Old 02-07-2011, 05:47 PM
cornel panceac
 
Is there a Centos 3 around?

2011/2/7 Nicolas Ross <rossnick-lists@cybercat.ca>

md5sum has been tampered with also... It returns the expected values, but a
md5sum program I took elsewhere was returning another value...


Not all md5sum programs are the same; check several programs before deciding what's next.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-07-2011, 06:35 PM
Tru Huynh
 
Is there a Centos 3 around?

On Mon, Feb 07, 2011 at 01:06:56PM -0500, Nicolas Ross wrote:
> Hi !
>
> I think one of my machines got hacked, but I can figure out from where...
>
> I found some suspicious files in the /bin and /usr/bin directories that are owned
> by user id 122, where this machine doesn't have a userid 122.
>
> So, does anyone have a centos 3.9 install around that can send me the info
> about (filesize, md5, modification date) these files:

3.9 is still available on all the mirrors, you can rpm2cpio and compare
(watch out for prelinked files) or try the rpm --verify flag (if the
rpm database is not modified).

Tru
--
Tru Huynh (mirrors, CentOS i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
 
Old 02-07-2011, 06:39 PM
"Nicolas Ross"
 
Is there a Centos 3 around?

> On 02/07/11 10:06 AM, Nicolas Ross wrote:
>> I found some suspicious files in the /bin and /usr/bin directories that are
>> owned
>> by user id 122, where this machine doesn't have a userid 122.
>>
>
> oh. get and run rkhunter. preferably do it on read only media via
> another system.

Ok, good tool, and good call...

I took the chance to run it from that machine. So, it found some
suspicious files and some parts of some rootkits, SHV5 namely.

So, that machine was scheduled to be replaced soon, so it'll be sooner than
later...

In the meantime, I'll check what I can salvage from the 3.9 repos.

Thanks,

 
Old 02-07-2011, 10:27 PM
Benjamin Smith
 
Is there a Centos 3 around?

On Monday, February 07, 2011 10:21:18 am Nicolas Ross wrote:
> md5sum has been tampered with also... It returns the expected values, but
> a md5sum program I took elsewhere was returning another value...

Once you've been hacked, you can't trust the core utilities (ls /
md5sum / cd / etc.). You can't trust the kernel interfaces that these core utilities
use, nor can you reliably remove the kernel modules used to interfere with
normal operations, since the interfaces within the kernel may themselves be
cloaking the hack-installed kernel modules!

The only way to deal with this scenario and get anything resembling a correct
answer is to mount the drive in userspace, noexec on another, trusted system.
If downtime is a concern you *might* be able to use dd and copy the disk
partition to another drive in the middle of the night and then check out the
drive offline - that would probably work fine.

But realize that until you do this, you can have no trust whatsoever in that
computer, change passwords, delete/change private SSH keys, etc. and anything
you do from here on out will be forensics to:

A) Determine just how far they got in (did they get access to other systems?)

B) Figure out how to best transfer services to a new, updated system and
update security so that the bad guys can't just walk back in with prior
knowledge.

BTW: you should basically NEVER run an EOL'd system, regardless of the O/S. An
unpatched server is pretty much a guaranteed hack incident waiting to
happen.

Good luck!

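An added example (not from the thread or the CentOS project) of the comparison Tru describes and the offline setup Benjamin describes: the pristine 3.9 RPM from a mirror is unpacked with rpm2cpio on a trusted host, and its payload is compared against the suspect filesystem mounted read-only, noexec. The mount point /mnt/suspect and the package file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Runs on a trusted host whose md5sum
# and find are clean; the suspect disk (or a dd image of it) is assumed
# mounted ro,noexec under /mnt/suspect (a hypothetical path).

# Unpack an RPM payload into OUTDIR without installing it.
extract_rpm() {
    mkdir -p "$2" && (cd "$2" && rpm2cpio "$1" | cpio -idm --quiet)
}

# Compare every regular file in REF (extracted payload) with the file of the
# same name in LIVE (suspect tree). Prints MISSING/MISMATCH lines and
# returns 1 if anything differs. Prelinked binaries mismatch even when clean:
# undo prelink on a copy of the suspect file (prelink -u) before trusting a
# MISMATCH on such a file.
compare_tree() {
    ref="$1"; live="$2"; bad=0
    for f in "$ref"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$live/$name" ]; then
            echo "MISSING $name"; bad=1; continue
        fi
        a=$(md5sum < "$f" | cut -d' ' -f1)
        b=$(md5sum < "$live/$name" | cut -d' ' -f1)
        [ "$a" = "$b" ] || { echo "MISMATCH $name"; bad=1; }
    done
    return $bad
}

# List files under DIR whose owner uid has no entry in the trusted host's
# passwd file, the uid-122 symptom Nicolas reported (-nouser is a standard
# find test).
orphan_owned() {
    find "$1" -xdev -nouser -print
}

# Typical run on the trusted host (not executed here; PKG.rpm is a placeholder):
#   extract_rpm PKG.rpm /tmp/ref
#   compare_tree /tmp/ref/bin /mnt/suspect/bin
#   orphan_owned /mnt/suspect/bin
# The rpm --verify route Tru mentions depends on the suspect host's rpm
# database being intact; the payload comparison above does not.
```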
 
Old 02-07-2011, 11:00 PM
JohnS
 
Is there a Centos 3 around?

On Mon, 2011-02-07 at 15:27 -0800, Benjamin Smith wrote:

> A) Determine just how far they got in (did they get access to other systems?)

All the bad stuff only resided in Volatile Memory and you Erased it when
you shut down the machine and forgot to copy the Memory.

:-)

John

 
Old 02-08-2011, 01:23 AM
allan
 
Is there a Centos 3 around?

Nicolas,
I agree with John. rkhunter is your friend!
I set up all my servers to run nightly with weekly updates.
Peace,
Allan

John R Pierce wrote:
> On 02/07/11 10:06 AM, Nicolas Ross wrote:
>> I found some suspicious files in the /bin and /usr/bin directories that are owned
>> by user id 122, where this machine doesn't have a userid 122.
>>
>
> oh. get and run rkhunter. preferably do it on read only media via
> another system.