Security Incidents mailing list archives
Machine compromised, rootkit and DDoS tools installed.
From: "Jeremy L. Gaddis" <jgaddis () JGADDIS NET>
Date: Thu, 21 Sep 2000 16:56:47 -0500
Tuesday night (19/Sep/00) I was contacted by someone who wanted to know what the running process "tfn-daemon" was. The user noticed several processes all running as "tfn-daemon". I immediately suspected this had something to do with the Tribal Flood Network DDoS and the user gave me login access to poke around. I immediately killed the processes and began looking around.

After poking around on the system, I discovered a rootkit had been installed as well as the TFN DDoS tools. The user wasn't too big on the idea of security and just wanted to get the machine back up and running, and didn't really care about what had happened. He allowed me to make copies of the logfiles and trojaned binaries before I shut down. Those have been transferred to my own machines and I've started examining them.

At this time, I haven't had much chance to go through them, so I don't know too much yet. I do know that trojaned versions of netstat, ps, login, and named were installed. Also, grepping through the logs shows connections from 24.21.12.176 (cx365698-b.dt1.sdca.home.com) and 193.40.252.210 (www.cce.ttu.ee). I also found a running process, "in.slogind", bound to port 19000/tcp which, I believe, was made to spawn a root shell upon connecting. This daemon, however, seemed broken.

With the recent discussion about the t0rnkit on this list, I'm wondering if there are any sites dealing with identifying what rootkit binaries came from?

Oh, one last bit: a file named "shitc.tgz" was found on the filesystem. I also noticed a message in sendmail's logs from root to "shitc () altavista com."

The machine in question has since been reinstalled and secured, and all data that I didn't make copies of is gone. I'll be posting copies of all the trojaned files shortly for anyone who wishes to examine them. Anything I should watch out for in the binaries that may possibly identify their origin?

Any comments are welcome. Thanks.

-jg

--
Jeremy L. Gaddis <jgaddis () jgaddis net>
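The first offline checks a responder runs on recovered trojaned binaries like the ones described in the post (copies of ps, netstat, login, named) are a hash comparison against the same binary from a trusted install and a strings(1)-style diff, since the strings a rootkit adds (process names it hides, a backdoor port, a password, a mail address) are what usually point at the kit's origin. The script below is an added example, not code from the post or from any rootkit or tool it mentions. The "binaries" it examines are constructed byte strings standing in for the recovered files and their known-good counterparts; the indicator strings are the identifiers the post itself reports (the process name tfn-daemon, the daemon name in.slogind, port 19000, and the archive name shitc), not signatures of any real rootkit.

```python
"""Offline triage of binaries copied off a compromised host (added example).

For each recovered binary we need two inputs: the file copied off the
compromised machine and the same file taken from a trusted install of the
same distribution and version (never from the compromised host itself,
whose package database may also have been tampered with).
"""
import hashlib
import re

# Printable ASCII runs of at least 4 bytes, the default heuristic of strings(1).
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Indicators taken from the post: DDoS daemon process name, backdoor daemon
# name, backdoor port, and the dropped archive / mail address name.
INDICATORS = ("tfn-daemon", "in.slogind", "19000", "shitc")


def sha256_hex(blob: bytes) -> str:
    """Hex SHA-256 of a file image, for comparison against a trusted copy."""
    return hashlib.sha256(blob).hexdigest()


def extract_strings(blob: bytes) -> list[str]:
    """Return printable ASCII runs (>= 4 chars) in file order, like strings(1)."""
    return [m.group().decode("ascii") for m in _PRINTABLE_RUN.finditer(blob)]


def triage_binary(name: str, suspect: bytes, known_good: bytes) -> dict:
    """Compare a recovered binary with its known-good copy.

    Returns the suspect's hash, whether it is byte-identical to the trusted
    copy, the printable strings present only in the suspect (the interesting
    part of a strings diff), and which of those contain a known indicator.
    """
    clean = set(extract_strings(known_good))
    added = sorted(set(extract_strings(suspect)) - clean)
    hits = sorted(s for s in added if any(ind in s for ind in INDICATORS))
    return {
        "name": name,
        "sha256": sha256_hex(suspect),
        "matches_known_good": sha256_hex(suspect) == sha256_hex(known_good),
        "added_strings": added,
        "indicator_hits": hits,
    }


def triage_all(samples: dict[str, tuple[bytes, bytes]]) -> list[dict]:
    """Run triage_binary over {name: (suspect_bytes, known_good_bytes)}."""
    return [triage_binary(n, s, g) for n, (s, g) in samples.items()]


# Constructed stand-ins for the recovered files. A real run would read the
# copied /bin/ps and /bin/netstat and the trusted copies from disk.
KNOWN_GOOD_PS = b"\x7fELF\x02\x01" + b"ps: invalid option\x00/proc\x00" + b"\x00" * 8
# The constructed "trojaned" ps is the clean image with two extra strings
# appended, mimicking a replacement binary that carries the names it hides.
SUSPECT_PS = KNOWN_GOOD_PS + b"tfn-daemon\x00in.slogind\x00"
KNOWN_GOOD_NETSTAT = b"\x7fELF\x02\x01" + b"Active Internet connections\x00" + b"\x00" * 8
SUSPECT_NETSTAT = KNOWN_GOOD_NETSTAT  # constructed: untouched copy

SAMPLES = {
    "ps": (SUSPECT_PS, KNOWN_GOOD_PS),
    "netstat": (SUSPECT_NETSTAT, KNOWN_GOOD_NETSTAT),
}


if __name__ == "__main__":
    for report in triage_all(SAMPLES):
        status = "OK" if report["matches_known_good"] else "MODIFIED"
        print(f"{report['name']}: {status} sha256={report['sha256'][:16]}...")
        for s in report["added_strings"]:
            flag = " <-- indicator" if s in report["indicator_hits"] else ""
            print(f"    + {s}{flag}")
```

The strings diff is deliberately a set difference rather than a positional diff: rebuilt or differently linked binaries reorder strings, and what a responder wants first is the list of strings the clean copy never had. A hash mismatch alone is weak evidence (a legitimately updated package also mismatches), which is why the two checks are reported together.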
Current thread:
- Machine compromised, rootkit and DDoS tools installed. Jeremy L. Gaddis (Sep 22)
- Re: Machine compromised, rootkit and DDoS tools installed. Chris Keladis (Sep 25)
- Re: Machine compromised, rootkit and DDoS tools installed. Ben Belchak (Sep 25)
- <Possible follow-ups>
- Re: Machine compromised, rootkit and DDoS tools installed. H Carvey (Sep 24)
- Re: Machine compromised, rootkit and DDoS tools installed. Jeremy L. Gaddis (Sep 24)
- Re: Machine compromised, rootkit and DDoS tools installed. Chris Keladis (Sep 25)