Security Incidents mailing list archives

Re: Machine compromised, rootkit and DDoS tools installed.


From: "Jeremy L. Gaddis" <jgaddis () JGADDIS NET>
Date: Fri, 22 Sep 2000 23:30:03 -0500

I've been very busy the past few days and haven't been
able to examine the files that were installed on this system.
I've taken the liberty of putting the files up for download so
that anyone who wishes to may examine them.

At first glance, it appears that the majority of the files are
not stripped, so there might be some good info in there.
I have put two separate files up for download:  one is a dump
of running "ls -alR" on the box, the other is a file that was
found in the filesystem which contains trojaned files, exploits
(e.g. nestea, ssping, mscan) and the like.

Since I have no interest in the compromised box other than
personal (not to mention the owner doesn't care), I can't
find time right now to go through the files myself, but I would
be interested in hearing about anything that anyone else finds
out regarding this rootkit.

The files are available at:
http://www.blueriver.net/~jlgaddis/ls.txt.gz and
http://www.blueriver.net/~jlgaddis/shitc.tgz.

Here's what I do know, or appear to know anyways.  :)
(The names to the left of the colon indicate filenames).

/bin/frgy:  Appears to be a trojaned sshd 1.2.27.

/bin/login:  Trojaned version of /bin/login.  The original
was copied to /dev/lg0.  This trojaned version appears
to either spawn a root shell or pass control off to the
original login.  I'm not aware of how it decides which to
do, however.

/dev/ddth3:  Appears to be a "configuration file" for the
trojaned netstat, telling it what IPs and ports to block
from its output.

/dev/ddtz1:  Possibly used by the trojaned ps to control
what processes to hide.

/dev/hstkey:  Host key for trojaned sshd?

/dev/rndmseed:  Random seed file for trojaned sshd?

/dev/shconf:  Configuration file for sshd (the equivalent
of sshd_config).

/usr/sbin/in.slogind:  Appears to be a trojaned version
of in.telnetd.

One last note:  The shitc.tgz file was found (along with the
uncompressed contents) under /usr/bin/.../.termcap/.

Any comments, questions, etc. are welcome and appreciated.
-jg

--
Jeremy L. Gaddis     <jgaddis () jgaddis net>
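A defender-side check for the kind of compromise described in this post, added here as an example and not part of Jeremy's message or the archived thread. It looks for the artifact paths he lists and cross-checks a possibly trojaned ps and netstat against /proc, which user-space trojans of this sort leave untouched; it assumes a Linux host with the procps/net-tools commands (a kernel-level rootkit could lie to /proc as well, which this does not detect).

```shell
#!/bin/sh
# Added example, not from the original post. Checks a Linux host for the
# artifacts Jeremy lists and cross-checks the (possibly trojaned) ps and
# netstat against /proc, which these user-space trojans do not alter.
# Paths named in the post. Any hit deserves a closer look.
ROOTKIT_PATHS="/bin/frgy /dev/lg0 /dev/ddth3 /dev/ddtz1 /dev/hstkey /dev/rndmseed /dev/shconf /usr/sbin/in.slogind /usr/bin/.../.termcap"

# check_paths [ROOT]: print each artifact found under ROOT (default: /), return 0
# when nothing is found and 1 otherwise. ROOT lets a staged tree be checked.
check_paths() {
    root="${1:-}"
    found=0
    for p in $ROOTKIT_PATHS; do
        if [ -e "$root$p" ]; then
            echo "ARTIFACT: $root$p"
            found=1
        fi
    done
    return $found
}

# hidden_pids: PIDs present in /proc but absent from ps output. A trojaned ps
# (driven by a file like /dev/ddtz1) filters what it prints; /proc still lists them.
hidden_pids() {
    command -v ps >/dev/null || { echo "ps not found" >&2; return 2; }
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    for d in /proc/[0-9]*; do
        pid="${d#/proc/}"
        [ -d "$d" ] || continue        # process exited between the two reads
        echo "$ps_pids" | grep -qx "$pid" || echo "HIDDEN PID: $pid (confirm with a second run)"
    done
}

# hidden_listeners: TCP LISTEN ports per /proc/net/tcp that netstat omits (the
# post's trojaned netstat hides IPs and ports configured in /dev/ddth3).
hidden_listeners() {
    command -v netstat >/dev/null || { echo "netstat not found" >&2; return 2; }
    seen=$(netstat -ltn 2>/dev/null | awk 'NR>2 {n=split($4,a,":"); print a[n]}')
    # /proc/net/tcp: field 2 is local "HEXIP:HEXPORT", field 4 is state, 0A = LISTEN
    awk 'NR>1 && $4=="0A" {split($2,a,":"); print a[2]}' /proc/net/tcp | sort -u |
    while read -r hexport; do
        port=$(printf '%d' "0x$hexport")
        echo "$seen" | grep -qx "$port" || echo "HIDDEN LISTENER: tcp/$port"
    done
}

# Run all checks unless sourced for testing (ROOTKIT_CHECK_NO_RUN=1 . ./rootkit_check.sh).
[ -n "$ROOTKIT_CHECK_NO_RUN" ] || { check_paths; hidden_pids; hidden_listeners; }
```

Run it from a known-good shell and compare against binaries from trusted media, since on a box like the one described the ps and netstat being queried are themselves suspect; only IPv4 TCP listeners are covered (/proc/net/tcp6 and UDP are left out).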
