When I did a search in Google, I found this trojan, LVK4 (http://www.hut.fi/~jjkleimo/kurssit/tik110452/examples_rootkit.html). It looks like my box behaves the same as one with LVK4 installed.
I did a /sbin/ifconfig and got the following result:
[root@server1 bin]# /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:90:27:43:87:D7
inet addr:10.10.10.19 Bcast:10.10.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:67632 errors:0 dropped:0 overruns:0 frame:0
TX packets:58572 errors:0 dropped:0 overruns:0 carrier:1
collisions:4651 txqueuelen:100
Interrupt:10 Base address:0xa000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:33 errors:0 dropped:0 overruns:0 frame:0
TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
I did a netstat and got the following:
netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 20 10.10.10.19:ssh 1xx.41.128.54:779 ESTABLISHED
tcp 0 0 10.10.10.19:ssh 1xx.41.128.54:709 ESTABLISHED
tcp 0 0 10.10.10.19:22316 minotor.spale.com:ircd ESTABLISHED
The first two ssh connections were established by me. But where does this ircd connection come from?
Has anyone had this kind of problem before?
After I got the advice from David (Thanks, David. That was pretty quick; I was still debugging my box when your answer came up.), I downloaded sash and untarred it (tar xvzf) on my box. After "make install", I tried "su nsadmin -lc sash" in the sash folder. I was prompted with "Stand-alone shell (version 3.4)
>".
Then I tried several commands and got the following info:
> ls
ls: Permission denied
> ps awux | grep nsd
sh: /bin/ps: Permission denied
> ls /lib
ls: Permission denied
> locate libshow
locate: Permission denied
Then I came across this article: http://online.securityfocus.com/archive/75/249597. I checked the system following its instructions. I didn't find libshow.so on my box.
The following are ports open in my box:
The following ports are allowed incoming; all ports are allowed outgoing:
TCP/5190 AOL Browser
TCP/8000 AOL Server
TCP/53 DNS
TCP/21 FTP
TCP/80 HTTP
TCP/443 HTTPS
TCP/8443
TCP/110 POP3
TCP/25 SMTP
TCP/22 SSH
TCP/23 TELNET
UDP/53
UDP/22
I did use ws_ftp to upload my files from a Windows box to this server. I guess that's where my password was sniffed.
Any idea?
Jay
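As an added example (not part of Jay's post or of any tool he mentions), the script below applies the same reasoning Jay used by eye to netstat output: a connection whose local side is one of the host's advertised services was initiated by a client, while one whose local side is an ephemeral port was initiated by the host itself, and an outbound connection to an IRC service is the classic sign of a bot checking in. The sample output is constructed to mirror the lines in the post, the list of expected local services is assumed from the port list Jay gives, and the set of IRC service names/ports is an assumed policy list.

```python
"""Flag unexpected established connections in `netstat` output (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the netstat output quoted in the post.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     20 10.10.10.19:ssh         1xx.41.128.54:779       ESTABLISHED
tcp        0      0 10.10.10.19:ssh         1xx.41.128.54:709       ESTABLISHED
tcp        0      0 10.10.10.19:22316       minotor.spale.com:ircd  ESTABLISHED
"""

# Assumed policy: services this host is expected to serve, taken from the
# firewall port list in the post. netstat without -n prints names, so both
# the service name and the numeric port are listed.
EXPECTED_LOCAL_SERVICES = {
    "ssh", "22", "telnet", "23", "ftp", "21", "smtp", "25", "pop3", "110",
    "domain", "53", "http", "80", "https", "443", "5190", "8000", "8443",
}

# Assumed policy: remote services commonly used for bot command-and-control.
SUSPECT_REMOTE_SERVICES = {"ircd", "irc", "6667", "6668", "6669", "7000"}


@dataclass
class Conn:
    proto: str
    local_host: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str


def parse_netstat(text: str) -> List[Conn]:
    """Parse the connection rows of `netstat` output, skipping headers."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        # Only rows that start with a protocol and carry a State column.
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, _recvq, _sendq, local, remote, state = parts[:6]
        # rsplit so an IPv6 address with colons does not break the port off wrongly.
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        conns.append(Conn(proto, lhost, lport, rhost, rport, state))
    return conns


def classify(conn: Conn) -> Optional[str]:
    """Return a reason the connection deserves attention, or None if it is explained."""
    if conn.state != "ESTABLISHED":
        return None
    if conn.local_port in EXPECTED_LOCAL_SERVICES:
        return None  # a remote client reached one of our advertised services
    # Local side is an ephemeral port, so this host opened the connection.
    if conn.remote_port in SUSPECT_REMOTE_SERVICES:
        return "outbound connection to IRC service %s on %s" % (
            conn.remote_port, conn.remote_host)
    return "outbound connection to %s:%s not explained by served ports" % (
        conn.remote_host, conn.remote_port)


def find_suspicious(text: str) -> List[Tuple[Conn, str]]:
    """Pair every suspicious connection with the reason it was flagged."""
    hits = []
    for conn in parse_netstat(text):
        reason = classify(conn)
        if reason:
            hits.append((conn, reason))
    return hits


if __name__ == "__main__":
    for conn, reason in find_suspicious(SAMPLE_NETSTAT):
        print("%s %s:%s -> %s:%s: %s" % (conn.proto, conn.local_host, conn.local_port,
                                        conn.remote_host, conn.remote_port, reason))
```

On the sample this reports only the third row, the host-initiated connection to minotor.spale.com:ircd, while the two inbound ssh sessions pass. In practice the script should be fed `netstat -n` output captured while the host is booted from trusted media, since, as the post itself shows, a rootkit can make the local `netstat`, `ps` and `ls` lie.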