Just Been Hacked! Mironov Backdoor on Linux 2.4.x - proftpd exploit - How do I .... See below

Hi - well, if you've read the header you'll know I've had one of our Linux servers hacked by someone called "Mironov", and it's possibly due to the exploit in PROFTPD. There are files in the /tmp folder... one called 'miro' (executable) and a new directory containing some stuff. Has anyone had this attack before, and if so, is there a way to easily clean it up and patch the PROFTPD package to get it sorted?

This particular server has more than 200 websites on it, so I'm quite desperate to clean it rather than having to rebuild it.

Can anyone help with this please?

Mucho appreciated - looking forward to your answers.

Chris
Chris Kenward (Director) asked:

ahoffmann commented:
hmm, all ftp servers have their vulnerabilities, since dozens of years, and they never get fixed properly, unfortunately
FTP is obsolete in current networks. Replace it with ssh/scp.

Having said this, we can focus on the backdoor.
Check with
   netstat -an
which ports are open (LISTEN), then with
   netstat -pan
which process has it open (for those which are not usual, like httpd)
0
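An added example, not part of ahoffmann's answer, showing how the netstat step above can be turned into a repeatable triage check: listening sockets are compared against a list of ports the host is supposed to serve, and anything else is printed with its owning process. The netstat output embedded here is constructed to resemble the situation in the question (a listener on port 8859 owned by a process called "miro"), and the expected-port list is an assumption for this example.

```shell
#!/bin/sh
# Added example (not from the thread): triage "netstat -pan" output for
# unexpected listeners. On a real host pipe the live command into
# suspicious_listeners; here a constructed sample is used so it runs stand-alone.

# Assumption: the services this host is supposed to offer.
EXPECTED_PORTS="21 22 25 53 80 443"

# Constructed sample of "netstat -pan" (Linux 2.4-era column layout).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      812/proftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      744/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      901/httpd
tcp        0      0 0.0.0.0:8859            0.0.0.0:*               LISTEN      2213/miro
tcp        0      0 10.0.0.5:80             10.0.0.9:51234          ESTABLISHED 905/httpd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           650/named'

# Read netstat output on stdin; print "proto port pid/program" for every
# listening socket whose port is not in EXPECTED_PORTS.
suspicious_listeners() {
    awk -v expected="$EXPECTED_PORTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        # TCP listeners carry a LISTEN state; UDP lines have no state column,
        # so every bound UDP socket is treated as a listener.
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/) {
            port = $4; sub(/.*:/, "", port)        # keep only the port after the last ":"
            prog = ($1 ~ /^tcp/) ? $7 : $6          # PID/Program column shifts for UDP
            if (!(port in ok)) print $1, port, prog
        }'
}

# Run the check over the constructed sample.
triage_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_listeners
}

triage_sample
```

The owning process name is the important column: a listener on an odd port that belongs to a binary in /tmp, or to a name that matches nothing installed from a package, is what to chase first, and the PID lets you inspect it with `ls -l /proc/<pid>/exe` before touching anything.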
Chris Kenward (Director, Author) commented:
Done that. Found that the system was listening on 8859 and discovered it was set up by Mironov to listen on that address. Whether it was sending or receiving, or how he gets into the box, is something I do not know.

I have so far:
1. Updated ProFTPd to the latest version.
2. Rebooted the box into single user mode and changed the root password
3. Removed the file 'miro' from the /tmp directory
4. Deleted a directory called .orbit* and all its sub folders

Not sure what else he would have infected. So far it looks OK and nothing has come back looking as though he has managed to once again get onto the box, so fingers crossed.

So - anyone know of this hack and definitively how to get rid of it?

Regards
Chris
0
ahoffmann commented:
did you check with netstat -pan which process was listening?

use find to find the files you removed all over your disks

> .. or how he gets into the box,  ..
are you secured with a proper firewall? Then it most likely came in through a vulnerable web application.
0
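An added example, not from ahoffmann's comment, of the find-based sweep he suggests: it looks across a whole filesystem for the artifact names given in the question ("miro" and ".orbit*") and, separately, for files modified after a reference file whose timestamp predates the intrusion. On a real host you would run it against "/" with a file from a known-good backup as the reference; the directory tree built here is constructed so the example runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the thread): sweep for known artifact names and for
# files changed after a reference timestamp. The tree built by
# build_sample_tree is constructed to mirror the question's description.
# Assumption: these names are the only indicators available; on a packaged
# system you would also compare installed files against package checksums.

# Print paths under $1 whose basename matches a known artifact name.
# Searched everywhere, not only /tmp: an intruder with root can leave copies
# anywhere. -xdev keeps the search on one filesystem (run once per mount).
find_artifacts() {
    find "$1" -xdev \( -name miro -o -name '.orbit*' \) 2>/dev/null | sort
}

# Print regular files under $1 modified more recently than the file $2.
find_modified_since() {
    find "$1" -xdev -type f -newer "$2" 2>/dev/null | sort
}

# Constructed tree: a benign site, a pre-intrusion marker file with an old
# timestamp, the two artifacts from the question, and a second copy of "miro"
# outside /tmp. Prints the tree's root path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp/.orbit-x/sub" "$root/var/www/site1" "$root/usr/local/bin"
    printf 'benign\n' > "$root/var/www/site1/index.html"
    printf 'reference\n' > "$root/var/www/site1/.reference"
    touch -t 200001010000 "$root/var/www/site1/index.html" "$root/var/www/site1/.reference"
    printf 'unknown binary\n' > "$root/tmp/miro"
    printf 'dropped\n' > "$root/tmp/.orbit-x/sub/data"
    printf 'second copy\n' > "$root/usr/local/bin/miro"
    printf '%s\n' "$root"
}

root=$(build_sample_tree)
echo "== artifact names =="
find_artifacts "$root"
echo "== modified after reference =="
find_modified_since "$root" "$root/var/www/site1/.reference"
rm -rf "$root"
```

The timestamp search is the more useful of the two once the intruder's own file names are known, because it also turns up replaced system binaries and edited configuration; it is only as good as the reference timestamp, and mtimes can be reset, which is why pjedmond's reinstall advice further down still stands.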

Chris Kenward (Director, Author) commented:
Hi ahoffmann

No - he used a hole in proftpd to get into the server. Then set himself up as root, changed the root password, then put these files on the computer. Yes - as I said, the computer was listening on port 8859 which was HIS port.

Regards
Chris
0
Chris Kenward (Director, Author) commented:
Sorry - YES - the whole server is protected by a firewall, but because the customers need access via FTP this was the problem.
0
ahoffmann commented:
oops, you said that proftp was the hole.
no one needs ftp, except attackers to gain access ;-)
0
Chris Kenward (Director, Author) commented:
Problem is that on our servers we do not use control panel access for customers to update their websites so we allow FTP to the server from anywhere. Are you suggesting there is another way?

Regards
Chris
0
ahoffmann commented:
ssh/scp
0
Chris Kenward (Director, Author) commented:
SCP? Don't know what this is?
0
jlevie commented:
You can mitigate potential security risks with FTP by making sure that you are always using the current version of proftp and by setting proftp up to use non-linux accounts for access. When proftp operates in that mode it runs as an unprivileged user (usually nobody), which makes it difficult for an attacker to do anything meaningful. As long as your proftp server doesn't contain a root exploit vulnerability it is pretty safe. A web server that hosts lots of sites that customers update is probably safer when run in this mode than when users have ssh/scp access. In general, there are more times that a vulnerability may exist that can only be exploited from within the server than externally. And there's certainly less to worry about if external users only have access through FTP or HTTP.

I don't know what Linux you are using on this box, but one of the advantages of a commercial Linux as opposed to the free ones is the support that's available in terms of timely and easy updates. Something to consider...
0
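An added example, not from jlevie's answer, of the mode he describes: a proftpd.conf fragment using virtual users from a private password file with the daemon dropped to an unprivileged account, placed beside a weak variant, and a small lint that flags the settings that matter. The directive names are real proftpd directives; the file paths and the hostname are assumptions made for this example, and the lint is illustrative rather than a substitute for proftpd's own configuration check.

```shell
#!/bin/sh
# Added example (not from the thread): virtual-user proftpd configuration
# beside the weak form, plus a lint for the settings that matter. Paths and
# hostname are assumptions; directive names are real proftpd directives.

# Weak: FTP logins are real system accounts and the daemon keeps root.
WEAK_CONF='ServerName "ftp.example.com"
User root
Group root
RequireValidShell on
RootLogin on'

# Hardened: virtual users from a private password file, unprivileged daemon,
# every user confined to their own home, root login refused.
HARDENED_CONF='ServerName "ftp.example.com"
# Identity the daemon drops to after binding port 21.
User nobody
Group nogroup
# Authenticate only against the ftpasswd-managed files, never /etc/passwd or PAM.
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
AuthOrder mod_auth_file.c
AuthPAM off
# Virtual users have no login shell; do not reject them for that.
RequireValidShell off
# Chroot each user into their home directory.
DefaultRoot ~
RootLogin off
# Refuse PORT commands that point at third-party hosts (FTP bounce).
AllowForeignAddress off
ServerIdent on "FTP server ready"'

# Lint a proftpd.conf: print one line per finding, return 1 if any FAIL.
check_proftpd_conf() {
    body=$(sed 's/#.*$//' "$1")   # drop comments so they do not count as directives
    rc=0
    user=$(printf '%s\n' "$body" | awk '$1 == "User" { print $2; exit }')
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "FAIL: daemon User must be an unprivileged account (got '${user:-unset}')"; rc=1
    fi
    if ! printf '%s\n' "$body" | grep -q '^AuthUserFile'; then
        echo "FAIL: no AuthUserFile; FTP logins would map to system accounts"; rc=1
    fi
    if ! printf '%s\n' "$body" | grep -q '^DefaultRoot'; then
        echo "FAIL: no DefaultRoot; users can browse the whole filesystem"; rc=1
    fi
    if printf '%s\n' "$body" | grep -qi '^RootLogin[[:space:]]*on'; then
        echo "FAIL: RootLogin on permits root logins over FTP"; rc=1
    fi
    if printf '%s\n' "$body" | grep -qi '^RequireValidShell[[:space:]]*on'; then
        echo "WARN: RequireValidShell on rejects virtual users that have no shell"
    fi
    return $rc
}

# Write both fragments into a temporary directory and print its path.
write_sample_confs() {
    d=$(mktemp -d)
    printf '%s\n' "$WEAK_CONF" > "$d/weak.conf"
    printf '%s\n' "$HARDENED_CONF" > "$d/hardened.conf"
    printf '%s\n' "$d"
}

d=$(write_sample_confs)
echo "== weak.conf =="; check_proftpd_conf "$d/weak.conf" || true
echo "== hardened.conf =="; check_proftpd_conf "$d/hardened.conf" && echo "OK"
rm -rf "$d"
```

Virtual users for the hardened form are created with the ftpasswd script shipped with proftpd, for example `ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=alice --uid=2001 --gid=2001 --home=/var/www/alice --shell=/bin/false`, so an FTP credential never corresponds to a login on the box; the home directory should be the customer's web root and nothing more. Check the real file with `proftpd -t -c /path/to/proftpd.conf` before restarting the daemon.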
ahoffmann commented:
good point jlevie
a "copy-only" solution is already there:
  http://www.pizzashack.org/rssh/
  http://sublimation.org/scponly/
0
pjedmond commented:
Unfortunately, because the 'attacker' has gained root access, you cannot guarantee the integrity of your system. Realistically, the best thing is to reinstall.

For future use you may wish to look at applications like tripwire that give you advance warning that critical or key files have been altered. In that case, you can restore from a known good backup from prior to the intrusion.

Sorry:(
0
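An added example, not from pjedmond's answer, of the idea behind tripwire reduced to its core: hash every regular file under a tree while the system is known-good, keep the list somewhere the box cannot alter, and later diff a fresh run against it to see what was modified, added or removed. sha256sum from GNU coreutils is assumed; the sample tree in the usage at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal tripwire-style integrity
# check. Assumes GNU coreutils sha256sum. Keep the baseline file off the host
# (or on read-only media); a baseline the intruder can rewrite proves nothing.

# Write "hash  ./path" for every regular file under $1 into $2.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Compare the tree $1 against baseline $2. Prints one line per difference
# ("MODIFIED ./path", "ADDED ./path", "REMOVED ./path"); returns 1 if any.
verify_baseline() {
    work=$(mktemp -d)
    make_baseline "$1" "$work/cur"
    sort "$2" > "$work/old_lines"
    sort "$work/cur" > "$work/cur_lines"
    # sha256sum lines are 64 hex chars, two spaces, then the path (column 67).
    cut -c67- "$work/old_lines" | sort > "$work/old_paths"
    cut -c67- "$work/cur_lines" | sort > "$work/cur_paths"
    # Lines present now but absent from the baseline: new files or new hashes.
    comm -13 "$work/old_lines" "$work/cur_lines" | cut -c67- | sort > "$work/changed"
    {
        comm -12 "$work/changed" "$work/old_paths" | sed 's/^/MODIFIED /'
        comm -23 "$work/changed" "$work/old_paths" | sed 's/^/ADDED /'
        comm -23 "$work/old_paths" "$work/cur_paths" | sed 's/^/REMOVED /'
    } > "$work/report"
    cat "$work/report"
    n=$(wc -l < "$work/report")
    rm -rf "$work"
    [ "$n" -eq 0 ]
}

# Constructed demonstration: baseline a small tree, then tamper with it.
root=$(mktemp -d); mkdir -p "$root/etc" "$root/bin"
printf 'root:x:0:0\n' > "$root/etc/passwd"
printf 'ls\n' > "$root/bin/ls"
printf 'keep\n' > "$root/etc/hosts"
baseline=$(mktemp)
make_baseline "$root" "$baseline"
printf 'replaced\n' > "$root/bin/ls"     # modified
printf 'x\n' > "$root/bin/miro"          # added
rm "$root/etc/hosts"                     # removed
verify_baseline "$root" "$baseline" || echo "integrity check failed"
rm -rf "$root" "$baseline"
```

Run make_baseline over /bin, /sbin, /usr/bin, /lib and /etc right after a clean install and again after every deliberate update; tripwire adds signed databases, policy for which attributes to watch and scheduled reporting on top of exactly this comparison. It does not help with the current compromise, since there is no pre-intrusion baseline to compare against, which is why the reinstall advice above stands.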