Security Incidents mailing list archives
Re: LJK2 rootkit?
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Thu, 18 May 2000 18:01:22 -0400
On Tue, 16 May 2000, Omachonu Ogali wrote:
> [root@machine]# less .LJK2/hide/.RK1proc
> 3 sshd
>
> I'm not sure what this line means.
my best guess is a trojanned sshd binary. there's a good chance you don't run sshd, so by hiding it they're hiding their presence. we saw this on the Shaft node we investigated[1]. you can check this by checking the output of strings on the sshd binary:

a normal sshd binary:

[snip]
RhostsRsa authentication not available for session encrypted with arcfour.
RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.
RSA authentication disabled.
RSA authentication for %.100s accepted.
RSA authentication for %.100s failed.
Password authentication disabled.
Password authentication not available for unencrypted session.
Too many password authentication attempts from %.100s for user %.100s.
Password authentication failed for user %.100s from %.100s.
Password authentication for %.100s accepted.
Password authentication for %.100s failed.
Unknown message during authentication: type %d
ROOT LOGIN REFUSED FROM %.200s
Root login accepted for forced command.
ROOT LOGIN as '%.100s' from %.100s
Received illegal compression level %d.
[snip!]

the trojanned sshd binary we found:

[snippety snip]
RhostsRsa authentication not available for session encrypted with arcfour.
RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.
RSA authentication disabled.
RSA authentication for %.100s accepted.
RSA authentication for %.100s failed.
Password authentication disabled.
Password authentication not available for unencrypted session.
Too many password authentication attempts from %.100s for user %.100s.
Password authentication failed for user %.100s from %.100s.
Connection from: %s l: %s p: %s
Connection from: %s l: %s p: rOOTkIT
Password authentication for %.100s accepted.
Password authentication for %.100s failed.
Unknown message during authentication: type %d
ROOT LOGIN REFUSED FROM %.200s
Root login accepted for forced command.
ROOT LOGIN as '%.100s' from %.100s
[snip]

the trojan password is ... rOOTkIT!
a few sshd trojans are around, including one from w00w00 (proof of concept? malicious code?). no logging, root shell, etc... check packetstorm, i think they have them.

summary: chances are sshd is hacked to allow root, unlogged access with this s00p3r s3|<r3+ password.

----------------
note:

1. our Shaft node analysis, where the rootkit was a variant of LRK4:
   http://biocserver.cwru.edu/~jose/shaft_analysis/node-analysis.txt
----------------

i hope this helps,

jose nazario                          jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
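As an added illustration of the strings-based check described in the reply above (this is not code from the post or from the Shaft analysis), the script below approximates what strings(1) does, diffs a suspect sshd against a known-good copy, and flags any extra format string of the "l: %s p:" shape that only makes sense if the daemon is recording login names and passwords. The two "binaries" are constructed byte strings standing in for the real files.

```python
import re

# Constructed stand-ins for a clean sshd and a trojanned one. The trojanned copy
# carries the two extra strings reported in the post (credential-capture format
# string and its hard-coded password); the rest of the bytes are filler.
CLEAN_SSHD = (b"\x7fELF\x00\x01\x02RSA authentication disabled.\x00"
              b"Password authentication for %.100s accepted.\x00"
              b"ROOT LOGIN REFUSED FROM %.200s\x00\xff\xfe")
TROJAN_SSHD = (b"\x7fELF\x00\x01\x02RSA authentication disabled.\x00"
               b"Connection from: %s l: %s p: %s\x00"
               b"Connection from: %s l: %s p: rOOTkIT\x00"
               b"Password authentication for %.100s accepted.\x00"
               b"ROOT LOGIN REFUSED FROM %.200s\x00\xff\xfe")

# A login/password-logging format string; there is no legitimate reason for
# sshd to carry one. Pattern chosen from the strings shown in the post.
SUSPICIOUS = re.compile(r"\bl: %s p: ")


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Approximate strings(1): runs of printable ASCII at least min_len bytes long."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def compare_to_baseline(suspect: bytes, baseline: bytes) -> dict:
    """Return strings present in the suspect but absent from the known-good
    binary, plus the subset that looks like credential logging."""
    known_good = set(extract_strings(baseline))
    extra = [s for s in extract_strings(suspect) if s not in known_good]
    flagged = [s for s in extra if SUSPICIOUS.search(s)]
    return {"extra": extra, "flagged": flagged}


if __name__ == "__main__":
    # On a real host read both files with open(path, "rb").read(); the
    # baseline should come from install media or a package of the same version.
    report = compare_to_baseline(TROJAN_SSHD, CLEAN_SSHD)
    for s in report["extra"]:
        mark = "!!" if s in report["flagged"] else "  "
        print(f"{mark} {s}")
```

Any string flagged here is grounds to treat the binary as replaced; a clean diff only says the strings match, so an unexpected size, mtime or package-manager checksum mismatch still deserves a look.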