[Nagiosplug-devel] bug?? check_procs (nagios-plugins 1.4.2) 1.46 - 0 processes

Andreas Ericsson ae at op5.se
Wed Feb 15 03:42:08 CET 2006


Michał Panasiewicz wrote:
> [root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -C smbd
> PROCS OK: 0 processes with command name 'smbd'
> [root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -C smbd -vvv |
> grep smbd
> SNs      0     1   9972  3488  0.0 smbd            smbd -D
> 0 0 9972 3488 0 1 0,00 SNs  .0 smbd            smbd -D
> SN       0  9361  10128  3684  0.0 smbd            smbd -D
> 0 0 10128 3684 0 9361 0,00 SN  .0 smbd            smbd -D
> SN    1019  9361  11152  5436  0.4 smbd            smbd -D
> 0 1019 11152 5436 0 9361 0,00 SN  .4 smbd            smbd -D
> SN      99  9361  10704  4872  0.0 smbd            smbd -D
> 0 99 10704 4872 0 9361 0,00 SN  .0 smbd            smbd -D
> RN    1001  9361  11620  5696  1.1 smbd            smbd -D
> 0 1001 11620 5696 0 9361 1,00 RN  .1 smbd            smbd -D
> SN    1002  9361  10864  4784 17.3 smbd            smbd -D
> 0 1002 10864 4784 0 9361 17,00 SN  .3 smbd            smbd -D
> SN       0  9361  10560  4200  0.1 smbd            smbd -D
> 0 0 10560 4200 0 9361 0,00 SN  .1 smbd            smbd -D
> S+       0  1984   1756   640  0.0
> check_procs     /usr/lib/nagios/plugins/check_procs -C smbd -vvv
> 0 0 1756 640 0 1984 0,00 S+  .0
> check_procs     /usr/lib/nagios/plugins/check_procs -C smbd -vvv
> S+       0  1984   1824   600  0.0 grep            grep smbd
> 0 0 1824 600 0 1984 0,00 S+  .0 grep            grep smbd
> PROCS OK: 0 processes with command name 'smbd'
> [root at kuf-serwer ~]# ps ax | grep smbd
>  9361 ?        SNs    0:00 smbd -D
>  9368 ?        SN     0:02 smbd -D
>  7450 ?        SN     0:42 smbd -D
> 13219 ?        SN     0:04 smbd -D
>  3912 ?        SN     0:46 smbd -D
>   734 ?        RN     0:37 smbd -D
>  2543 ?        SN     0:00 smbd -D
>  2969 pts/0    R+     0:00 grep smbd
> [root at kuf-serwer ~]#  /usr/lib/nagios/plugins/check_procs -C smbd -vv
> CMD: /bin/ps axwo 'stat uid ppid vsz rss pcpu comm args'
> PROCS OK: 0 processes with command name 'smbd'
> 

You've been hacked, and pretty thoroughly, if clumsily, I'd say. First 
of all, pull the network cable. Installing local firewall rules probably 
won't do. Then install new 'find' and 'netstat' utilities on your 
system. Preferrably tools that have been pre-compiled on a different, 
trusted, system. Do *not* use a package management tool to install it. 
Then do (as root)

	# netstat -tpan | grep smbd
	# find / -type f -name "smbd -D"

The good thing is that the "smbd -D" ssh daemon comes with a lot of 
root-kits, so you're most likely being attacked by script-kids 
(otherwise you probably wouldn't see the daemon with ps). The bad thing 
is that most of those root-kits have been written by very competent 
people, so you'll most likely have to re-install the entire system from 
the ground up. While you're at it, make sure you upgrade as well, and do 
a readonly chroot jail setup for networking daemons. That way you 
shouldn't have to worry about these things later on.

To summarize, check_procs is actually quite right. The process name is 
'smbd -D' (not smbd), and it is in fact an ssh daemon hacked to always 
allow a certain key to authenticate and spawn a root-shell.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231
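The mechanism behind the thread's "0 processes" result is that check_procs -C compares its argument against each process's comm field (the kernel task name) for an exact match, so a binary whose filename literally contains a space, "smbd -D", never equals "smbd". The following Python script is an added example, not code from the nagios-plugins project or from either poster; it reproduces that counting rule over a constructed process table shaped like the ps format quoted in the thread, and adds a defender-side heuristic that flags processes whose comm contains whitespace or does not equal the basename of argv[0]. One genuinely named Samba daemon is included for contrast, so the -C count here is 1 rather than the thread's 0.

```python
#!/usr/bin/env python3
"""Why 'check_procs -C smbd' can report 0 processes while 'ps' shows several smbd -D.

check_procs -C compares its argument with each process's comm field (the kernel
task name: the executable's basename, at most 15 characters) for an exact match.
A binary installed under a filename that literally contains a space, such as
"smbd -D", therefore has comm "smbd -D" and is never counted as "smbd".
The records below are constructed for this example; they are not the output
quoted in the thread.
"""
from dataclasses import dataclass
import os

COMM_MAX = 15  # the kernel truncates comm to 15 characters (TASK_COMM_LEN - 1)


@dataclass(frozen=True)
class Proc:
    """One row of: ps axwo 'stat uid ppid vsz rss pcpu comm args'."""
    stat: str
    uid: int
    ppid: int
    vsz: int
    rss: int
    pcpu: float
    comm: str
    args: str


# Constructed process table.  Three rows mimic the thread's masquerading daemon
# (comm "smbd -D"); one is a genuinely named Samba daemon for contrast.
SAMPLE = [
    Proc("Ss",  0,    1, 20480, 3100, 0.0, "sshd",    "/usr/sbin/sshd -D"),
    Proc("SNs", 0,    1,  9972, 3488, 0.0, "smbd -D", "smbd -D"),
    Proc("SN",  0, 9361, 10128, 3684, 0.0, "smbd -D", "smbd -D"),
    Proc("SN", 1019, 9361, 11152, 5436, 0.4, "smbd -D", "smbd -D"),
    Proc("S",   0,    1,  8000, 2000, 0.0, "smbd",    "/usr/sbin/smbd -D"),
    Proc("R+",  0, 1984,  1824,  600, 0.0, "grep",    "grep smbd"),
]


def count_by_comm(procs, name):
    """Mimic check_procs -C NAME: exact comparison against comm."""
    return sum(1 for p in procs if p.comm == name)


def count_by_args(procs, pattern):
    """Mimic check_procs -a PATTERN: substring match on the full argument string."""
    return sum(1 for p in procs if pattern in p.args)


def suspicious(procs):
    """Heuristic integrity check: comm should be the basename of argv[0].

    Returns [(comm, args, reason), ...].  Legitimate exceptions exist (programs
    that rename themselves with prctl(PR_SET_NAME), kernel threads, interpreters
    running a script), so treat hits as leads for a manual look, not verdicts.
    Note that ps joins argv with spaces, so an argv[0] that itself contains a
    space is indistinguishable from a program name followed by an option; the
    whitespace test on comm is what catches that case.
    """
    hits = []
    for p in procs:
        reasons = []
        if any(c.isspace() for c in p.comm):
            reasons.append("whitespace in comm")
        argv0 = p.args.split()[0] if p.args.strip() else ""
        expected = os.path.basename(argv0)[:COMM_MAX]
        if expected and p.comm != expected:
            reasons.append(f"comm {p.comm!r} != basename(argv[0]) {expected!r}")
        if reasons:
            hits.append((p.comm, p.args, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for name in ("smbd", "smbd -D"):
        print(f"-C {name!r}: {count_by_comm(SAMPLE, name)} processes")
    print(f"-a 'smbd': {count_by_args(SAMPLE, 'smbd')} processes")
    for comm, args, why in suspicious(SAMPLE):
        print(f"SUSPICIOUS comm={comm!r} args={args!r}: {why}")
```

Run as-is, the script shows the -C "smbd" count (1, the genuine daemon), the -C "smbd -D" count (3), and the looser -a substring count (5, which also picks up the grep), and lists the three masquerading rows as suspicious. On a real host the same comparison can be made from /proc/PID/comm and /proc/PID/cmdline instead of the constructed table.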