Re: RedHat 6.2 boxes root'ed, shitc.tgz installed

[Scott Nursten <Scott.Nursten () STREETSONLINE CO UK>]

Please post the source if you have it. Was it standard? Does it do
anything special? If you do have the installer, it makes all the
difference, and if your report is from the installer, then great - no
need to post the source.

Rgds,

Scott

josh wrote:
> A client of our companies had 5 or so RedHat 6.2 boxes
> rooted (default install, everything enabled - that's what they
> get for not letting us build 'em ;)
>
> The attackers left behind a tarball called 'shitc.tgz'
> in /usr/bin/.../.terminfo
> There is a modified sshd /bin/fgry which listens on port 5665
> and /bin/in.slogind that listens on port 19000.
>
> There was also a bouncer, mdidentd, etc.  Plus a litle
> shell script called "die" to install all the good stuff for you.
> It left text files in /dev/hdaa, /dev/ddth3, /dev/ddtz1 that
> are config files for the modified programs to ignore.
>
> Binaries replaced are:
> ls, named, nc, netstat, ps, pstree, rpc.statd, sloging, syslogd, and top.
>
> The tarball also came with some DoS tools - boink, bonk, citra, flip, frag,
> jolt, lod, land, land2, land2, moyari13, nestea, ntear, smbquery,
> ssping, syndrop, tear2, teardrop, w2, whisper, ww.
>
> The rootkit also came with a bunch of network scanning utilities
> and the like.
>
> Just a heads up - scan your boxes for ports 5665 and 19000.
> There also could be processes listening on ports 24, 63, 1900,
> and 6667. (If you don't already have ircd running)
>
> --
> josh

--
Scott Nursten - Systems Administrator
Streets Online Ltd.

Business:       +44 (0) 1293 402 040
Fax:            +44 (0) 1293 402 050
Email:          scottn () streetsonline co uk

     -------------------------------------------------------------------
     |    "Facts do not cease to exist because they are ignored."      |
     |                                             Aldous Huxley       |
     -------------------------------------------------------------------