Subject: Re: system possibly compromised
To: None <rgfisch@excite.com, netbsd-help@netbsd.org>
From: Gary Thorpe <gathorpe79@yahoo.com>
List: netbsd-help
Date: 02/24/2004 17:17:27
--- Roger Fischer <rgfisch@excite.com> wrote:
> How can I determine if a root-kit has been installed or my system has
> been compromised in some other way?
> My ISP sent me an email about spam coming from my IP address, and I
> also got some emails about mail that could not be delivered (that I
> had not sent).
>
> My ipf firewall only has ports 22 and 25 open.
> The processes that have me concerned are:
>
> 13252 296 296 9a1f80 0 I ?? 0:00.01 /USR/SBIN/CRON (cron)
> 13255 13252 13255 a10180 0 ZW ?? 0:00.00 (sh)
> 13266 13252 296 9a1f80 0 I ?? 0:00.07 sendmail -FCronDaemon -odi -oem -oi -or0s -t
> 13268 13266 296 9a1f80 0 I ?? 0:00.05 postdrop process_name
>
> When I try to kill 13255 or 13266 I get a message that the process
> does not exist.
> I finally killed 13252 which killed the rest.
>
> I did a find looking for a CRON (in caps) and turned up nothing.
> I've looked for hidden directories and haven't found anything.
>
> If somebody has been in here, what's the best way to recover?
> NetBSD 1.6.1, i386. Full process list is below.
>
> thanks,
> - rgf
> =================
..
> root 296 1 296 9a1f80 0 Ss ?? 0:12.49 /usr/sbin/cron
> root 13252 296 296 9a1f80 0 I ?? 0:00.01 /USR/SBIN/CRON (cron)
Somebody has probably already pointed this out: it seems the fake cron
is started from the real one, so the kit probably involves your real
crontab. The name of the executable displayed can be changed I think,
so it won't be so straightforward. However, you can start with the
crontab(s) or the cron executable itself.
You can be sure something like a root kit is installed, because NetBSD
(or most unixes) will not by default create directories with uppercase
e.g. /USR/SBIN won't exist unless you go out of your way to create it.
Preventing it is too late, so I hope others can suggest other ways to
find the kit's components.
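Gary's concrete suggestion is to start from the crontabs and the cron executable. As an added example (not part of this thread, and not NetBSD's own tooling), the script below does both checks: it parses crontab(5) entries, both the system crontab with its user field and an ordinary user's `crontab -l` output, and flags jobs whose program lives in a temp or hidden directory, outside the standard system directories, or has an unusual path; and it compares a binary against a known-good SHA-256 digest. The crontab contents are constructed samples, including the deliberately suspicious entries, and the known-good digest is assumed to come from trusted install media or a clean peer system, never from the host under suspicion. One caveat for interpreting the ps output above: Vixie cron, which NetBSD shipped, deliberately upshifts its own program name while it runs a job, so the uppercase `/USR/SBIN/CRON` name by itself is not conclusive; what the job actually runs is what matters.

```python
"""Audit crontab entries and verify the cron binary after a suspected compromise."""
import hashlib
import os
import re
import shlex
import tempfile

# Assumption: where legitimate jobs on a base NetBSD install normally live.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/libexec/", "/usr/pkg/bin/", "/usr/pkg/sbin/", "/etc/")
# World-writable or device directories: a scheduled program here deserves a look.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/")
ENV_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Constructed sample of /etc/crontab (has a "who" field before the command).
SAMPLE_SYSTEM_CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin
MAILTO=root
#minute hour mday month wday who command
1 3 * * * root /bin/sh /etc/daily 2>&1 | tee /var/log/daily.out | sendmail -t
*/10 * * * * root /tmp/.x/CRON -d 2>/dev/null
"""

# Constructed sample of an ordinary user's crontab (no "who" field).
SAMPLE_USER_CRONTAB = """\
# crontab -l output (constructed sample)
0 2 * * * /home/roger/bin/backup.sh
@reboot /var/tmp/.cache/sync >/dev/null 2>&1
*/15 * * * * date >> /home/roger/ticks
"""


def split_entry(line, system):
    """Return (schedule_fields, command) for a job line, or None for comments,
    blank lines and KEY=value environment settings."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_RE.match(line):
        return None
    # @reboot/@daily take one schedule field; otherwise five. System crontabs add a user field.
    n = (1 if line.startswith("@") else 5) + (1 if system else 0)
    parts = line.split(None, n)
    if len(parts) <= n:
        return None  # malformed or truncated entry
    return parts[:n], parts[n]


def program_of(command):
    """First word of the command string, i.e. the program cron will exec via sh."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        tokens = command.split()
    return tokens[0] if tokens else ""


def assess_program(prog):
    """Reasons an entry deserves review; an empty list means nothing unusual."""
    reasons = []
    if not prog.startswith("/"):
        return ["relative program name, resolved through the crontab PATH"]
    if any(part.startswith(".") for part in prog.split("/") if part):
        reasons.append("hidden path component")
    if prog.startswith(SUSPECT_DIRS):
        reasons.append("lives in a temp or device directory")
    elif not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("outside standard system directories")
    if prog != prog.lower():
        reasons.append("uppercase characters in path")
    return reasons


def audit_crontab(text, system=False):
    """Return [(line_number, program, reasons)] for every entry worth reviewing."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = split_entry(raw, system)
        if entry is None:
            continue
        prog = program_of(entry[1])
        reasons = assess_program(prog)
        if reasons:
            findings.append((lineno, prog, reasons))
    return findings


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def binary_matches(path, known_good_hex):
    """True when the file's digest equals the known-good digest (from trusted media)."""
    return sha256_of(path) == known_good_hex.lower()


def hash_check_demo():
    """Constructed demo: a reference digest accepts the untouched file and
    rejects a modified one. Returns (untouched_ok, tampered_detected)."""
    data = b"constructed stand-in for /usr/sbin/cron\n"
    reference = hashlib.sha256(data).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cron")
        with open(path, "wb") as f:
            f.write(data)
        untouched_ok = binary_matches(path, reference)
        with open(path, "ab") as f:
            f.write(b"\x90")  # simulate a patched binary
        tampered_detected = not binary_matches(path, reference)
    return untouched_ok, tampered_detected


if __name__ == "__main__":
    for label, text, system in (("system", SAMPLE_SYSTEM_CRONTAB, True),
                                ("user", SAMPLE_USER_CRONTAB, False)):
        for lineno, prog, reasons in audit_crontab(text, system):
            print(f"{label} crontab line {lineno}: {prog}: {'; '.join(reasons)}")
    print("hash check (untouched ok, tampered detected):", hash_check_demo())
```

On a real host, feed the script `cat /etc/crontab` and `crontab -l -u <user>` for every account, not just root, since a job can be scheduled under any user whose crontab was writable. The digest comparison is only as good as the reference: take it from install media or a machine you trust, and run the check from a clean boot (live media) rather than from the suspect system, whose `sha256`, `ps` and `find` binaries may themselves have been replaced.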