Security Incidents mailing list archives
Re: RedHat compromise
From: Andreas Östling <andreaso () IT SU SE>
Date: Tue, 20 Feb 2001 22:49:49 +0100
This looks to be the same MO as another box I've seen. That smb binary is a modified telnetd (and I believe the password is "Sh!t"). And yes, it was probably the Bind hole that got you. BTW: use fsck to check your partition map before you reboot... you probably don't have one anymore :)
I've also seen this (on a RH 6.0/i386). Here is a quick spontaneous summary of other things that were found (probably not 100% correct):

* /usr/sbin/cronlogd - sniffer, using /dev/portd/.log as log file and /dev/portd/.pid as pid file
* ls, du - modified to hide files listed in /dev/ptyy (.addro,.log,.pid,portd,ptyv,ptyu,ptyy)
* ps - modified to hide processes listed in /dev/ptyu (cronlogd,synk5,jess,smurf,ipzoner,imapdx,namedx)
* BIND was upgraded to 8.2.3.
* netstat - modified to hide addresses/ports listed in /dev/ptyq (24.,54321,27665)
* syslogd - modified to hide entries containing strings listed in /dev/ptyv (il,net,edu,com,org)
* tcpd was modified (probably to always allow addresses listed in /dev/hdbb)
* entries added to /etc/services:
    smbd2     54321/tcp   # Samba
    working   1120/tcp    # Kerberos working daemon
* Trin00 DDoS daemon found as /usr/sbin/init (its old pid files (.la.pid) were found in several places)
* /usr/sbin/init restarted in cron every 5 minutes
* in.telnetd was listening on port 1120/TCP:
    lsof:        inetd 1671 root 15u IPv4 110913 TCP *:working (LISTEN)
    inetd.conf:  working stream tcp nowait root /usr/sbin/tcpd in.telnetd

I probably forgot a few things here, but at least it's something to look out for. Does anyone have a full description (or just more information) of this rootkit(/worm?)?

Regards,
Andreas Östling
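The indicators listed in the message above lend themselves to a quick file-level check. The script below is an added example, not code from the original post or from anyone in this thread. It takes a root prefix so it can be run against a mounted image of the suspect disk (or a live system from a known-good toolset), and it deliberately uses only test, grep, tr and cat rather than ls, ps or netstat, since the post reports those binaries as trojaned. The file names, ports and service names are the ones reported in the post; the sample tree built by build_sample_tree is constructed for the demo and is an assumption about what such a box would look like, not a capture from a real compromise.

```shell
#!/bin/sh
# Added example: scan a filesystem tree for the rootkit indicators reported
# in the post above. ROOT is a prefix ("/" for the live system, or the mount
# point of an imaged disk). Not part of the original message.

# Regular files in which the rootkit keeps its hide-lists / allow-list.
# On a clean box /dev/pty* are character devices (or absent), never
# regular files, so "-f" is the indicator.
ROOTKIT_CONFIG_FILES="dev/ptyy dev/ptyu dev/ptyq dev/ptyv dev/hdbb"
# Directory the sniffer uses for its log and pid file.
ROOTKIT_DIRS="dev/portd"
# Services the post says were added to /etc/services.
ROOTKIT_PORTS="54321/tcp 1120/tcp"

# check_rootkit_indicators ROOT
# Prints one "KIND: detail" line per hit; the return status is the number
# of hits, so 0 means nothing matched.
check_rootkit_indicators() {
    root=${1%/}
    hits=0
    for f in $ROOTKIT_CONFIG_FILES; do
        if [ -f "$root/$f" ]; then
            echo "FILE: $root/$f is a regular file (contents: $(tr '\n' ' ' < "$root/$f"))"
            hits=$((hits + 1))
        fi
    done
    for d in $ROOTKIT_DIRS; do
        if [ -d "$root/$d" ]; then
            echo "DIR: $root/$d exists (sniffer log/pid directory)"
            hits=$((hits + 1))
        fi
    done
    if [ -f "$root/etc/services" ]; then
        for p in $ROOTKIT_PORTS; do
            if grep -q "[[:space:]]$p" "$root/etc/services"; then
                echo "SERVICES: $(grep "[[:space:]]$p" "$root/etc/services")"
                hits=$((hits + 1))
            fi
        done
    fi
    # in.telnetd wired to any service name other than "telnet" (the post's
    # "working" entry on 1120/tcp).
    if [ -f "$root/etc/inetd.conf" ]; then
        if grep -v '^[[:space:]]*#' "$root/etc/inetd.conf" | grep 'in\.telnetd' | grep -qv '^telnet[[:space:]]'; then
            echo "INETD: $(grep 'in\.telnetd' "$root/etc/inetd.conf" | grep -v '^telnet[[:space:]]')"
            hits=$((hits + 1))
        fi
    fi
    # A cron entry restarting /usr/sbin/init (the renamed trin00 daemon).
    for c in "$root/etc/crontab" "$root/var/spool/cron/root"; do
        if [ -f "$c" ] && grep -q '/usr/sbin/init' "$c"; then
            echo "CRON: $c restarts /usr/sbin/init"
            hits=$((hits + 1))
        fi
    done
    return $hits
}

# build_sample_tree DIR
# Constructed demo input modelled on the post; not a real capture.
build_sample_tree() {
    d=$1
    mkdir -p "$d/dev/portd" "$d/etc" "$d/var/spool/cron"
    printf '.addro\n.log\n.pid\nportd\nptyv\nptyu\nptyy\n' > "$d/dev/ptyy"
    printf 'cronlogd\nsynk5\njess\n' > "$d/dev/ptyu"
    printf '24.\n54321\n27665\n' > "$d/dev/ptyq"
    printf 'telnet\t23/tcp\nsmbd2\t54321/tcp\t# Samba\nworking\t1120/tcp\t# Kerberos working daemon\n' > "$d/etc/services"
    printf 'telnet\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.telnetd\nworking\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.telnetd\n' > "$d/etc/inetd.conf"
    printf '*/5 * * * * /usr/sbin/init\n' > "$d/var/spool/cron/root"
}

# Demo run against the constructed tree.
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
check_rootkit_indicators "$demo_dir" || echo "$? indicator(s) found under $demo_dir"
rm -rf "$demo_dir"
```

Against the live root (`check_rootkit_indicators /`) the status-as-count convention means a clean system returns 0, so the function drops straight into a cron or boot-media checklist. It only finds this particular kit's file names; a box that fails any of these checks should be treated as fully compromised and rebuilt, since the same kit replaced ls, ps, netstat, syslogd and tcpd.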
Current thread:
- Re: RedHat compromise, (continued)
- Re: RedHat compromise Michael H. Warfield (Feb 19)
- Re: RedHat compromise Johan.Augustsson (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 20)
- Re: RedHat compromise Jose Nazario (Feb 20)
- Re: RedHat compromise Dave Dittrich (Feb 20)
- Re: RedHat compromise Fabio Pietrosanti (naif) (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 23)
- Re: RedHat compromise Jim Roland (Feb 24)
- Re: RedHat compromise Matteo,Marc A. (Feb 20)
- Re: RedHat compromise Andreas Östling (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 21)
- Re: RedHat compromise Daniel Martin (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 20)
- Re: RedHat compromise Justin Shore (Feb 21)