[Nagiosplug-devel] bug?? check_procs (nagios-plugins 1.4.2) 1.46 - 0 processes
Andreas Ericsson
ae at op5.se
Wed Feb 15 03:42:08 CET 2006
Michał Panasiewicz wrote:
> [root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C smbd
> PROCS OK: 0 processes with command name 'smbd'
> [root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C smbd -vvv | grep smbd
> SNs 0 1 9972 3488 0.0 smbd smbd -D
> 0 0 9972 3488 0 1 0,00 SNs .0 smbd smbd -D
> SN 0 9361 10128 3684 0.0 smbd smbd -D
> 0 0 10128 3684 0 9361 0,00 SN .0 smbd smbd -D
> SN 1019 9361 11152 5436 0.4 smbd smbd -D
> 0 1019 11152 5436 0 9361 0,00 SN .4 smbd smbd -D
> SN 99 9361 10704 4872 0.0 smbd smbd -D
> 0 99 10704 4872 0 9361 0,00 SN .0 smbd smbd -D
> RN 1001 9361 11620 5696 1.1 smbd smbd -D
> 0 1001 11620 5696 0 9361 1,00 RN .1 smbd smbd -D
> SN 1002 9361 10864 4784 17.3 smbd smbd -D
> 0 1002 10864 4784 0 9361 17,00 SN .3 smbd smbd -D
> SN 0 9361 10560 4200 0.1 smbd smbd -D
> 0 0 10560 4200 0 9361 0,00 SN .1 smbd smbd -D
> S+ 0 1984 1756 640 0.0 check_procs /usr/lib/nagios/plugins/check_procs -C smbd -vvv
> 0 0 1756 640 0 1984 0,00 S+ .0 check_procs /usr/lib/nagios/plugins/check_procs -C smbd -vvv
> S+ 0 1984 1824 600 0.0 grep grep smbd
> 0 0 1824 600 0 1984 0,00 S+ .0 grep grep smbd
> PROCS OK: 0 processes with command name 'smbd'
> [root at kuf-serwer ~]# ps ax | grep smbd
> 9361 ? SNs 0:00 smbd -D
> 9368 ? SN 0:02 smbd -D
> 7450 ? SN 0:42 smbd -D
> 13219 ? SN 0:04 smbd -D
> 3912 ? SN 0:46 smbd -D
> 734 ? RN 0:37 smbd -D
> 2543 ? SN 0:00 smbd -D
> 2969 pts/0 R+ 0:00 grep smbd
> [root at kuf-serwer ~]# /usr/lib/nagios/plugins/check_procs -C smbd -vv
> CMD: /bin/ps axwo 'stat uid ppid vsz rss pcpu comm args'
> PROCS OK: 0 processes with command name 'smbd'
>
You've been hacked, and pretty thoroughly, if clumsily, I'd say. First
of all, pull the network cable. Installing local firewall rules probably
won't do. Then install new 'find' and 'netstat' utilities on your
system. Preferably tools that have been pre-compiled on a different,
trusted, system. Do *not* use a package management tool to install it.
Then do (as root)
# netstat -tpan | grep smbd
# find / -type f -name "smbd -D"
The good thing is that the "smbd -D" ssh daemon comes with a lot of
root-kits, so you're most likely being attacked by script-kids
(otherwise you probably wouldn't see the daemon with ps). The bad thing
is that most of those root-kits have been written by very competent
people, so you'll most likely have to re-install the entire system from
the ground up. While you're at it, make sure you upgrade as well, and do
a readonly chroot jail setup for networking daemons. That way you
shouldn't have to worry about these things later on.
To summarize, check_procs is actually quite right. The process name is
'smbd -D' (not smbd), and it is in fact an ssh daemon hacked to always
allow a certain key to authenticate and spawn a root-shell.
--
Andreas Ericsson andreas.ericsson at op5.se
OP5 AB www.op5.se
Tel: +46 8-230225 Fax: +46 8-230231