Did my Linux lab box get hacked?

I have a CentOS box I use for non-critical stuff in the house like house phones on Asterisk, and to play around with/learn Linux. Over the weekend, I noticed my home phone server hitting 100% CPU/MEM used. When I used the "top" command in SSH, I noticed a user "nagios" killing my resources with the command "w00t", which made me think someone had got me. The other server was the same, but the command was "tester".
Is my box infected or exploited, and can I save it?

top - 12:53:59 up 23:58,  1 user,  load average: 2.33, 2.37, 2.52
Tasks: 121 total,   2 running, 119 sleeping,   0 stopped,   0 zombie
Cpu(s): 47.3%us,  0.3%sy, 33.9%ni, 13.6%id,  2.1%wa,  2.7%hi,  0.0%si,  0.0%st
Mem:   3893584k total,  3773736k used,   119848k free,     1744k buffers
Swap:   785400k total,   392732k used,   392668k free,    20068k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
25253 nagios    20   0 3475m 3.1g  316 R 198.6 84.6 369:06.17 w00t
    1 root      20   0 19232  368  360 S  0.0  0.0   0:00.59 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT   0     0    0    0 S  0.0  0.0   0:05.53 migration/0


top - 18:35:10 up  4:28,  1 user,  load average: 3.14, 3.15, 3.35
Tasks: 145 total,   1 running, 144 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.7%us,  0.5%sy, 97.8%ni,  0.0%id,  0.0%wa,  0.1%hi,  0.0%si,  0.0%
Mem:   1536088k total,   473144k used,  1062944k free,     8704k buffers
Swap:   524280k total,   115948k used,   408332k free,    70516k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
20250 nagios    20   0  470m  10m 1128 S 390.8  0.7 155:58.30 tester
 1465 asterisk  20   0  387m  17m 3148 S  4.0  1.2   1:24.05 httpd


matthewmalk248 asked:

Pasha Kravtsov (Support Engineer) commented:
Hmm, for the time being disable sshd, edit /etc/passwd and remove that user. Kill all the tasks being run by that user and make sure that there aren't any other weird things being run.
There are two reasons why the user might not be showing up using the 'w' command:
1. He's not currently logged in.
2. There is a rootkit on your box and it has that command hooked to not show him.

Use this C program to detect whether there is a rootkit on your machine
http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html (great blog)

??? -> http://www.nagios.org/
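The kind of check that program does, resolving each libc wrapper through the process's global symbol scope and asking which loaded object actually owns it, as an added Python example (not the chokepoint tool and not code from anyone in this thread). It assumes a glibc Linux system; the `WATCHED` and `TRUSTED_OWNERS` lists and the `DlInfo` layout are this example's own assumptions.

```python
import ctypes
import os
# libc wrappers that LD_PRELOAD rootkits commonly interpose to hide files,
# directory entries, processes and sockets (the set the thread's checker walks)
WATCHED = ("open", "readdir", "fopen", "accept", "access", "unlink")
# Objects that may legitimately export these on a glibc system (assumed here);
# before glibc 2.34 the cancellable wrappers such as open/accept live in libpthread
TRUSTED_OWNERS = ("libc", "libpthread")

class DlInfo(ctypes.Structure):  # struct Dl_info from <dlfcn.h>
    _fields_ = [("dli_fname", ctypes.c_char_p), ("dli_fbase", ctypes.c_void_p),
                ("dli_sname", ctypes.c_char_p), ("dli_saddr", ctypes.c_void_p)]

_GLOBAL = ctypes.CDLL(None)  # dlopen(NULL): the program's global symbol scope
try:
    _dladdr = _GLOBAL.dladdr  # glibc >= 2.34 exports dladdr from libc itself
except AttributeError:
    _dladdr = ctypes.CDLL("libdl.so.2").dladdr
_dladdr.argtypes = [ctypes.c_void_p, ctypes.POINTER(DlInfo)]
_dladdr.restype = ctypes.c_int

def symbol_owner(name):
    """Path of the shared object that wins the global-scope lookup for `name`,
    or None if nothing loaded exports it. That lookup walks objects in load order,
    so a copy injected via LD_PRELOAD or /etc/ld.so.preload shadows libc's and
    is reported as the owner instead of libc."""
    try:
        addr = ctypes.cast(getattr(_GLOBAL, name), ctypes.c_void_p).value
    except AttributeError:
        return None
    info = DlInfo()
    if not _dladdr(addr, ctypes.byref(info)) or not info.dli_fname:
        return None
    return info.dli_fname.decode()

def find_interposed(names=WATCHED):
    """Return {symbol: owner_path} for every watched symbol not served by libc/libpthread."""
    hooked = {}
    for name in names:
        owner = symbol_owner(name)
        if owner and not os.path.basename(owner).startswith(TRUSTED_OWNERS):
            hooked[name] = owner
    return hooked

def preload_indicators():
    """Cheap secondary signals. A rootkit hooking open()/access() can hide
    /etc/ld.so.preload from this very check, so a clean result here proves little."""
    return {"LD_PRELOAD": os.environ.get("LD_PRELOAD", ""),
            "ld.so.preload_present": os.path.exists("/etc/ld.so.preload")}
```

Run `find_interposed()` from a fresh shell; a non-empty result names the library that is shadowing libc, which is the next thing to pull off the box for analysis.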
 
Pasha Kravtsov (Support Engineer) commented:
Hmm, yes, it sounds as if you have a malicious user on your box.
Do 'ps faux' and 'w', then do 'netstat -n', and post the info if you feel comfortable.

matthewmalk248 (Author) commented:
ps faux showed some interesting things...

Looks like I have some friends from Singapore playing with my emotions!

nagios    2030  0.0  0.0  39364    88 ?        Ss   14:07   0:03 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d


nagios   20250  377  0.6 482180 10544 ?        Ssl  17:52 241:18 /tmp/tester -o stratum+tcp://multi1.wemineall.com:80 -u weedee.1 -p x --alg


What's kinda weird is that "users" only shows me, not this ghost user, and "w" shows only:
-bash-4.1# w
 18:58:15 up  4:51,  1 user,  load average: 4.01, 4.03, 3.85
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    MY.IP.ADDRESS    17:07    0.00s  0.01s  0.00s w



And netstat -n:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:53683             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53666             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53673             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53665             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53677             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53675             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53672             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53680             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53670             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:5038              127.0.0.1:51946             ESTABLISHED
tcp        0      0 127.0.0.1:53674             127.0.0.1:5038              TIME_WAIT
tcp        0     52 MY.SERVERS.IP:22            MY.REMOTED-IN.IP:50462         ESTABLISHED
tcp        0      0 127.0.0.1:53682             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53676             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53687             127.0.0.1:5038              TIME_WAIT
tcp        1      0 MY.SERVERS.IP:5666          180.210.205.209:50903       CLOSE_WAIT
tcp        0      0 127.0.0.1:53664             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53684             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53685             127.0.0.1:5038              TIME_WAIT
tcp        0      0 MY.SERVERS.IP:59670         37.187.28.68:80             ESTABLISHED
tcp        0      0 127.0.0.1:53686             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53678             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53668             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53671             127.0.0.1:5038              TIME_WAIT
tcp        0      0 ::ffff:127.0.0.1:51946      ::ffff:127.0.0.1:5038       ESTABLISHED
tcp        0      0 ::ffff:MY.SERVERS.IP:80     ::ffff:MY.REMOTED-IN.IP:51963  ESTABLISHED


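The two signals in that output that give the game away, a binary executing out of /tmp with a mining-pool URL on its command line and a listener (5666) talking to a peer outside the LAN, as an added Python triage script that is not from this thread. The sample lines are constructed from the output above; 192.168.1.10 and 192.168.1.50 stand in for the redacted local addresses.

```python
import ipaddress
# Constructed `ps aux`-style lines modelled on the thread's output
# (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND)
PS_SAMPLE = """\
nagios    2030  0.0  0.0  39364    88 ?        Ss   14:07   0:03 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d
nagios   20250  377  0.6 482180 10544 ?        Ssl  17:52 241:18 /tmp/tester -o stratum+tcp://multi1.wemineall.com:80 -u weedee.1 -p x --alg
"""
# Constructed `netstat -n` lines; 192.168.1.10 stands in for the box's own address
NETSTAT_SAMPLE = """\
tcp        0      0 127.0.0.1:53683             127.0.0.1:5038              TIME_WAIT
tcp        0     52 192.168.1.10:22             192.168.1.50:50462          ESTABLISHED
tcp        1      0 192.168.1.10:5666           180.210.205.209:50903       CLOSE_WAIT
tcp        0      0 192.168.1.10:59670          37.187.28.68:80             ESTABLISHED
"""
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable, where droppers land
POOL_SCHEMES = ("stratum+tcp://", "stratum+ssl://")  # mining-pool protocol URLs

def suspicious_processes(ps_text, cpu_threshold=150.0):
    """Return (pid, user, reasons) for each process line that looks like a dropped miner."""
    hits = []
    for line in ps_text.splitlines():
        f = line.split(None, 10)
        if len(f) < 11 or not f[1].isdigit():
            continue  # header or truncated line
        user, pid, cpu, cmd = f[0], int(f[1]), float(f[2]), f[10]
        reasons = []
        if cmd.split()[0].startswith(SCRATCH_DIRS):
            reasons.append("binary runs from a world-writable scratch dir")
        if any(s in cmd for s in POOL_SCHEMES):
            reasons.append("mining-pool URL in arguments")
        if cpu >= cpu_threshold:
            reasons.append(f"{cpu:.0f}% CPU")
        if reasons:
            hits.append((pid, user, "; ".join(reasons)))
    return hits

def external_connections(netstat_text):
    """Return (local_port, peer_ip, state) for sockets whose peer is neither loopback nor private."""
    out = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue
        try:  # drop the port and any IPv4-mapped ::ffff: prefix before parsing
            peer = ipaddress.ip_address(f[4].rsplit(":", 1)[0].replace("::ffff:", ""))
        except ValueError:
            continue  # hostname or placeholder, not an IP literal
        if peer.is_global:
            out.append((int(f[3].rsplit(":", 1)[1]), str(peer), f[5]))
    return out
```

Feed it `ps aux` and `netstat -n` captured to files; a hit on a low local port such as 5666 points at the service that was reached from outside, while an outbound hit on a high local port is the miner's own pool connection.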
matthewmalk248 (Author) commented:
Looks like port 5666 has been exploited, which I'm guessing is Nagios, so there's a Nagios exploit?

pony10us commented:
There is an exploit related to Nagios and NRPE (port 5666).

http://www.opsview.com/whats-new/blog/security-notice-nrpe-exploit

matthewmalk248 (Author) commented:
Well, this doesn't look good then. I ran that C program to check for userland rootkits..
[+] Checking open syscall.
[+] Checking readdir syscall.
[+] Checking fopen syscall.
[!] Preload hooks dectected!
Libc address: 0x175410
Next address: 0x239330
[+] Checking accept syscall.
[+] Checking access syscall.
[+] Checking unlink syscall.



Pasha Kravtsov (Support Engineer) commented:
Damn, that's bad.. looks like you have a rootkit installed on your box. Best bet is to reinstall the box and back up your critical files.. When I say back up critical data, I mean text files and things like that, nothing that is able to carry infected code.

matthewmalk248 (Author) commented:
Dang! Is there any way to like use rkhunter logs to clean it?

matthewmalk248 (Author) commented:
Also, odd note: I ran it again, and everything seemed normal? Ran a few more times to be sure. This was after I had deleted the nagios user from /etc/passwd.

]# ./preloadcheck
[+] Checking open syscall.
[+] Checking readdir syscall.
[+] Checking fopen syscall.
[+] Checking accept syscall.
[+] Checking access syscall.
[+] Checking unlink syscall.



arnold commented:
Nagios is a network/system monitoring tool. If you did not install it, that would be a concern. If you had set it up, you may have a check designed for a host that could have gone wrong. What is the second system where tester was running?

Without looking at the code, it seems tester is supposed to monitor a web site and alert, presumably, if the site is down, or, using an extended test, if the content on the page changed.
Often, one places a marker such as an HTML comment; if that comment is missing, an alert that the website is "corrupted", compromised.....

Pasha Kravtsov (Support Engineer) commented:
Mathew, that program checks whether a rootkit is actively running on your machine. It makes sense that after you killed the malicious user, the rootkit died/isn't running anymore.. a little.. haha. Well, try running ps faux and continue monitoring for issues. If you have any more, feel free to visit my profile and send me an email.

matthewmalk248 (Author) commented:
LoL, yea, what a wimpy rootkit if it dies when I run "skill -STOP -u nagios". I'm going to tighten up the system and monitor it a lot for the next few weeks. I changed the SSH port, disabled password auth so I'm only using keys now, and set up iptables. There's nothing life (or credit) threatening on the box, so I'm kind of curious if I can dismantle this infection piece by piece. Would be kind of cool not having to set all this stuff up again!

arnold commented:
Make sure to update openssl, openssh.

Did you previously set up nagios on your system?

matthewmalk248 (Author) commented:
No, but I noticed that there's a "nagios" user in /etc/passwd even on a fresh install of this distro of CentOS 6.5. Is that normal?

Pasha Kravtsov (Support Engineer) commented:
Hm, sounds like you got something that was vulnerable, I'm not sure. Definitely not openssl issues.. lol, it's not Heartbleed.

Gerwin Jansen, EE MVE (Topic Advisor) commented:
tcp://multi1.wemineall.com:80 -> Your CPU is being used to generate some bitcoins for someone

matthewmalk248 (Author) commented:
Thanks Gerwin, that's actually a relief! Probably the least malicious thing I can imagine, other than wasting electricity.