Security Incidents mailing list archives

Re: FYI: Bind compromise


From: Phil Brutsche <pbrutsch () TUX CREIGHTON EDU>
Date: Tue, 20 Feb 2001 18:35:17 -0600

A long time ago, in a galaxy far, far away, someone said...

> What is in.amdq? A customized ssh daemon of sorts that allows anyone to
> connect as root, or so it appears. They also must have used a rootkit of some
> sort, as the process does not show up in ps auxw.  There is probably more to
> the compromise, but this is all I found. This server was running named
> 8.2.3-REL, which I assume was the source of the system compromise.  According
> to my colo provider, everyone who had a colocated Linux box with this
> version of BIND had been penetrated, so it's possible this attack is
> self-replicating, although I could not find any traces of this on the
> compromised system. Thankfully this box isn't that important, and thank
> goodness I got BIND 9.1 up and running on my important boxes before this had
> happened.

I disagree that this is a BIND 8.2.3 exploit.  If it was, we probably would
have heard about it on BugTraq by now :)

I've seen this rootkit (or, at least, this back door) on a RedHat box that
had no business running, and was not running, BIND.  They were, however,
running all sorts of other services (it was RedHat 6.0, with *no*
updates) that had nasty vulnerabilities.

If you still have access to the compromised system, I think you'll find
some files under /dev/sdc0/ (where the ssh backdoor gets its
configuration).

I think you will also find /usr/sbin/in.sysched.  I have no idea what that
does; I've heard it may be a DDoS tool.  I haven't been able to find
anything conclusive about it on Google, and nothing on PacketStorm and
SecurityFocus.

What I know about it starts with the (way too short) thread at
http://plug.skylab.org/200007/msg00526.html, and another (also way too
short) at http://www.linux.ie/pipermail/ilug/2000-September/022860.html,
as well as some stuff in Norwegian.

--
----------------------------------------------------------------------
Phil Brutsche                               pbrutsch () tux creighton edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
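The indicators in this reply (files under /dev/sdc0/, /usr/sbin/in.sysched, and a backdoor process that ps does not show) can be checked on a suspect box or a mounted disk image with a small POSIX sh triage script. This is an added example, not code from either poster; the two paths come from the thread, and the /proc-versus-ps comparison is a generic check that catches a replaced ps binary but not a kernel-level rootkit that also hides entries from /proc.

```shell
#!/bin/sh
# Added triage helper for the artifacts named in this thread (not the
# posters' code). Paths are taken from the thread; in.amdq has no stated
# location, so only the two fixed paths are listed.
THREAD_ARTIFACTS="dev/sdc0 usr/sbin/in.sysched"

# Print the thread's artifacts that exist under ROOT. Use / on a live box,
# or the mount point of an image taken from the compromised host.
known_artifacts_present() {
    root=${1%/}
    for rel in $THREAD_ARTIFACTS; do
        [ -e "$root/$rel" ] && echo "$root/$rel"
    done
    return 0
}

# /dev should contain device nodes, directories and a few symlinks; regular
# files there are suspicious (the backdoor keeps its config under /dev/sdc0/).
regular_files_in_devdir() {
    find "$1" -type f 2>/dev/null
    return 0
}

# PIDs listed in /proc that ps cannot see. A ps binary replaced by a userland
# rootkit drops entries, but the kernel still exposes them in /proc. Each
# candidate is re-checked so processes that merely exited are not reported.
hidden_pids() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        ps -p "$pid" -o pid= >/dev/null 2>&1 && continue
        [ -d "$d" ] && echo "$pid"
    done
    return 0
}

# Full report; the process check only makes sense on the live system (root=/).
triage_report() {
    root=${1:-/}
    echo "== thread artifacts under $root"; known_artifacts_present "$root"
    echo "== regular files under ${root%/}/dev"; regular_files_in_devdir "${root%/}/dev"
    [ "$root" = / ] && { echo "== pids in /proc but not in ps"; hidden_pids; }
    return 0
}

# Run with: sh triage.sh --scan [ROOT]
case "${1:-}" in --scan) triage_report "${2:-/}" ;; esac
```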