Security Incidents mailing list archives

Re: RedHat compromise


From: Andreas Östling <andreaso () IT SU SE>
Date: Tue, 20 Feb 2001 22:49:49 +0100

This looks to be the same MO as another box I've seen.  That smb binary
is a modified telnetd (and I believe the password is "Sh!t").  And yes,
it was probably the Bind hole that got you.

BTW: use fsck to check your partition map before you reboot... you
probably don't have one anymore :)

I've also seen this (on a RH 6.0/i386).
Here is a quick spontaneous summary of other things that were found.
(probably not 100% correct)

* /usr/sbin/cronlogd - sniffer, using /dev/portd/.log as log file and
/dev/portd/.pid as pid file

* ls,du - modified to hide files listed in /dev/ptyy
(.addro,.log,.pid,portd,ptyv,ptyu,ptyy)

* ps - modified to hide processes listed in /dev/ptyu
(cronlogd,synk5,jess,smurf,ipzoner,imapdx,namedx)

* BIND was upgraded to 8.2.3.

* netstat - modified to hide addresses/ports listed in /dev/ptyq
(24.,54321, 27665)

* syslogd - modified to hide entries containing strings listed in
/dev/ptyv (il,net,edu,com,org)

* tcpd was modified (probably to always allow addresses listed in
/dev/hdbb)

* entries added to /etc/services:
smbd2           54321/tcp       # Samba
working         1120/tcp        # Kerberos working daemon

* Trin00 DDoS daemon found as /usr/sbin/init
  (its old pid files (.la.pid) were found in several places)

* /usr/sbin/init restarted in cron every 5 minutes

* in.telnetd was listening on port 1120/TCP:
lsof: inetd      1671 root   15u  IPv4 110913       TCP *:working (LISTEN)
inetd.conf: working stream  tcp     nowait  root    /usr/sbin/tcpd in.telnetd


I probably forgot a few things here, but at least it's something to look out
for. Does anyone have a full description (or just more information) of
this rootkit(/worm?)?


Regards,
Andreas Östling
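A defender-side check built from the indicators listed in the post above: the two /etc/services entries, the inetd.conf line that exposes in.telnetd under the "working" service name, the ports the trojaned netstat hides, and the hide-list/log files under /dev. This is an added example, not code from the post or from any rootkit analysis tool; the sample /etc/services and inetd.conf text is constructed to resemble what the post describes, and the file paths and port numbers are taken from the post as-is.

```python
"""Check /etc/services, inetd.conf and /dev for the indicators in the post."""
import os
import re
from typing import Dict, List, Tuple

# Indicators quoted from the post: ports hidden by the modified netstat and
# added to /etc/services, the service names used, and the files under /dev
# that the modified ls/ps/netstat/syslogd/tcpd and the sniffer use.
SUSPECT_PORTS = {54321, 1120, 27665}
SUSPECT_SERVICE_NAMES = {"smbd2", "working"}
SUSPECT_DEV_FILES = [
    "dev/portd/.log", "dev/portd/.pid", "dev/ptyy", "dev/ptyv",
    "dev/ptyu", "dev/ptyq", "dev/hdbb",
]

# Constructed sample input (not a capture from the compromised host): a small
# /etc/services and inetd.conf containing the entries the post describes.
SAMPLE_SERVICES = """\
telnet          23/tcp
smtp            25/tcp          mail
smbd2           54321/tcp       # Samba
working         1120/tcp        # Kerberos working daemon
"""
SAMPLE_INETD = """\
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
working  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
"""

SERVICE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b")


def parse_services(text: str) -> Dict[str, Tuple[int, str]]:
    """Map service name -> (port, proto) from /etc/services-style text."""
    table: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            table[m.group(1)] = (int(m.group(2)), m.group(3))
    return table


def check_services(text: str) -> List[str]:
    """Service names whose port or name matches the post's indicators."""
    hits = []
    for name, (port, _proto) in parse_services(text).items():
        if port in SUSPECT_PORTS or name in SUSPECT_SERVICE_NAMES:
            hits.append(name)
    return hits


def check_inetd(text: str, services: Dict[str, Tuple[int, str]]) -> List[str]:
    """inetd.conf lines that start in.telnetd under a service name other than
    'telnet', or whose service name resolves to one of the suspect ports."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        # Fields: service socket proto wait user server [args...]
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, server_and_args = fields[0], fields[5:]
        port = services.get(service, (None, None))[0]
        telnetd_elsewhere = (
            any(a.endswith("in.telnetd") for a in server_and_args)
            and service != "telnet"
        )
        if telnetd_elsewhere or port in SUSPECT_PORTS:
            hits.append(line)
    return hits


def check_dev_files(root: str = "/") -> List[str]:
    """Hide-list and sniffer files from the post that exist under root.
    Use root="/" on the live host or the mount point of an image offline;
    run it from clean binaries, since the trojaned ls hides these names."""
    return [p for p in SUSPECT_DEV_FILES if os.path.exists(os.path.join(root, p))]


if __name__ == "__main__":
    svc = parse_services(SAMPLE_SERVICES)
    print("services:", check_services(SAMPLE_SERVICES))
    print("inetd:", check_inetd(SAMPLE_INETD, svc))
    print("dev files present:", check_dev_files("/"))
```

The checks read the text files directly rather than calling netstat, ps or ls, because the post says those binaries were replaced to hide exactly these names; on a live host the script itself should be run from a known-good Python and a clean mount, and the file-existence check is only as trustworthy as the kernel and filesystem it runs against.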

