
Feb 14, 2004

I had a hacker!

Well, it's official, there's been a hacker on Glitchnyc.com. I'm not certain what their intentions were, but I was able to shut down the little "watcher" rootkit they were running, at least temporarily, and had fun dissecting the program to see what it did.


Every so often, I check up on my little machine to make sure that no one is running programs I don't want them to. As I learn more and more about Linux, I'm finding out how to detect users even if they're trying to hide what they're doing. One of the best ways to do this is to run

netstat -l localhost

This command will give a full list of what ports are open on your system. I saw my usual ports for SSH, mysql, the little Java/db program I wrote, and then what's this?!? Port 2700 is hanging open, and I don't know what for.
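The check described above, as an added example that is not from the original post: a small script that parses Linux `netstat -lnt` output, compares the listening TCP ports against a baseline of what the administrator expects (the port numbers, service names and sample output below are constructed, not taken from the author's machine), and flags anything else, with sockets bound to all interfaces reported first.

```python
from typing import Dict, List, Tuple

# Constructed sample of `netstat -lnt` output (numeric, listening TCP sockets).
# Not captured from the author's server; the 2700 entry mimics the post's finding.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2700            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Hypothetical baseline: ports the administrator knows should be listening.
EXPECTED_PORTS: Dict[int, str] = {22: "sshd", 3306: "mysqld", 8080: "java/db app"}

def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header lines, UDP, or non-listening sockets
        addr, _, port = fields[3].rpartition(":")  # handles IPv6 forms like ":::22"
        listeners.append((fields[0], addr, int(port)))
    return listeners

def unexpected_listeners(netstat_output: str, expected=EXPECTED_PORTS):
    """Listeners whose port is not in the baseline; wildcard-bound ones sorted first."""
    found = [l for l in parse_listeners(netstat_output) if l[2] not in expected]
    return sorted(found, key=lambda l: l[1] not in ("0.0.0.0", "::"))

def report(netstat_output: str) -> List[str]:
    """Human-readable findings, one line per unexpected listening port."""
    lines = []
    for proto, addr, port in unexpected_listeners(netstat_output):
        exposure = "all interfaces" if addr in ("0.0.0.0", "::") else addr
        lines.append(f"UNEXPECTED {proto} port {port} listening on {exposure}")
    return lines

if __name__ == "__main__":
    for line in report(SAMPLE_NETSTAT) or ["no unexpected listeners"]:
        print(line)
```

On a live system, feed it the real output (for example `subprocess.check_output(["netstat", "-lnt"], text=True)`) and keep the baseline in a file you update whenever you deliberately start a new service.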

I telnetted to the port and sniffed around a bit. I was greeted by the prompt:

WelCome All
  Commands are followed by a ;
Password:

Of course, I had no idea what the password was, so I killed the process:

ps x -A

I saw the rogue process; it was called watcher.

killall tmp/watcher

Next, I wanted to take a look at the code, so I got myself a little hex editor called shed and pulled apart the code.

It wasn't that well written, so the little password prompt was just a string compare. Right after the password prompt, it listed the password in hex.

Armed with this, I restarted the rootkit and went back in on port 2700. After entering the password, I tried the command help; and was greeted with a full bash prompt and help dialogue.

This little program really was a traditional rootkit. All it did when run was provide a way for the hacker to come in, run watcher, and then telnet to port 2700 and be able to run any commands he wanted as root without being logged in as a full user, keeping anything he did out of my logs and history files.

The big question is how the rootkit got on my machine in the first place. I'll have to do some research, but I know my machine was vulnerable just by virtue of the fact that it's running ancient versions of samba and ssh. I'll have to get those updated this weekend, finally, I guess.

Well, the server's ok and it doesn't seem like anything bad was done, so all in all, this was kinda fun, and certainly a kick in the pants to update my security.
