Security Incidents mailing list archives

Re: LJK2 rootkit?


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Thu, 18 May 2000 18:01:22 -0400


On Tue, 16 May 2000, Omachonu Ogali wrote:

> [root@machine]# less .LJK2/hide/.RK1proc
> 3 sshd
> I'm not sure what this line means.

my best guess is a trojanned sshd binary. there's a good chance you don't
run sshd, so by hiding it they're hiding their presence. we saw this on
the Shaft node we investigated[1]. you can check this by checking the
output of strings on the sshd binary:

a normal sshd binary:

[snip]

RhostsRsa authentication not available for session encrypted with arcfour.
RhostsRSA authentication failed for '%.100s', remote '%.100s', host
'%.200s'.
RSA authentication disabled.
RSA authentication for %.100s accepted.
RSA authentication for %.100s failed.
Password authentication disabled.
Password authentication not available for unencrypted session.
Too many password authentication attempts from %.100s for user %.100s.
Password authentication failed for user %.100s from %.100s.
Password authentication for %.100s accepted.
Password authentication for %.100s failed.
Unknown message during authentication: type %d
ROOT LOGIN REFUSED FROM %.200s
Root login accepted for forced command.
ROOT LOGIN as '%.100s' from %.100s
Received illegal compression level %d.

[snip!]

the trojanned sshd binary we found:
[snippety snip]

RhostsRsa authentication not available for session encrypted with arcfour.
RhostsRSA authentication failed for '%.100s', remote '%.100s', host
'%.200s'.
RSA authentication disabled.
RSA authentication for %.100s accepted.
RSA authentication for %.100s failed.
Password authentication disabled.
Password authentication not available for unencrypted session.
Too many password authentication attempts from %.100s for user %.100s.
Password authentication failed for user %.100s from %.100s.
Connection from: %s l: %s p: %s
Connection from: %s l: %s p: rOOTkIT
Password authentication for %.100s accepted.
Password authentication for %.100s failed.
Unknown message during authentication: type %d
ROOT LOGIN REFUSED FROM %.200s
Root login accepted for forced command.
ROOT LOGIN as '%.100s' from %.100s

[snip]

the trojan password is ... rOOTkIT! a few sshd trojans are around,
including one from w00w00 (proof of concept? malicious code?). no logging,
root shell, etc... check packetstorm, i think they have them.

summary: chances are sshd is hacked to allow root, unlogged access with
this s00p3r s3|<r3+ password.

----------------
note:
1. our Shaft node analysis, where the rootkit was a variant of LRK4:
http://biocserver.cwru.edu/~jose/shaft_analysis/node-analysis.txt
----------------

i hope this helps,

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
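The strings(1) comparison described in the reply above, turned into a small script. This is an added example and not part of the original post or of any rootkit analysis it cites. It embeds the two excerpts quoted above as constructed sample data (a real check would run on the suspect binary and on a known-good copy of the same sshd build), lists the strings that appear only in the suspect binary, and flags the ones that look like credential logging or a hardcoded password. The pattern set, labels and function names are the example's own assumptions.

```python
import re
import shutil
import subprocess

# Constructed sample data: the strings(1) excerpts quoted in the post above,
# with the wrapped "host '%.200s'." line rejoined.
NORMAL_SSHD_STRINGS = [
    "RhostsRsa authentication not available for session encrypted with arcfour.",
    "RhostsRSA authentication failed for '%.100s', remote '%.100s', host '%.200s'.",
    "RSA authentication disabled.",
    "RSA authentication for %.100s accepted.",
    "RSA authentication for %.100s failed.",
    "Password authentication disabled.",
    "Password authentication not available for unencrypted session.",
    "Too many password authentication attempts from %.100s for user %.100s.",
    "Password authentication failed for user %.100s from %.100s.",
    "Password authentication for %.100s accepted.",
    "Password authentication for %.100s failed.",
    "Unknown message during authentication: type %d",
    "ROOT LOGIN REFUSED FROM %.200s",
    "Root login accepted for forced command.",
    "ROOT LOGIN as '%.100s' from %.100s",
    "Received illegal compression level %d.",
]

# The trojanned excerpt: same strings, two extra lines spliced in, and the
# excerpt ends before "Received illegal compression level".
TROJAN_SSHD_STRINGS = NORMAL_SSHD_STRINGS[:9] + [
    "Connection from: %s l: %s p: %s",
    "Connection from: %s l: %s p: rOOTkIT",
] + NORMAL_SSHD_STRINGS[9:15]

# Heuristics (this example's own) for strings that do not belong in a stock
# sshd. Order matters: the first matching pattern is the one reported.
SUSPICIOUS = [
    ("format string that logs a password field", re.compile(r"\bp:\s*%s")),
    ("literal value in a password slot", re.compile(r"\bp:\s*(?!%)\S+")),
    ("rootkit marker", re.compile(r"r[o0]{2}tkit", re.IGNORECASE)),
]


def extract_printable(data: bytes, min_len: int = 4) -> list:
    """Pure-Python stand-in for strings(1): runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def strings_from_file(path: str, min_len: int = 4) -> list:
    """Use the system strings(1) when available, otherwise the fallback above."""
    if shutil.which("strings"):
        out = subprocess.run(["strings", "-n", str(min_len), path],
                             capture_output=True, text=True, check=True).stdout
        return out.splitlines()
    with open(path, "rb") as fh:
        return extract_printable(fh.read(), min_len)


def added_strings(baseline, suspect):
    """Strings present in the suspect binary but absent from the known-good one."""
    base = set(baseline)
    return [s for s in suspect if s not in base]


def flag_suspicious(strs):
    """Return (string, reason) pairs for strings matching a SUSPICIOUS pattern."""
    hits = []
    for s in strs:
        for label, pat in SUSPICIOUS:
            if pat.search(s):
                hits.append((s, label))
                break
    return hits


def audit(baseline, suspect):
    """Diff two strings(1) listings and flag the additions worth a closer look."""
    added = added_strings(baseline, suspect)
    return {"added": added, "flagged": flag_suspicious(added)}


if __name__ == "__main__":
    # Real use: audit(strings_from_file("/known-good/sshd"), strings_from_file("/usr/sbin/sshd"))
    report = audit(NORMAL_SSHD_STRINGS, TROJAN_SSHD_STRINGS)
    for s, why in report["flagged"]:
        print(f"SUSPICIOUS ({why}): {s}")
```

Two caveats when using this for real. A strings diff only catches a trojan whose author left the backdoor password and logging format string in the clear; a stripped or lightly obfuscated build will show nothing, so treat a clean result as weak evidence and compare the binary's hash against the vendor package or a copy from install media instead. And on a box where a rootkit is suspected, run strings, ls and the rest from trusted media, since those tools are exactly what an LRK-style kit replaces.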

