Solved

Did my Linux lab box get hacked?

Posted on 2014-04-21
848 Views
Last Modified: 2014-04-22
I have a CentOS box I use for non-critical stuff in the house like house phones on Asterisk, and to play around with/learn Linux. Over the weekend, I noticed my home phone server hitting 100% CPU/MEM used. When I used the "top" command in SSH, I noticed a user "Nagios" killing my resources with the command "w00t", which made me think someone had got me. The other server was the same but the command was "tester".
Is my box infected or exploited, and can I save it?

top - 12:53:59 up 23:58,  1 user,  load average: 2.33, 2.37, 2.52
Tasks: 121 total,   2 running, 119 sleeping,   0 stopped,   0 zombie
Cpu(s): 47.3%us,  0.3%sy, 33.9%ni, 13.6%id,  2.1%wa,  2.7%hi,  0.0%si,  0.0%st
Mem:   3893584k total,  3773736k used,   119848k free,     1744k buffers
Swap:   785400k total,   392732k used,   392668k free,    20068k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
25253 nagios    20   0 3475m 3.1g  316 R 198.6 84.6 369:06.17 w00t
    1 root      20   0 19232  368  360 S  0.0  0.0   0:00.59 init
    2 root      20   0     0    0    0 S  0.0  0.0   0:00.00 kthreadd
    3 root      RT   0     0    0    0 S  0.0  0.0   0:05.53 migration/0


top - 18:35:10 up  4:28,  1 user,  load average: 3.14, 3.15, 3.35
Tasks: 145 total,   1 running, 144 sleeping,   0 stopped,   0 zombie
Cpu(s):  1.7%us,  0.5%sy, 97.8%ni,  0.0%id,  0.0%wa,  0.1%hi,  0.0%si,  0.0%
Mem:   1536088k total,   473144k used,  1062944k free,     8704k buffers
Swap:   524280k total,   115948k used,   408332k free,    70516k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
20250 nagios    20   0  470m  10m 1128 S 390.8  0.7 155:58.30 tester
 1465 asterisk  20   0  387m  17m 3148 S  4.0  1.2   1:24.05 httpd


0
Comment
Question by:matthewmalk248
17 Comments
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 40013622
Hmm yes, it sounds as if you have a malicious user on your box.
do 'ps faux' and 'w' then do 'netstat -n' and post the info if you feel comfortable.
0
 

Author Comment

by:matthewmalk248
ID: 40013630
ps faux showed some interesting things...

Looks like I have some friends from Singapore playing with my emotions!

nagios    2030  0.0  0.0  39364    88 ?        Ss   14:07   0:03 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d


nagios   20250  377  0.6 482180 10544 ?        Ssl  17:52 241:18 /tmp/tester -o stratum+tcp://multi1.wemineall.com:80 -u weedee.1 -p x --alg



What's kinda weird is "Users" only shows me, not this ghost user, and "w" shows only
-bash-4.1# w
 18:58:15 up  4:51,  1 user,  load average: 4.01, 4.03, 3.85
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/0    MY.IP.ADDRESS    17:07    0.00s  0.01s  0.00s w



And netstat -n:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:53683             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53666             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53673             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53665             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53677             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53675             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53672             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53680             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53670             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:5038              127.0.0.1:51946             ESTABLISHED
tcp        0      0 127.0.0.1:53674             127.0.0.1:5038              TIME_WAIT
tcp        0     52 MY.SERVERS.IP:22            MY.REMOTED-IN.IP:50462         ESTABLISHED
tcp        0      0 127.0.0.1:53682             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53676             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53687             127.0.0.1:5038              TIME_WAIT
tcp        1      0 MY.SERVERS.IP:5666          180.210.205.209:50903       CLOSE_WAIT
tcp        0      0 127.0.0.1:53664             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53684             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53685             127.0.0.1:5038              TIME_WAIT
tcp        0      0 MY.SERVERS.IP:59670         37.187.28.68:80             ESTABLISHED
tcp        0      0 127.0.0.1:53686             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53678             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53668             127.0.0.1:5038              TIME_WAIT
tcp        0      0 127.0.0.1:53671             127.0.0.1:5038              TIME_WAIT
tcp        0      0 ::ffff:127.0.0.1:51946      ::ffff:127.0.0.1:5038       ESTABLISHED
tcp        0      0 ::ffff:MY.SERVERS.IP:80     ::ffff:MY.REMOTED-IN.IP:51963  ESTABLISHED


0
 

Author Comment

by:matthewmalk248
ID: 40013636
looks like port 5666 has been exploited, which I'm guessing is Nagios, so there's a Nagios exploit?
0
 
LVL 5

Accepted Solution

by:
Pasha Kravtsov earned 450 total points
ID: 40013642
Hmm, for the time being disable sshd, edit /etc/passwd and remove that user. Kill all the tasks being run by that user and make sure that there aren't any other weird things being run.
There are two reasons why the user might not be showing up using the 'w' command.
1. He's not currently logged in
2. There is a rootkit on your box and it has that command hooked to not show him.

Use this C program to detect whether there is a rootkit on your machine
http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html (great blog)

??? -> http://www.nagios.org/
0
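A small POSIX shell triage helper, added here and not part of the thread, that automates the two checks this answer and the author's ps faux post above turn on: flagging ps rows that run from a scratch directory like /tmp or carry a stratum mining-pool URL, and checking whether a preload library is configured (the mechanism ./preloadcheck tests for). The sample ps rows are the author's own from above plus a constructed init row; field positions assume plain 'ps aux' output.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Two checks that follow the
# findings above: (1) ps rows that look like the /tmp/tester miner, and
# (2) the LD_PRELOAD mechanism that ./preloadcheck looks for.

# flag_cmdline LINE: LINE is one row of 'ps aux' output. Prints a reason and
# returns 0 when the row looks suspicious, returns 1 when it looks normal.
flag_cmdline() {
    line=$1
    case "$line" in
        *stratum+tcp://*|*stratum+ssl://*)
            echo "mining pool URL in command line: $line"; return 0 ;;
    esac
    # Field 11 of 'ps aux' is the executable path.
    exe=$(printf '%s\n' "$line" | awk '{print $11}')
    case "$exe" in
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "executable runs from a world-writable scratch dir: $line"; return 0 ;;
    esac
    return 1
}

# count_suspicious: reads 'ps aux' rows on stdin, prints how many were flagged.
count_suspicious() {
    n=0
    while IFS= read -r row; do
        if flag_cmdline "$row" >/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# check_preload [FILE] [ENV_VALUE]: returns 1 if a preload library is configured
# either in FILE (default /etc/ld.so.preload) or via LD_PRELOAD, else 0.
check_preload() {
    f=${1:-/etc/ld.so.preload}
    env_val=${2-${LD_PRELOAD-}}
    status=0
    if [ -n "$env_val" ]; then echo "LD_PRELOAD is set: $env_val"; status=1; fi
    if [ -s "$f" ]; then echo "preload libraries listed in $f:"; cat "$f"; status=1; fi
    return $status
}

# Constructed sample: the two ps rows the author posted plus a normal init row.
SAMPLE_PS='nagios    2030  0.0  0.0  39364    88 ?        Ss   14:07   0:03 /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d
nagios   20250  377  0.6 482180 10544 ?        Ssl  17:52 241:18 /tmp/tester -o stratum+tcp://multi1.wemineall.com:80 -u weedee.1 -p x --alg
root         1  0.0  0.0  19232   368 ?        Ss   14:00   0:00 /sbin/init'

printf '%s\n' "$SAMPLE_PS" | count_suspicious   # prints 1
check_preload || echo "preload check: review the output above"
```

On a live box run `ps aux | while IFS= read -r r; do flag_cmdline "$r"; done` instead of the sample; a clean /etc/ld.so.preload check only rules out the file-based preload mechanism, not other rootkit types.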
 
LVL 26

Expert Comment

by:pony10us
ID: 40013681
There is an exploit related to Nagios and NRPE (port 5666).

http://www.opsview.com/whats-new/blog/security-notice-nrpe-exploit
0
 

Author Comment

by:matthewmalk248
ID: 40013692
Well, this doesn't look good then. I ran that C program to check for userland rootkits..
[+] Checking open syscall.
[+] Checking readdir syscall.
[+] Checking fopen syscall.
[!] Preload hooks dectected!
Libc address: 0x175410
Next address: 0x239330
[+] Checking accept syscall.
[+] Checking access syscall.
[+] Checking unlink syscall.


0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 40013697
damn that's bad.. looks like you have a rootkit installed on your box. Best bet is to reinstall the box and back up your critical files.. When I say back up critical data I mean text files and things like that, nothing that is able to carry infected code.
0
 

Author Comment

by:matthewmalk248
ID: 40013713
Dang! Is there any way to like use rkhunter logs to clean it?
0
 

Author Comment

by:matthewmalk248
ID: 40013741
Also, odd note, I ran it again, and everything seemed normal? Ran a few more times to be sure. This was after I had deleted the Nagios user from /etc/passwd.

]# ./preloadcheck
[+] Checking open syscall.
[+] Checking readdir syscall.
[+] Checking fopen syscall.
[+] Checking accept syscall.
[+] Checking access syscall.
[+] Checking unlink syscall.


0
 
LVL 77

Expert Comment

by:arnold
ID: 40013780
Nagios is a network/system monitoring tool. If you did not install it, that would be a concern. If you had set it up, you may have a check designed for a host that could have gone wrong. What is the second system where tester was running?

Without looking at the code, it seems tester is supposed to monitor a web site and alert, presumably, if the site is down, or using an extended test, if the content on the page changed.
Often, one places a marker such as an HTML comment; if that comment is missing, an alert that the website is "corrupted", compromised.....
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 40013786
Matthew, that program checks whether a rootkit is actively running on your machine. It makes sense after you killed the malicious user that the rootkit died/isn't running anymore.. a little.. haha. Well, try running ps faux and continue monitoring for issues. If you have any more, feel free to visit my profile and send me an email.
0
 

Author Comment

by:matthewmalk248
ID: 40013873
LoL yea, what a wimpy rootkit if it dies when I ran "skill -STOP -u nagios". I'm going to tighten up the system and monitor it a lot for the next few weeks. I changed the SSH port, disabled password auth so I'm only using keys now, and set up iptables. There's nothing life (or credit) threatening on the box, so I'm kind of curious if I can dismantle this infection piece by piece. Would be kind of cool not having to set all this stuff up again!
0
 
LVL 77

Expert Comment

by:arnold
ID: 40013899
Make sure to update openssl, openssh.

Did you previously set up nagios on your system?
0
 

Author Comment

by:matthewmalk248
ID: 40013942
No, but I noticed that there's a "nagios" user in /etc/passwd even on a fresh install of this Distro of CentOS 6.5, is that normal?
0
 
LVL 5

Expert Comment

by:Pasha Kravtsov
ID: 40014050
Hm, sounds like you got something that was vulnerable, I'm not sure. Definitely not openssl issues.. lol it's not heartbleed
0
 
LVL 37

Assisted Solution

by:Gerwin Jansen
Gerwin Jansen earned 50 total points
ID: 40014785
tcp://multi1.wemineall.com:80 -> Your CPU is being used to generate some bitcoins for someone
0
 

Author Comment

by:matthewmalk248
ID: 40014810
Thanks Gerwin, that's actually a relief! Probably the least malicious thing I can imagine, other than wasting electricity
0
