system breach

gareth bsd at lordcow.org
Thu Dec 28 15:41:14 PST 2006


hey guys, my server rebooted a few days ago, and while i was
looking around for possible reasons (none came up, which's
disconcerting in itself) i found this suspicious directory:

$ ls -l /tmp/download
total 44
drwxr-xr-x  4 root  wheel    512 Oct 23 16:28 Archive_Tar-1.3.1
drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 Console_Getopt-1.2
drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 XML_RPC-1.5.0
-rw-r--r--  1 root  wheel  15433 Jul 12 02:09 package.xml
-rw-r--r--  1 root  wheel  22193 Jul 12 02:09 package2.xml


the subdirs contain a bunch've .php files, and the xml files
are info about version updates of PEAR'S "XML-RPC for PHP".
they're owned by root (only i have the passwd) so it wasn't
made by a local user, and i assume it wasn't made by portupgrade
or something like that?

so, i've got no idea how that dir got there, i'm guessing via
some web exploit that i still need to look into, and /tmp
is mounted 'exec' for some legit processes to function, can't
remember which, so it's possible they were able to upload
something and run it. chkrootkit which i've only just installed
seems clear.

anyway, i'm trying to figure out when this happened to have
something to go on, and i don't understand the stat command,
for example:

$ stat /tmp/download/package2.xml
60 49356 -rw-r--r-- 1 root wheel 198776 22193 "Dec 28 04:03:50 2006" "Jul 12 02:09:14 2006" "Oct 23 16:28:28 2006" "Jul 12 02:09:14 2006" 4096 44 0 /tmp/download/package2.xml

taking hints from 'stat -x' and 'stat -s' i gather this means:

access time = Dec 28 04:03:50 2006
modify time = Jul 12 02:09:14 2006
change time = Oct 23 16:28:28 2006
birth  time = Jul 12 02:09:14 2006

now how much of these dates are local or carried over from the source system,
since my system was created at 08:00 on 21 Oct 2006 (ie. the Jul dates don't
make sense)? (also what's the difference between modify and change time?)

essentially is there a way i can tell when the files were put there?

this's the directory's info too:

$ stat /tmp/download
60 49346 drwxr-xr-x 5 root wheel 196642 512 "Dec 29 00:53:16 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" 4096 4 0 /tmp/download




ps. out've interest:

this's the only suspicious thing in the logs i could find:

Oct 23 00:31:42 lordcow kernel: pid 48464 (conftest), uid 0: exited on signal 12 (core dumped)
Oct 23 01:19:26 lordcow kernel: pid 17512 (conftest), uid 0: exited on signal 12 (core dumped)

though from google it seems it could be an innocent apache thing.

also around the 23rd or 24th of Oct i started taking md5sums of all the files in the bin and lib
directories, and they haven't changed without my knowledge since then. course that doesn't help
if the breach was in the 2 odd days before this and after the system was created. also, snort
hasn't reported anything overly suspicious, and all packages are kept up to date.


More information about the freebsd-stable mailing list