Hi guys,
I've been hacked too.
It appears it's proftpd which has been used (my version was 1.3.3a-3...
my bad).
The exploit used seems to be this one, the ProFTPD IAC exploit:
http://www.exploit-db.com/exploits/15449/
Same actions:
- created users 2 x userx (uid 9, gid 9, /tmp), 2 x default (with uid 0,
gid 1, /dev/devx) on 13 Nov
- opened an sshd shell (netcat?) on port 59997 on 14 Nov
- created user psadmin on 14 Nov
- dropped a file named .bash in /home/psadmin (shell obfuscated, but I
believe it's a perl script used to launch attacks against others)
- dropped the exploit file (the one from exploit-db) in /tmp, renamed to
proftpd (I've seen a lot of "perl proftpd aa.bb.cc.dd xx.yy.zz.ww number"
in my ps logs)
- dropped /etc/proftpd.conf and /usr/local/etc/proftpd.conf
I don't know more for now (keylogger, rootkit, etc.) except that my
server was used to attack other servers.
Any information about maliciousness is welcome... I really don't want to
reinstall, and I don't want to change my passwords until I'm sure
there's no keylogger.
However, rkhunter, tigerrc, ossec, lynis and chkrootkit didn't raise too
many alarms (except "New user added", which I missed as I was not at
home).
Reinstalled lsof and rkhunter and nothing bad shows up: no modified
processes or files, nothing listening or connecting to an unknown source.
Regards.
Sioban
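A small triage helper, added here as an example and not part of the post above, that checks a copy of /etc/passwd for the kinds of indicators the poster describes (duplicate accounts, extra uid-0 accounts, home directories under /tmp or /dev) and compares listening ports against an allowlist. The passwd excerpt and port list are constructed to mirror the post; the account names, uids and port 59997 are taken from it, the rest is assumed.

```python
"""Triage helper for the indicators described in the post: duplicate or
uid-0 accounts and odd home directories in /etc/passwd, plus listening
ports that are not on an allowlist. All sample data below is constructed."""
from collections import Counter

# Constructed /etc/passwd excerpt modelled on the accounts named in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
userx:x:9:9::/tmp:/bin/bash
userx:x:9:9::/tmp:/bin/bash
default:x:0:1::/dev/devx:/bin/bash
default:x:0:1::/dev/devx:/bin/bash
psadmin:x:1001:1001::/home/psadmin:/bin/bash
"""

# Home directories a legitimate interactive account should not live under.
SUSPECT_HOME_PREFIXES = ("/tmp", "/var/tmp", "/dev")

def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[0]:
            continue  # skip blank or malformed lines
        name, _, uid, gid, _, home, shell = parts
        yield name, int(uid), int(gid), home, shell

def passwd_findings(text):
    """Return sorted, de-duplicated (rule, username) findings for a passwd dump."""
    entries = list(parse_passwd(text))
    findings = set()
    for name, count in Counter(e[0] for e in entries).items():
        if count > 1:
            findings.add(("duplicate_account", name))
    for name, uid, _gid, home, _shell in entries:
        if uid == 0 and name != "root":
            findings.add(("extra_uid0", name))
        if home.startswith(SUSPECT_HOME_PREFIXES):
            findings.add(("suspect_home", name))
    return sorted(findings)

def unexpected_listeners(listening_ports, allowlist):
    """Return listening TCP ports that are not in the expected set."""
    return sorted(set(listening_ports) - set(allowlist))

if __name__ == "__main__":
    for rule, name in passwd_findings(SAMPLE_PASSWD):
        print(f"{rule}: {name}")
    # Constructed listener list; 59997 is the port mentioned in the post.
    print("unexpected listeners:", unexpected_listeners([21, 22, 59997], [21, 22, 80]))
```

On a live system the same functions can be fed `open("/etc/passwd").read()` and the port column of `ss -ltn` or `netstat -ltn` output.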