Just Been Hacked! Mironov Backdoor on Linux 2.4.x - proftpd exploit - How do I .... See below

Posted on 2005-03-05
Last Modified: 2008-01-09
Hi - well, if you've read the header you'll know I've had one of our Linux servers hacked by someone called "Mironov", and it's possibly due to the exploit in PROFTPD. There are files in the /tmp folder... one called 'miro' (executable) and a new directory containing some stuff. Has anyone had this attack before, and if so, is there a way to easily clean it up and patch the PROFTPD package to get it sorted?

This particular server has more than 200 websites on it, so I'm quite desperate to clean it rather than having to rebuild it.

Can anyone help with this please?

Mucho appreciated - looking forward to your answers.

Chris
Question by:kenwardc

Expert Comment

by:ahoffmann
ID: 13469655
hmm, all ftp servers have had their vulnerabilities for dozens of years, and they never get fixed properly, unfortunately.
FTP is obsolete in current networks. Replace it with ssh/scp.

Having said this, we can focus on the backdoor.
Check with
   netstat -an
which ports are open (LISTEN), then with
   netstat -pan
which process has it open (for those which are not usual, like httpd)
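The netstat triage ahoffmann describes, as an added example that is not part of the thread: a function that reads `netstat -pan` output and prints every listening socket whose port is not on an allowlist. The netstat text is a constructed sample modelled on the thread (sshd, httpd, proftpd and ntpd expected; an unknown process on 8859 not); the PIDs, the process name `miro` and the allowlist are assumptions.

```shell
# Added example, not from the thread: triage 'netstat -pan' output for
# listening sockets that a web/FTP host has no business exposing. The
# netstat text below is a constructed sample; PIDs and the process name
# 'miro' are assumptions for illustration.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      712/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      905/httpd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      880/proftpd
tcp        0      0 0.0.0.0:8859            0.0.0.0:*               LISTEN      1337/miro
tcp        0      0 10.0.0.5:80             198.51.100.7:51234      ESTABLISHED 906/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           650/ntpd'

# Ports this host is supposed to expose (assumed allowlist; tune per host).
EXPECTED_PORTS="21 22 80 123 443"

# in_list WORD "w1 w2 ..." -> exit 0 if WORD is one of the words
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# unexpected_listeners: reads netstat -pan output on stdin and prints
# "proto port pid/program" for each listening socket whose port is not in
# EXPECTED_PORTS. TCP listeners carry State LISTEN; UDP rows have no State
# column, so the program field is taken as the last field of the row.
unexpected_listeners() {
    while read -r proto _recvq _sendq laddr _faddr rest; do
        case "$proto" in tcp|tcp6|udp|udp6) ;; *) continue ;; esac
        case "$proto:$rest" in
            tcp*:LISTEN*|udp*) ;;       # listening tcp, or any udp socket
            *) continue ;;              # ESTABLISHED, TIME_WAIT etc.
        esac
        port=${laddr##*:}               # strip the address, keep the port
        prog=${rest##* }                # PID/Program name, or '-' if unknown
        in_list "$port" "$EXPECTED_PORTS" && continue
        printf '%s %s %s\n' "$proto" "$port" "$prog"
    done
}

# Stand-alone run over the constructed sample; on the real box pipe the
# live output instead:  netstat -pan | unexpected_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

For each flagged PID, `ls -l /proc/<pid>/exe` and `cat /proc/<pid>/cmdline` show which binary is really behind the socket even if it has been renamed. On a box where the attacker already had root, netstat and ps themselves may have been replaced, so confirm the open ports with a port scan from a second machine before trusting this list.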

Author Comment

by:kenwardc
ID: 13471430
Done that. Found that the system was listening on 8859 and discovered it was set up by Mironov to listen on that address. Whether it was sending or receiving, or how he gets into the box, is something I do not know.

I have so far:
1. Updated ProFTPd to the latest version.
2. Rebooted the box into single user mode and changed the root password
3. Removed the file 'miro' from the /tmp directory
4. Deleted a directory called .orbit* and all its sub folders

Not sure what else he would have infected. So far it looks OK and nothing has come back looking as though he has managed to once again get onto the box, so fingers crossed.

So - anyone know of this hack and definitively how to get rid of it?

Regards
Chris

Expert Comment

by:ahoffmann
ID: 13471488
did you check with netstat -pan which process was listening?

use find to find the files you removed all over your disks

> .. or how he gets into the box,  ..
are you secured with a proper firewall? Then it most likely came in through a vulnerable web application.
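The find-based sweep ahoffmann suggests, as an added example that is not part of the thread: functions that look for other copies of a removed file, hidden directories, set-uid binaries left behind to regain root, and files changed since a trusted reference point. The tree is constructed; the names `miro` and `.orbit` echo the thread but are planted here for illustration.

```shell
# Added example, not from the thread: sweep a tree for intrusion artefacts
# with find. The tree below is constructed; 'miro' and '.orbit' are planted
# here for illustration, not recovered from the hacked server.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/tmp/.orbit-x" "$ROOT/usr/bin" "$ROOT/var/tmp" "$ROOT/etc"

# Reference file with a pre-intrusion mtime (2005-03-04). On a real box use a
# file whose timestamp you trust, e.g. one from the last package update.
touch -t 200503040000 "$ROOT/etc/reference"

printf 'x' > "$ROOT/usr/bin/miro";  chmod 755  "$ROOT/usr/bin/miro"  # second copy of the backdoor
printf 'x' > "$ROOT/var/tmp/.sh";   chmod 4755 "$ROOT/var/tmp/.sh"   # planted set-uid shell
printf 'x' > "$ROOT/tmp/.orbit-x/cfg"                                # hidden working directory

# sweep_named ROOT GLOB   -> paths whose name matches GLOB
sweep_named()       { find "$1" -xdev -name "$2" -print | LC_ALL=C sort; }
# sweep_hidden_dirs ROOT  -> dot-directories anywhere below ROOT
sweep_hidden_dirs() { find "$1" -xdev -mindepth 1 -type d -name '.*' -print | LC_ALL=C sort; }
# sweep_suid ROOT         -> regular files with the set-uid or set-gid bit
sweep_suid()        { find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort; }
# sweep_newer ROOT REF    -> regular files modified after REF's mtime
sweep_newer()       { find "$1" -xdev -type f -newer "$2" -print | LC_ALL=C sort; }

# Stand-alone run over the constructed tree; on the real box use / as ROOT
# (-xdev keeps each sweep on one filesystem, so repeat per mounted volume).
for fn in "sweep_named $ROOT miro" "sweep_hidden_dirs $ROOT" \
          "sweep_suid $ROOT" "sweep_newer $ROOT $ROOT/etc/reference"; do
    echo "== $fn"; $fn
done
```

The set-uid sweep is worth comparing against the package database (e.g. `rpm -Va` or `debsums`) because a planted set-uid shell is the classic way back in after the original hole is patched; the mtime sweep only helps if the attacker did not reset timestamps, so treat an empty result as weak evidence.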

Author Comment

by:kenwardc
ID: 13471516
Hi ahoffmann

No - he used a hole in proftpd to get into the server. Then set himself up as root, changed the root password, then put these files on the computer. Yes - as I said, the computer was listening on port 8859 which was HIS port.

Regards
Chris

Author Comment

by:kenwardc
ID: 13471553
Sorry - YES - the whole server is protected by a firewall, but because the customers need access via FTP, this was the problem.

Expert Comment

by:ahoffmann
ID: 13471674
oops, you said that proftp was the hole.
no one needs ftp, except attackers to gain access ;-)

Author Comment

by:kenwardc
ID: 13471684
Problem is that on our servers we do not use control panel access for customers to update their websites so we allow FTP to the server from anywhere. Are you suggesting there is another way?

Regards
Chris

Expert Comment

by:ahoffmann
ID: 13472010
ssh/scp

Author Comment

by:kenwardc
ID: 13472257
SCP? Don't know what this is?

Accepted Solution

by:jlevie
ID: 13472679
You can mitigate potential security risks with FTP by making sure that you are always using the current version of proftp and by setting proftp up to use non-linux accounts for access. When proftp operates in that mode it runs as an un-privileged user (usually nobody), which makes it difficult for an attacker to do anything meaningful. As long as your proftp server doesn't contain a root exploit vulnerability it is pretty safe. A web server that hosts lots of sites that customers update is probably safer when run in this mode than when users have ssh/scp access. In general, there are more times that a vulnerability may exist that can only be exploited from within the server than externally. And there's certainly less to worry about if external users only have access through FTP or HTTP.

I don't know what Linux you are using on this box, but one of the advantages of a commercial Linux as opposed to the free ones is the support that's available in terms of timely and easy updates. Something to consider...
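The proftpd setup jlevie describes (virtual, non-system accounts, daemon dropped to an unprivileged user), as an added example that is not part of the thread: a weak proftpd.conf beside the hardened form, and a small audit function that flags the settings that matter. Both files are written to a temporary directory; the paths, the `customers` group and the `nogroup` group are assumptions (some distributions use `nobody` as the group).

```shell
# Added example, not from the thread: weak vs hardened proftpd.conf for
# customer uploads, plus an audit of a config file. Paths, user and group
# names are assumptions.
WORK=$(mktemp -d)

# Weak: no User/Group (daemon stays root), every /etc/passwd account can log
# in and is not chrooted, so an FTP bug is a bug in a root process.
cat > "$WORK/proftpd.weak.conf" <<'EOF'
ServerName  "Customer FTP"
ServerType  standalone
Port        21
EOF

# Hardened: drop to nobody, authenticate only against proftpd's own password
# file (these users do not exist in /etc/passwd and have /bin/false as shell,
# hence RequireValidShell off), and jail each login in its home directory.
cat > "$WORK/proftpd.hard.conf" <<'EOF'
ServerName        "Customer FTP"
ServerType        standalone
Port              21
User              nobody
Group             nogroup
AuthUserFile      /etc/proftpd/ftpd.passwd
AuthGroupFile     /etc/proftpd/ftpd.group
AuthOrder         mod_auth_file.c
RequireValidShell off
DefaultRoot       ~
<Limit LOGIN>
  AllowGroup customers
  DenyAll
</Limit>
EOF
# Virtual users are created with proftpd's ftpasswd tool, e.g.
#   ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=site001 \
#            --uid=65534 --gid=65534 --home=/var/www/site001 --shell=/bin/false

# conf_value FILE DIRECTIVE -> the directive's first value, or nothing
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# audit_proftpd_conf FILE -> one line per weak setting; exit 0 if none found
audit_proftpd_conf() {
    f=$1; rc=0
    case "$(conf_value "$f" User)" in
        ""|root) echo "User is root or unset: daemon keeps root privileges"; rc=1 ;;
    esac
    [ -n "$(conf_value "$f" AuthUserFile)" ] ||
        { echo "no AuthUserFile: every system account is an FTP account"; rc=1; }
    [ "$(conf_value "$f" AuthOrder)" = "mod_auth_file.c" ] ||
        { echo "AuthOrder does not restrict auth to mod_auth_file.c"; rc=1; }
    [ "$(conf_value "$f" RequireValidShell | tr 'A-Z' 'a-z')" = "off" ] ||
        { echo "RequireValidShell not off: virtual users would need a real shell"; rc=1; }
    [ -n "$(conf_value "$f" DefaultRoot)" ] ||
        { echo "no DefaultRoot: logins can browse outside their home"; rc=1; }
    return $rc
}

for c in weak hard; do
    echo "== proftpd.$c.conf"
    audit_proftpd_conf "$WORK/proftpd.$c.conf" || echo "-> $c config FAILS audit"
done
```

The point of the hardened form is containment, not immunity: as jlevie notes, a bug reachable before the privilege drop (or a root exploit in proftpd itself) still yields root, so keeping proftpd current remains the first control; the config limits what a bug in the post-login code path can reach.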

Expert Comment

by:ahoffmann
ID: 13474433
good point jlevie
a "copy-only" solution is already there:
  http://www.pizzashack.org/rssh/
  http://sublimation.org/scponly/

Assisted Solution

by:pjedmond
ID: 13485755
Unfortunately, because the 'attacker' has gained root access, you cannot guarantee the integrity of your system. Realistically, the best thing is to reinstall.

For future use you may wish to look at applications like tripwire that give you advance warning that critical or key files have been altered. In that case, you can restore from a known good backup from prior to the intrusion.

Sorry:(
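The file-integrity idea behind tripwire that pjedmond recommends, as an added example that is not part of the thread: one function records a SHA-256 digest per file, another compares the live tree against that record and reports MODIFIED, ADDED and MISSING paths. The sample tree and the simulated intrusion are constructed; real tools also record mode, owner, size, mtime and inode.

```shell
# Added example, not from the thread: a minimal tripwire-style baseline and
# check. The demo tree and the "intrusion" below are constructed. Keep the
# baseline off the box or on read-only media: once an attacker has root, a
# baseline stored locally can simply be rewritten to match.

# digest FILE -> hex SHA-256 (sha256sum on GNU systems, shasum elsewhere)
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# fim_baseline DIR -> manifest lines "digest ./relative/path" on stdout
fim_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r p; do
          printf '%s %s\n' "$(digest "$p")" "$p"
      done )
}

# fim_check DIR MANIFEST -> prints findings; exit 0 only if nothing changed
fim_check() {
    dir=$1; manifest=$2; rc=0
    cur=$(mktemp)
    fim_baseline "$dir" > "$cur"
    # every recorded file must still exist with the same digest
    while read -r d p; do
        now=$(awk -v p="$p" '$2 == p { print $1 }' "$cur")
        if [ -z "$now" ]; then echo "MISSING $p"; rc=1
        elif [ "$now" != "$d" ]; then echo "MODIFIED $p"; rc=1
        fi
    done < "$manifest"
    # every current file must have been recorded
    while read -r d p; do
        awk -v p="$p" '$2 == p { f = 1 } END { exit !f }' "$manifest" ||
            { echo "ADDED $p"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return $rc
}

# Constructed demo: a tiny "system", its baseline, then a simulated intrusion.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/bin" "$DEMO/etc"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$DEMO/etc/passwd"
printf 'anonymous\n'                    > "$DEMO/etc/ftpusers"
printf '#!/bin/sh\necho real ls\n'      > "$DEMO/bin/ls"
fim_baseline "$DEMO" > "$DEMO.manifest"                   # copy this off the box

printf '#!/bin/sh\necho trojaned ls\n' > "$DEMO/bin/ls"   # replaced binary
printf 'backdoor\n'                    > "$DEMO/bin/miro" # dropped file
rm -f "$DEMO/etc/ftpusers"                                # removed control file

fim_check "$DEMO" "$DEMO.manifest" || echo "-> integrity check FAILED"
```

Run the check from a clean boot medium (or against a mounted image of the disk) rather than on the live, possibly rootkitted system, and take the baseline immediately after the rebuild, before the box is put back on the network.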
