[clug] mc-root anyone?

Daniel Pittman daniel at rimspace.net
Thu Jun 18 04:53:02 GMT 2009


Michael Still <mikal at stillhq.com> writes:

> I just had my ISP inform me that my machines were sending suspicious traffic
> (yes, my ISP is really that cool), and I quickly found an account with a
> poor password. The home directory for that account has a directory named "
> ", which contained another directory called mc-root.  The contents there
> seem to be some sort of IRC controller, an update system, and a ssh
> scanner. The updates and scanner are controlled out of a cron job.
>
> Now, I've deleted the compromised account, moved its home directory to one
> side, and disabled the cron job. tcpdump confirms no more ssh scanning
> coming from the machine. I'm also using update-manager to upgrade to the
> latest Ubuntu, which will hopefully replace all the system files just in
> case one of them is owned in some other manner.
>
> Two questions:
> - is there anything else I should do to this machine?

That depends how much paranoia you have.  My general experience, these days,
is that many attackers are quite happy to automatically compromise a system
and run a robot; they don't bother to go beyond that point.

So, you /could/ be trusting and assume that they are kicked off and you are
now safe.

Alternately, you could go back to your last pre-compromise backup on the
assumption that if they have root they also have a rootkit that makes them
undetectable — or they left the obvious compromise as a dummy to make you feel
better when you got rid of it, despite being still compromised.

> - does anyone else know what this thing is? Bing searching doesn't turn
>   much up.

No, but my guess is the typical robot, serve up DDoS attacks, spam email and
hosting illegal files.  Nothing exciting.

Regards,
        Daniel
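A small triage script for the pattern Michael describes (a whitespace-named directory inside a home directory, with cron entries pointing into it). This is an added example, not code from either poster; the home tree, user names and crontab lines are constructed in a temp directory purely to demonstrate the checks.

```python
"""Hunt for a home directory containing a subdirectory whose name is only
whitespace (such as " "), and for cron jobs that reference anything under it.
Constructed example: the users, paths and crontab below are hypothetical."""
import os
import re
import tempfile

WHITESPACE_NAME = re.compile(r"^\s+$")


def find_whitespace_dirs(home_root):
    """Return directories directly under each home whose name is all whitespace."""
    hits = []
    for home in sorted(os.listdir(home_root)):
        home_path = os.path.join(home_root, home)
        if not os.path.isdir(home_path):
            continue
        for entry in os.listdir(home_path):
            full = os.path.join(home_path, entry)
            if WHITESPACE_NAME.match(entry) and os.path.isdir(full):
                hits.append(full)
    return hits


def cron_lines_referencing(crontab_text, suspicious_dirs):
    """Return non-comment crontab lines whose command mentions a suspicious dir."""
    flagged = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.strip().startswith("#"):
            continue
        if any(d in line for d in suspicious_dirs):
            flagged.append(line)
    return flagged


def demo():
    """Build a constructed /home tree and crontab mirroring the report, then scan."""
    root = tempfile.mkdtemp()
    for user in ("alice", "weakpw"):          # "weakpw" stands in for the poor-password account
        os.makedirs(os.path.join(root, user, "docs"))
    hidden = os.path.join(root, "weakpw", " ", "mc-root")
    os.makedirs(hidden)
    crontab = (
        "# m h dom mon dow command\n"
        "0 3 * * * /usr/bin/backup.sh\n"
        f"*/10 * * * * {hidden}/update >/dev/null 2>&1\n"
        f"0 * * * * {hidden}/scan >/dev/null 2>&1\n"
    )
    dirs = find_whitespace_dirs(root)
    return dirs, cron_lines_referencing(crontab, dirs)


if __name__ == "__main__":
    found_dirs, found_cron = demo()
    print("whitespace-named dirs:", found_dirs)
    print("cron entries referencing them:", *found_cron, sep="\n  ")
```

On a real box, point `find_whitespace_dirs` at `/home` and feed it the output of `crontab -l -u <user>` for each account instead of the constructed crontab.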

