[Techtalk] rmserver, should I be worried?

Brian J. Smith-Sweeney bsweeney at physics.ucsb.edu
Tue Oct 15 08:51:35 EST 2002 

I've found that an often quick method of discovering a compromise with a 
RedHat system is to use RPM.  RPM by default keeps MD5 hashes of all the 
binaries it installs, and while it's theoretically possible to modify the 
RPM database in practice I've never seen  a script-kiddie-level attacker 
do so (and if the cracker was obvious enough to leave a process eating up 
that much of your cpu time, they're most likely not terribly skilled)

Common files trojaned include ps,ls,find,su, inetd, 
login,netstat,passwd,lsof, and sshd among others.  My suggestion would be 
to run 'rpm -V' on the packages procps, findutils, util-linux, net-tools, 
and lsof; that will cover most of the binaries I've mentioned.  You could 
also, if you're feeling adventurous, 'rpm -Va' which will verify the md5 
hash of every file from every rpm package on the system.  Remember that 
some of these files (like /etc/passwd) will definitely have changed since 
installation.  Really, you're just interested in any changes to binary 
files.  Check the manpage of RPM for info on how to interpret the output, 
but for a quick example I just ran rpm -Va on my box and got back:

missing    /root/.Xresources
missing    /root/.bash_logout
missing    /root/.bash_profile
missing    /root/.bashrc
missing    /root/.cshrc
missing    /root/.tcshrc
.......T c /usr/share/fonts/default/Type1/fonts.dir
S.5....T c /etc/sysconfig/rhn/rhn-applet
S.5....T   /usr/share/rhn/rhn_applet/rhn_applet.pyc
S.5....T   /usr/share/rhn/rhn_applet/rhn_applet_animation.pyc
S.5....T   /usr/share/rhn/rhn_applet/rhn_applet_dialogs.pyc
S.5....T   /usr/share/rhn/rhn_applet/rhn_applet_model.pyc
S.5....T   /usr/share/rhn/rhn_applet/rhn_applet_rpc.pyc
S.5....T   /usr/share/rhn/rhn_applet/rhn_applet_rpm.pyc
S.5....T   /usr/share/rhn/rhn_applet/rhn_utils.pyc

This tells me that those first few files are no longer on the system, that 
fonts.dir has a different modification time that it used to, and that the 
rest have different file sizes and that their MD5 hashes don't match and 
that their ModTimes are different as well.  File Size, MD5 has, and ModTime 
are the ones you'll want to look out for on the binaries mentioned, in 
addition to M (for Mode differs), which will tell you if the permissions on 
a file have changed.  Often, low-skill crackers will change the permissions 
on a shell binary or something to make it SetUid root as an easy way to 
elevate priveledge.

Also checkout chkrootkit (www.chkrootkit.org).  While you should really run 
it with clean copies of binaries, often it will detect rootkits anyway.

If you haven't killed the process yet (I realize I'm a bit late replying to 
this posting) don't forget about the /proc filesystem.  Proc has lots of 
good info on processes in its root.  They're organized there by process id. 
They'll be at the very least a cwd file, which is a symlink to the working 
directory of the process, an exe file which is a symlink to the process 
binary, and an environ file which will list all environment variables.

I'm also a big fan of using strace on rogue processes; it lets me see what 
they're crunching on so heavily.  Often strace'ing will show that a process 
is looping on get_time_of_day, or stuck attempting to open a non-existent 
file or something.  'strace -p <process_id>' will allow you to trace an 
active process.  Most of it is usually unintelligable to me not being a 
developer and all, but you can get a general idea of what's going on that 
way.

And if you've got another box available, I'd run an nmap scan against it. 
Telnet or Netcat to every open port that nmap reports.  If you find 
something like a command prompt, or telnet or ssh running on a weird port, 
you've got a problem.

Last, but certainly not least, check out:
	http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

They've got some good general information on how to tell if your system has 
been compromised.

hope that helps,
Brian




--On Wednesday, October 09, 2002 02:56:25 PM -0400 Beth Johnson 
<linux.chick at verizon.net> wrote:

> On Tue, 2002-10-08 at 23:27, Jeannette wrote:
>> I just walked past my RH 7.3 box (default (2.4.18-3) kernel, but behind a
>> firewall) at 9:00 PM, and was concerned to hear it grinding away on
>> something .... I ran top, and it said that a process called rmserver was
>> using 98% of the CPU, and had used a total of 214 minutes of CPU time.
>
> A quick google search turns up rmserver as a Real Media server.  Who
> knows if that is the real process or not, but it's [any stuff named
> rmserver is] certainly not part of any Red Hat install set that I know
> of.
>
> Being in /usr/local suggests something that was installed via a method
> alternate to RPM, and a person is much more likely to remember something
> that was installed without RPM I'd think.
>
> I'd certainly consider the box compromised.
>
> regards,
> Beth
> --
>   /\/\    Beth Johnson
>  / o o\   Cosmic Wonderer
> ( / ^^\)  Springfield, MA USA
>  \ M_M/   "Ruling a country is like cooking a small fish--
>            you have to handle it with care."--Lao Tzu
> 	
>
> _______________________________________________
> Techtalk mailing list
> Techtalk at linuxchix.org
> http://mailman.linuxchix.org/mailman/listinfo/techtalk

More information about the Techtalk mailing list