Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


311 posts

Ultimate Geek
+1 received by user: 3


Topic # 57196 5-Feb-2010 14:25
Send private message

Hi,


I have a server that has been hacked and it's running a perl irc bot.
I know the PID but ps gives a forged program name and top shows only perl.
I tried running ps to show child/parent relationships but that program shows no parent.


lsoff shows only dependend libraries that perl opened, netstat -antlp shows the forged program name.
/proc/$PID shows only perl and nothing relevant.


Any ideas on how to find it? I searched for all possible queries on google but I'm running out of ideas.


clamav doesn't detect anything.


Thanks.

Create new topic
854 posts

Ultimate Geek
+1 received by user: 53

Subscriber

  Reply # 296454 5-Feb-2010 16:36
Send private message

You wont be able to rely on anything (possibly even the kernel itself).

My own response would be to power the server down, fresh install on a separate drive then mount the original drive elsewhere and go from there. Other-ways involve using a live CD to do similar.

Basically you need to treat all your binary programs as untrustworthy "ps" itself is probably modified to hide the processes so first step would be to re-install it from a trust worthy source e.g. in debian procps is the package that contains "ps" so I would re-install that. Once you get your "core" utilities from a reliable source, run a root kit detection utility like rkhunter, chkrootkit and let that scan your system and take care of any nasties you find.

Personally I wouldn't trust any system without a fresh install once I think it may have been compromised.



311 posts

Ultimate Geek
+1 received by user: 3


  Reply # 296455 5-Feb-2010 16:44
Send private message

I am aware of that, however, I believe that the program name was changed by simply modifying the argv[0] on the perl script.

It's very similar to this: http://www.hackinglinuxexposed...

However, my lsof lists only:

# lsof -p 22508
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
perl 22508 root cwd DIR 104,2 4096 2 /
perl 22508 root rtd DIR 104,2 4096 2 /
perl 22508 root txt REG 104,2 1061668 1494423 /usr/bin/perl
perl 22508 root mem REG 0,0 0 [heap] (stat: No such file or directory)
perl 22508 root mem REG 104,2 67364 5423190 /lib/tls/i686/cmov/libresolv-2.3.6.so
perl 22508 root mem REG 104,2 17840 5423183 /lib/tls/i686/cmov/libnss_dns-2.3.6.so
perl 22508 root mem REG 104,2 38372 5423184 /lib/tls/i686/cmov/libnss_files-2.3.6.so
perl 22508 root mem REG 104,2 19764 1511474 /usr/lib/perl/5.8.8/auto/Socket/Socket.so
perl 22508 root mem REG 104,2 21868 5423175 /lib/tls/i686/cmov/libcrypt-2.3.6.so
perl 22508 root mem REG 104,2 1241392 5423172 /lib/tls/i686/cmov/libc-2.3.6.so
perl 22508 root mem REG 104,2 89370 5423189 /lib/tls/i686/cmov/libpthread-2.3.6.so
perl 22508 root mem REG 104,2 145136 5423177 /lib/tls/i686/cmov/libm-2.3.6.so
perl 22508 root mem REG 104,2 9592 5423176 /lib/tls/i686/cmov/libdl-2.3.6.so
perl 22508 root mem REG 104,2 15640 1511482 /usr/lib/perl/5.8.8/auto/IO/IO.so
perl 22508 root mem REG 104,2 88164 5406841 /lib/ld-2.3.6.so
perl 22508 root 0u CHR 136,0 2 /dev/pts/0 (deleted)
perl 22508 root 1u CHR 136,0 2 /dev/pts/0 (deleted)
perl 22508 root 2u CHR 136,0 2 /dev/pts/0 (deleted)

Also, in /proc/$PID/fd there are only 3 /dev/pts blocks, so nothing relevant.

It's not my server, I'm just trying to help somebody that wants more information before restoring the OS.

So, if we leave the "hacking" thing aside, let's say you have a perl script that changes it's name with argv[0].

How do you track it down? Assuming the system is legit and clean.

$ perl -e '$0 = "Fake command line"; system "ps -f $$"'
UID PID PPID C STIME TTY STAT TIME CMD
arioch 24403 24126 0 09:59 tty4 S 0:00 Fake command line

Cheers.

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Cove sells NZ's first insurance policy via chatbot
Posted 25-Jun-2018 10:04


N4L helping TAKA Trust bridge the digital divide for Lower Hutt students
Posted 18-Jun-2018 13:08


Winners Announced for 2018 CIO Awards
Posted 18-Jun-2018 13:03


Logitech Rally sets new standard for USB-connected video conference cameras
Posted 18-Jun-2018 09:27


Russell Stanners steps down as Vodafone NZ CEO
Posted 12-Jun-2018 09:13


Intergen recognised as 2018 Microsoft Country Partner of the Year for New Zealand
Posted 12-Jun-2018 08:00


Finalists Announced For Microsoft NZ Partner Awards
Posted 6-Jun-2018 15:12


Vocus Group and Vodafone announce joint venture to accelerate fibre innovation
Posted 5-Jun-2018 10:52


Kogan.com to launch Kogan Mobile in New Zealand
Posted 4-Jun-2018 14:34


Enable doubles fibre broadband speeds for its most popular wholesale service in Christchurch
Posted 2-Jun-2018 20:07


All or Nothing: New Zealand All Blacks arrives on Amazon Prime Video
Posted 2-Jun-2018 16:21


Innovation Grant, High Tech Awards and new USA office for Kiwi tech company SwipedOn
Posted 1-Jun-2018 20:54


Commerce Commission warns Apple for misleading consumers about their rights
Posted 30-May-2018 13:15


IBM leads Call for Code to use cloud, data, AI, blockchain for natural disaster relief
Posted 25-May-2018 14:12


New FUJIFILM X-T100 aims to do better job than smartphones
Posted 24-May-2018 20:17



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.