Intruders kidnapping PIDs of server processes
Problem/Background:
Recently our system was under attack by intruders using trojan code to
gain access to our system. Apparently they where trying to get one of
our servers to route IRC-traffic using psyBNC.
It seems like the intruders, probably using reppid to take over processes,
could hide their own processes in existing ones. Doing something like
ps -gaux won't show anything strange at all!
This makes it impossible to find and shut off unwanted processes.
Using netstat I could clearly see that "something" was listening on
ports that I didn't recognize. Doing netstat -ap only showed a dash '-'
instead of any process owning the socket.
Software:
The server was running Linux Redhat 7.2 (Kernel 2.4.7-10). Unfortunately
I cannot get anymore specific because the intruders seems to have rendered
the system unbootable before I had any chance of gathering info for
this report. But this bug (or feature) seems to affect all kernels,
regardless
of version.
Solution?
Is there anyway to fix this "bug" or is it a built-in feature. So that
software
like reppid simply can't take over an existing PID.
Sources:
Probably the intruders have been using something similar to the program
Reppid found at http://www.psychoid.lam3rz.de/reppid.c.
I would be grateful for an answer, even a simple "No,
it's not a bug, it's a feature" would help.
TIA
Carl Oeberg, (webmaster@gitte.nu)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Mar 15 2003 - 22:00:21 EST