I'll send you this evening the list of installed packages. I have had the opportunity to clean the system an hour ago. I have uninstalled proftpd since I do not use it anymore, but as I already sent you the version involved, it does not really matter ... the only dumb thing I did is that I added --purge to the apt-get remove command ...
I suspected proftpd and a quick look at the proftpd logs shows a really great number of login attempts (bruteforce like) and several "too long command" thingies (I'll be more specific this evening), the last one being at the exact same time as the mod_facl error and the psadmin user creation. You said mod_facl is not active by default. It's quite strange since I don't remember modifying the proftpd configuration since I installed it a few months ago. Furthermore, I have tripwire installed, which did not show anything worth mentioning besides the passwd and shadow modifications. Bruteforcing passwords on the server seems unlikely since the root password and user passwords were at least 8 chars long and mixed lower and upper case, digits and punctuation. Lastly, but that will probably not be of any interest to you, the hacker left a binary .bash file in the psadmin home dir (the user he created). I renamed it and kept it for later use if there is a way to fingerprint it and link it to a known rootkit. Since the user was created only milliseconds after the facl error, I suspect either a nicely crafted buffer overflow in mod_facl triggered the user creation or a script triggered by an exploit (linked to but maybe not caused by the mod_facl error) created it ... It does not seem humanly possible to type that fast ...

Additional information: the hacker had launched an additional sshd on port 59997 and created 2 entries for users userx and default in passwd and shadow, with id 0 and group id 1 for default and id/group id 9/9 for userx. I am not that skilled in resolving security issues but it seems to me there are no such users automatically created by any debian package, and thus I deleted the corresponding lines in passwd and shadow. On the "not so skilled" topic, I have another problem, though ...
It seems to me the default tiger and tripwire configurations are not completely coherent with the default system configuration, especially concerning /etc/passwd content (default shell for instance: nologin or a valid shell for some administrative users). I know this is probably none of your concern but if, by any means, you could be of some help ... If you know any debian security geek who could explain some of those things to me, I'd be glad to listen/read for hours ... Anyway, thx for answering that fast and thanks for any further hint you might provide.

Carm

On Mon, 15 Nov 2010 12:04:26 +0100, "Francesco P. Lovergine" <fran...@debian.org> wrote:
> tag 603555 + moreinfo
> thanks
>
> On Mon, Nov 15, 2010 at 11:18:35AM +0100, Jean Couillaud wrote:
>>
>> Package: proftpd-basic
>> Version: 1.3.3a-5
>>
>> Hi,
>>
>> My server just got rooted and what I've done for now, to dig into what
>> could have been the leak, points to proftpd, mod_facl in particular.
>> I won't have a way to dig further until this evening (UTC+1 local time),
>> but it is a testing (squeeze) debian almost up to date with only ssh, apache and
>> proftpd available from the outside.
>>
>> Here is the logcheck notification that led me to think mod_facl is guilty:
>>
>
> The mod_facl is not active by default. It would help having a look
> to your complete configuration. That said, I see no evidence of
> proftpd being a possible guilty by your report.
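The rogue accounts described in the report above (a second uid-0 user, a system-range uid with a login shell, and an extra login-capable user the administrator never created) are exactly what a small audit of /etc/passwd should catch, and the same check addresses the "valid shell for administrative users" point that tiger raises. The following Python script is an added example written for this page; it is not code from the bug report, from proftpd or from Debian. The passwd contents, the user names and the baseline set are constructed for illustration.

```python
"""Audit an /etc/passwd snapshot for rogue accounts of the kind described in
the report above. Added example, not part of the bug report or of proftpd."""

import sys

# Shells that do not permit an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Debian allocates uids below 1000 to system accounts (SYS_UID_MAX in
# /etc/adduser.conf); ordinary users start at 1000.
FIRST_NORMAL_UID = 1000

# Constructed sample modelled on the report: root, a few normal system users,
# the legitimate admin, and three injected accounts ("default" with uid 0 /
# gid 1, "userx" with uid/gid 9/9, and "psadmin"). Not a real passwd file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
carm:x:1000:1000:Carm:/home/carm:/bin/bash
default:x:0:1::/:/bin/sh
userx:x:9:9::/tmp:/bin/sh
psadmin:x:1001:1001::/home/psadmin:/bin/bash
"""


def parse_passwd(text):
    """Return a list of dicts, one per passwd line, validating the 7-field layout."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, found {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_passwd(text, baseline_login_users):
    """Map each suspicious account name to the list of reasons it was flagged.

    baseline_login_users: names (besides root) that are expected to have an
    interactive shell, e.g. the admin's own account.
    """
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    for e in parse_passwd(text):
        name, uid, shell = e["name"], e["uid"], e["shell"]
        interactive = shell not in NOLOGIN_SHELLS
        # Any second uid-0 account is a backdoor until proven otherwise.
        if uid == 0 and name != "root":
            flag(name, "uid 0 but not root")
        # Login-capable account that the administrator did not create.
        if interactive and name != "root" and name not in baseline_login_users:
            flag(name, f"interactive shell {shell} not in baseline")
        # System-range uid with a real shell: what tiger complains about, and
        # also how "userx" (uid 9) looks.
        if 0 < uid < FIRST_NORMAL_UID and interactive:
            flag(name, "system uid with interactive shell")
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real file; otherwise the constructed sample runs.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    baseline = set(sys.argv[2:]) or {"carm"}
    for user, reasons in audit_passwd(data, baseline).items():
        print(f"{user}: " + "; ".join(reasons))
```

Run it as `python3 audit_passwd.py /etc/passwd carm` on a live system (the script name and the baseline user are placeholders for your own); a clean Debian install should produce no findings apart from a handful of system accounts that legitimately keep a shell (for example `sync` with `/bin/sync`), which you would then add to a local allow-list rather than silence globally. Comparing the output against a copy of /etc/passwd taken at install time, as tripwire does for the file as a whole, tells you which entries are new rather than merely unusual.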