Re: Security Breach ?
- From: Aleksandar Milivojevic <amilivojevic pbl ca>
- To: For users of Fedora Core releases <fedora-list redhat com>
- Subject: Re: Security Breach ?
- Date: Thu, 03 Mar 2005 13:57:23 -0600
Chris Strzelczyk wrote:
> Hello,
> Upon checking my MRTG stats on a webserver I am running I found my
> traffic to be up considerably and the server
> to be a bit slow. After taking a look at my active connections to
> processes with netstat -nap I found these to be scary:
> tcp 0 0 204.11.33.35:37326 161.53.2.81:6667 ESTABLISHED 16035/-bash
Login shell connected to IRC server? Not likely. Are users allowed to
login to this machine? If they are, it might be some regular user who
installed eggdrop or some similar IRC bot, and named it "-bash" in a
naive attempt to hide it.
To find out who is running it, try out:
ps -ef | grep 16035
Or to see what files the process currently keeps open (might help to
find where the binary is located):
lsof -p 16035
Try to nail down the user who is running it, and contact him to confirm
that he did that. If you can't confirm, or the user is unaware that an IRC
bot is running under his account, chances are somebody broke into the machine.
If users are not allowed to have shell accounts on the machine, most
likely somebody broke into your machine and installed an IRC bot waiting for
remote commands from some IRC channel.
As for rootkit checking tools, they are not always efficient in
detecting rootkits. Especially when kernel modules are used to hide
them. In that case, you might need to boot from a Rescue CD to really see
what you have on the disk... Although, if you are able to see that
"-bash" process with netstat, most likely there's no kernel module
installed (on the other hand, it might be a lousily written module that
doesn't manage to hide everything).
--
Aleksandar Milivojevic <amilivojevic pbl ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
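The triage steps above (spot the connection in netstat -nap, then ps and lsof on the PID to find the owner and the binary) as a script. This is an added example, not code from the thread or from any of its participants: it reads the same facts from /proc that ps and lsof would, flags the case the thread describes (a process that calls itself "-bash" but maps a different executable), and reports a PID that netstat shows but /proc no longer has, which is the "something is hiding" case the reply warns about. The IRC port list, the sample netstat output (the 16035/-bash line mirrors the one reported; the rest is constructed for contrast), the script name and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added triage helper, not part of the original thread. Parses `netstat -nap`
# output for ESTABLISHED TCP connections to common IRC ports and inspects each
# owning PID through /proc: owner, real executable, cwd, cmdline, and whether
# the name netstat shows matches the binary actually running.

# Ports commonly used by IRC servers (assumption; extend for your environment).
IRC_PORTS='6660 6661 6662 6663 6664 6665 6666 6667 6668 6669 7000'

# Constructed sample of `netstat -nap` output. The 16035/-bash line is the one
# from the thread; the other lines are made up so the filter has something to skip.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 204.11.33.35:37326      161.53.2.81:6667        ESTABLISHED 16035/-bash
tcp        0      0 204.11.33.35:80         10.0.0.7:51234          ESTABLISHED 2201/httpd
tcp        0      0 204.11.33.35:40110      192.0.2.9:7000          ESTABLISHED 16035/-bash
tcp        0      0 204.11.33.35:33020      198.51.100.4:6667       TIME_WAIT   -'

# irc_suspects: stdin = netstat -nap output; stdout = "PID name remote" for every
# established TCP connection whose remote port is in IRC_PORTS.
irc_suspects() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) irc[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            port = $5; sub(/.*:/, "", port)           # remote port = text after last colon
            if (port in irc) {
                pid = $7;  sub(/\/.*/, "", pid)        # "16035/-bash" -> "16035"
                name = $7; sub(/^[^\/]*\//, "", name)  # "16035/-bash" -> "-bash"
                print pid, name, $5
            }
        }'
}

# name_mismatch CLAIMED EXE: succeeds (0) when the program name shown by netstat
# does not match the basename of the executable mapped at /proc/PID/exe.
# A leading "-" is stripped because a genuine login shell reports itself as "-bash".
name_mismatch() {
    claimed=${1#-}
    actual=$(basename "$2")
    [ "$claimed" != "$actual" ]
}

# triage_pid PID CLAIMED: what the thread does by hand with ps -ef and lsof -p,
# read from /proc. A PID that is gone (or hidden from procfs) is reported as such.
triage_pid() {
    pid=$1; claimed=$2
    if [ ! -d "/proc/$pid" ]; then
        echo "PID $pid: not present in /proc (exited, or hidden from procfs)"
        return 0
    fi
    owner=$(ps -o user= -p "$pid" 2>/dev/null || echo '?')
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || echo '?')
    echo "PID $pid: owner=$owner exe=$exe cwd=$cwd cmdline=$cmd"
    if name_mismatch "$claimed" "$exe"; then
        echo "  WARNING: netstat shows '$claimed' but the binary is '$exe'"
    fi
    case $exe in *" (deleted)"*) echo "  WARNING: binary was unlinked after start" ;; esac
    return 0
}

# Run against the constructed sample by default, or live with: sh irc-triage.sh --live
if [ "$1" = "--live" ]; then
    input=$(netstat -nap 2>/dev/null)
else
    input=$SAMPLE_NETSTAT
fi
printf '%s\n' "$input" | irc_suspects | while read -r pid name remote; do
    echo "$pid ($name) -> $remote"
done
printf '%s\n' "$input" | irc_suspects | awk '!seen[$1]++' | while read -r pid name remote; do
    triage_pid "$pid" "$name"
done
```

Run it with --live on the affected box and treat a "not present in /proc" result with suspicion: netstat got the PID from the kernel, so a process that has vanished from /proc while its socket is still established is exactly the partial hiding the reply describes, and at that point the rescue-CD route is the honest one. A name mismatch (netstat says "-bash", /proc says something under a user's home directory) is the eggdrop-renamed-to-look-like-a-shell case.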