrote:
>>>>>>> On Friday 17 of December 2010, Thorsten Göllner wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> The other point is that pstree reports a process "zinit" I never saw
>>>>>>>> in the past:
>>>>>>>>
>>>>>>>> <snip>
>>>>>>>>
>>>>>>>> But I do not have any idea what it is. And I can not see the process
>>>>>>>> with "ps":
>>>>>>> If pstree shows zinit and ps does not, it might mean that you are
>>>>>>> already rooted (owned, hacked, cracked, etc), and your ps binary was
>>>>>>> modified to hide the presence of rootkit named zinit.
>>>>>> Good point.
>>>>>>
>>>>>> Try to check the md5sum of ps:
>>>>>>
>>>>>> # apt-get install debsums
>>>>>> # debsums procps
>>>>> just for reference - md5sum of /bin/ps on i386/lenny
>>>>> (checked from freshly downloaded package)
>>>>>
>>>>> a6094706266c8ec3b068cf964824afee  /bin/ps
>>>> Thanks! My package matches.
>>> Hmm, that's strange, cause if it's hacked, it shouldn't match.
>>> Maybe even md5sum is hacked.
>>>
>>> Please download procps, and md5sum on some clean computer, get them on
>>> the problem machine, preferably on CD or some other non-writable media
>>> and run those clean binaries.
>>>
>>> Or if you can take your server down, reboot from any live-CD and check
>>> md5sums again, using md5sum from live-cd.
>> Uh! OK, I do not really have a chance to access the box now (too far
>> away). Could you give me this from your box?
>> # shasum /bin/ps
>> 234bba6212ca0cee9718bd74316d7c81e5e0b570  /bin/ps
> its the same:
> 234bba6212ca0cee9718bd74316d7c81e5e0b570  /bin/ps
>
> hmmmm, maybe the rootkit did not modify ps, but some system call that is used
> by ps. Is it still so that "ps ax" does not show zinit and pstree does? what
> about top?
>
I removed /sbin/zinit and did a reboot. The process is gone and I can
not find out more about it now, sorry.

So my "big" last critical question is "Shall I reinstall?":
- /usr/bin/md5sum seems to be OK
- all installed packages are checked via debsums (maybe the local
md5 database has been manipulated? Can I update this database via dpkg?)
- zinit is gone
- no suspicious listening process can be found. A portscan is fine.
- /etc/passwd is ok
- Passwords were changed
- iptables -L is fine
- chkrootkit is fine (running from running system NOT from LiveCD)

Hard to say ...




Archive: http://lists.debian.org/4D0B627F.4070501@...
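Carlos's `debsums packagename` check earlier in the thread and Thorsten's question just above (what if the local md5 database was manipulated?) are two sides of the same mechanism. debsums compares files against `/var/lib/dpkg/info/<pkg>.md5sums`, a list that lives on the very host being checked. The script below, an added example rather than anything posted in the thread, reproduces that check with plain `md5sum -c` on a constructed directory tree and shows why the answer to Thorsten's question is "yes, and then the check passes anyway": once the attacker has root, a rewritten binary and a refreshed local list agree with each other, and only a reference list taken from clean media (as Vladislav did, from a freshly downloaded package) still exposes the change. The directory layout, file contents and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: file-integrity verification
# against an md5sums list, in the style of debsums, plus a demonstration
# of why the list must come from trusted media.

# make_reference_list DIR OUT
#   Record the md5 of every regular file below DIR, paths relative to DIR,
#   in the format "md5sum -c" reads (same layout as dpkg's .md5sums files).
make_reference_list() {
    ( cd "$1" && find . -type f -exec md5sum {} + | sort ) >"$2"
}

# verify_tree DIR LIST
#   Return 0 when every file named in LIST matches its recorded hash,
#   1 otherwise. LIST must be an absolute path because we cd into DIR.
verify_tree() {
    ( cd "$1" && md5sum -c "$2" >/dev/null 2>&1 )
}

# demo: constructed scenario mirroring the thread. The "host" is a temp
# directory; the attacker replaces bin/ps and, having root, regenerates
# the host's own md5 list. The copy kept off-host is left untouched.
demo() {
    root=$(mktemp -d)     # stand-in for the suspect host's filesystem
    trusted=$(mktemp)     # reference list kept on clean media, off the host
    local_list=$(mktemp)  # stand-in for the host's /var/lib/dpkg/info list
    mkdir -p "$root/bin"
    printf 'constructed stand-in for the original ps binary\n' >"$root/bin/ps"
    make_reference_list "$root" "$trusted"
    make_reference_list "$root" "$local_list"

    # Compromise: binary replaced and the on-host list refreshed to match.
    printf 'constructed stand-in for a trojaned ps binary\n' >"$root/bin/ps"
    make_reference_list "$root" "$local_list"

    if verify_tree "$root" "$local_list"; then l=ok; else l=MISMATCH; fi
    if verify_tree "$root" "$trusted";    then t=ok; else t=MISMATCH; fi
    rm -rf "$root" "$trusted" "$local_list"
    echo "local=$l trusted=$t"      # prints: local=ok trusted=MISMATCH
}

demo
```

The practical consequence is the one the thread converges on: a clean debsums run on a possibly rooted box proves little by itself. Generate the reference list on another machine from a freshly downloaded .deb of the same version and architecture, carry it over on read-only media, and run `md5sum`, `find` and `sort` from that media or from a live CD too, since those binaries are on the suspect host as well.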

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Michael Cassano-2

> So my "big" last critical question is "Shall I reinstall?":


Why not reinstall?  What if something is hiding that you forgot to check?  What if your binaries are modified in a way that it's making it hard for you to guarantee they aren't modified?

No question, reinstall.

Mike

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Izak Burger
> No question, reinstall.

I agree, this is a root exploit, and once you have root you can pretty
much hide anything you want.

On a side note, the patch even applies cleanly on older versions of
exim (such as 4.63), so if you're stuck with an older exim for
whatever reason (like I am), it's easy enough to patch.

Cheers,
Izak


Archive: http://lists.debian.org/AANLkTik182-iXdK44Nzm083z+hA2cDjpbCDx7rOwhx49@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Thorsten Göllner


On 17.12.2010 14:26, Izak Burger wrote:

>> No question, reinstall.
> I agree, this is a root exploit, and once you have root you can pretty
> much hide anything you want.
>
> On a side note, the patch even applies cleanly on older versions of
> exim (such as 4.63), so if you're stuck with an older exim for
> whatever reason (like I am), it's easy enough to patch.
>
> Cheers,
> Izak
>

You are (both) right. I will reinstall.

Thank you all for your help!


Archive: http://lists.debian.org/4D0B692B.2000104@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Scott Edwards
>> I agree, this is a root exploit, and once you have root you can pretty
>> much hide anything you want.

>>>
>>> No question, reinstall.

Depending on your scope,
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html still
has some value.  It sounds as though you'll probably be fine with a
reinstall (nuke from orbit, of trusted media).

If you use anything from backups, be cautious of any content after any
trusted time. Eg, when you know it wasn't an issue, not just think it
wasn't an issue. You don't want to introduce a weakness the attacker
left some place else (like a database password, misc settings, etc).

Good luck :)

Scott.


Archive: http://lists.debian.org/AANLkTik7+iHfwVFG1VMQfv2q+KBkiw+HGTNfMptvVtyV@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Izak Burger
In reply to this post by Thorsten Göllner
On Fri, Dec 17, 2010 at 3:44 PM, Thorsten Göllner <[hidden email]> wrote:
> Your are (both) right. I will reinstall.

What would be really nice though, is if you could do some kind of
post-mortem. I am always curious to know the techniques of the
black-hats, makes for nice war-stories around the camp fire :-)

Unfortunately the incidents I know are rather simple: Weak password
that led to someone installing an irc bouncer, which he renamed to
"bash" so that it would not look out of place in a process listing,
and a bug in a php-based webhosting package that allowed some turkish
hackers to deface a bunch of websites. Nothing exciting ...


Archive: http://lists.debian.org/AANLkTinc3tak5XFaha+YHynv0B9-eYai=fHvPfvd63L5@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Thomas Krichel
  Izak Burger writes

> Nothing exciting ...

  If you need excitement come over here. I had a box infected
  by the DSA-2131 vulnerability. It wouldn't reinstall psutils,
  griping about not having permission to cp /bin/ps or something.
  I copied chattr from another box, nebka, with the same architecture.

  Then I did

chattr -sia /bin/ps ; scp root@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps

  for every binary (here ps) that procps successively complained
  it could not install. This solved the issue after a whole
  bunch of iterations.


  Cheers,

  Thomas Krichel                    http://openlib.org/home/krichel
                                http://authorclaim.org/profile/pkr1
                                               skype: thomaskrichel


Archive: http://lists.debian.org/20101218135042.GA11706@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Andrew McGlashan
Thomas Krichel wrote:
> chattr -sia /bin/ps ; scp root@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps

So, in effect, did you possibly give away your root password or pass
phrase key for the nebka machine?

I wouldn't be that trusting, you already know you were compromised --
best to re-install clean if you ask me.

In the Windows world, my advice is the same, no matter how well you
clean things, there is always the possibility that something nasty will
remain undetected; it isn't worth that risk IMHO.

Cheers

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


Archive: http://lists.debian.org/4D0CBDDD.2060001@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Thomas Krichel
  Andrew McGlashan writes

> Thomas Krichel wrote:
> >chattr -sia /bin/ps ; scp root@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps
>
> So, in effect, did you possibly give away your root password or pass
> phrase key for the nebka machine?

  Yup. After killing the "dropbear" process.

> I wouldn't be that trusting,

  I wouldn't be either, but what is a man who is
  not a security expert to do?

> you already know you were compromised
> -- best to re-install clean if you ask me.

  yeah, but I have no physical access to the infected
  box and must keep its data. I reinstalled all the
  packages. psutils was the one that got aptitude
  stymied.


  Cheers,

  Thomas Krichel                    http://openlib.org/home/krichel
                                http://authorclaim.org/profile/pkr1
                                               skype: thomaskrichel


Archive: http://lists.debian.org/20101218140403.GA11875@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Andrew McGlashan
Thomas Krichel wrote:
>   Andrew McGlashan writes
>
>> Thomas Krichel wrote:
>>> chattr -sia /bin/ps ; scp root@nebka:/usr/bin/ps /usr/bin/ps ; sudo apt-get -y install --reinstall procps
>> So, in effect, did you possibly give away your root password or pass
>> phrase key for the nebka machine?
>
>   Yup. After killing the "dropbear" process.

Perhaps it would have been better to work from a non-infected
machine; do the scp of such files .... or better still just back up the data.

nebka:# scp -p /usr/bin/ps root@infected-machine:/usr/bin/ps

and/or

nebka:# scp -pr /saved-data-dir root@infected-machine:/data-dir

rsync might be an option too...

Perhaps even use a live-cd or work in a chroot to offer as much
protection as possible for the non-infected machine.

You've also got to hope that scp or any other programs/binaries you rely
on themselves aren't infected on the compromised machine in a way that
might cause further issues.

>> I wouldn't be that trusting,
>
>   I wouldn't be either, but what is a man who is
>   not a security expert to do?
>
>> you already know you were compromised
>> -- best to re-install clean if you ask me.
>
>   yeah, but I have no physical access to the infected
>   box and must keep its data. I reinstalled all the
>   packages. psutils was the one that got aptitude
>   stymied.

If you have no physical access, do you have a way to nuke and
re-install?  Is it VPS or similar?

Something I've discovered as a really good feature of HP's iLO is the
ability to mount an ISO from a local / trusted source and boot a machine
remotely using the virtually mounted CD/DVD -- that gives you a whole
new level of access without the need for actual physical access.  You
can work with a console remotely too in this case.  Once it is running,
you could install ssh server, set a password and use it in a more
traditional way.  Of course, it won't help if the machine doesn't have
iLO or is a VPS itself -- but there might be similar methods with a VPS.

Oh and HP's iLO might need an "advanced" license for virtual media to
work, not sure about that yet.  I picked up a nice DL380 G4 with the
advanced iLO license already installed.

Cheers

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


Archive: http://lists.debian.org/4D0CC44E.7050002@...

Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree

Andrew McGlashan
Andrew McGlashan wrote:
> nebka:# scp -pr /saved-data-dir root@infected-machine:/data-dir

Umm, correction....

scp -pr root@infected-machine:/data-dir /saved-data-dir

> Oh and HP's iLO might need an "advanced" license for virtual media to
> work, not sure about that yet.  I picked up a nice DL380 G4 with the
> advanced iLO license already installed.

Yep, the virtual media is an advanced license feature, just looked up
the manuals (PDF search).  Sure is handy though.

Cheers

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP


Archive: http://lists.debian.org/4D0CC70B.70401@...
