Security Incidents mailing list archives
Re: FYI: Bind compromise
From: Phil Brutsche <pbrutsch () TUX CREIGHTON EDU>
Date: Tue, 20 Feb 2001 18:35:17 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> What is in.amdq? A customized ssh daemon of sorts that allows anyone to connect as root, or so it appears. They also must have used a rootkit of some sort, as the process does not show up in ps auxw. There is probably more to the compromise, but this is all I found. This server was running named 8.2.3-REL, which I assume was the source of the system compromise. According to my colo provider, everyone who had a colocated Linux box with this version of BIND had been penetrated, so it's possible this attack is self-replicating, although I could not find any traces of this on the compromised system. Thankfully this box isn't that important, and thank goodness I got BIND 9.1 up and running on my important boxes before this happened.

I disagree that this is a BIND 8.2.3 exploit. If it were, we probably would have heard about it on BugTraq by now :)

I've seen this rootkit (or, at least, this back door) on a RedHat box that had no business running, and was not running, BIND. They were, however, running all sorts of other services (it was RedHat 6.0, with *no* updates) that had nasty vulnerabilities.

If you still have access to the compromised system, I think you'll find some files under /dev/sdc0/ (where the ssh backdoor gets its configuration). I think you will also find /usr/sbin/in.sysched. I have no idea what that does; I've heard it may be a DDoS tool. I haven't been able to find anything conclusive about it on Google, and nothing on PacketStorm and SecurityFocus.

What I know about it starts with the (way too short) thread at http://plug.skylab.org/200007/msg00526.html, and another (also way too short) at http://www.linux.ie/pipermail/ilug/2000-September/022860.html, as well as some stuff in Norwegian.

-- 
----------------------------------------------------------------------
Phil Brutsche                                    pbrutsch () tux creighton edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6kw1I/ZTSZFDeHPwRAnCiAJ9M0VX4PGjJtkve17HCjSeH+VANZACePVYo
xGJp8qcMnM15tfGs2ewIo3U=
=y0+C
-----END PGP SIGNATURE-----
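The two posts above between them name everything a first-pass triage of such a box would look for: a daemon that `ps auxw` no longer shows (so ps itself is suspect), a backdoor configuration directory under /dev/sdc0/, and /usr/sbin/in.sysched. The following POSIX sh script is an added example written for this page; it is not code from the thread or from any of its posters. It compares the PIDs the kernel exposes under /proc against what ps reports, lists LISTEN sockets straight from /proc/net/tcp rather than trusting netstat, and checks for the two paths named in the thread. It assumes a Linux /proc layout; the ROOT-prefix argument to the file check (so the same check can be run against a mounted image of the compromised disk) and the `--live` switch are this example's own conventions. No path for in.amdq is checked because the thread gives only the process name.

```shell
#!/bin/sh
# Added example, not part of the thread. Triage checks for the indicators the
# posts describe: a daemon hidden from a trojaned ps, a backdoor config
# directory under /dev/sdc0/, and /usr/sbin/in.sysched. Assumes a Linux /proc
# layout. The ROOT prefix argument is this example's own convention so the
# file checks can also be run against a mounted image of the disk.

# Filesystem paths named in the thread (in.amdq is named only as a process).
IOC_PATHS="/dev/sdc0 /usr/sbin/in.sysched"

# hidden_pids PROC_LIST PS_LIST
# Print PIDs present in PROC_LIST (what the kernel exposes under /proc) but
# absent from PS_LIST (what ps claims). A user-space rootkit hides a process
# by filtering ps output; it cannot remove the /proc/<pid> directory, so the
# difference is the candidate set to inspect.
hidden_pids() {
    for pid in $1; do
        case " $2 " in
            *" $pid "*) ;;
            *) echo "$pid" ;;
        esac
    done
}

# live_hidden_pids
# Run hidden_pids against the running system and show each candidate's
# command line read straight from /proc. Short-lived PIDs (this pipeline's
# own subshells) can show up as noise; rerun and keep what persists.
live_hidden_pids() {
    procs=$(for d in /proc/[0-9]*; do echo "${d#/proc/}"; done)
    seen=$(ps -e -o pid= | tr '\n' ' ')
    for pid in $(hidden_pids "$procs" "$seen"); do
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        echo "hidden pid $pid: ${cmd:-[no cmdline]}"
    done
}

# listening_ports TABLE
# Print the decimal port of every socket in LISTEN state (st == 0A) from a
# /proc/net/tcp-format table. Reading the table directly sidesteps a trojaned
# netstat; a root-shell daemon like in.amdq still has to bind a port.
listening_ports() {
    while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue
        hexport=${laddr##*:}
        echo $((0x$hexport))
    done < "$1"
}

# ioc_hits ROOT
# Print each IOC path that exists under ROOT. Exit status 0 if any were found
# (grep-style), 1 if the tree is clean of them.
ioc_hits() {
    root=${1%/}
    found=1
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            echo "$root$p"
            found=0
        fi
    done
    return $found
}

# triage_report: all three checks against the live system.
triage_report() {
    echo "== processes visible in /proc but not in ps =="
    live_hidden_pids
    echo "== listening TCP ports (from /proc/net/tcp) =="
    listening_ports /proc/net/tcp | sort -n | uniq | tr '\n' ' '; echo
    echo "== files named in the thread =="
    ioc_hits / || echo "none present"
}

case ${1:-} in
    --live) triage_report ;;
esac
```

Run it as `sh triage.sh --live` on the suspect host, or source it and call `ioc_hits /mnt/evidence` against a mounted copy of the disk. Anything `hidden_pids` reports more than once, and any LISTEN port with no matching entry in the visible process list, is what to pull apart next; the /proc comparison only works while the rootkit is a user-space one that patches ps, which is consistent with what the thread describes.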
Current thread:
- FYI: Bind compromise Jim Olsen (Feb 20)
- Re: FYI: Bind compromise Noel Rosenberg (Feb 20)
- Re: Bind compromise Ryan Sweat (Feb 20)
- Re: FYI: Bind compromise gabriel rosenkoetter (Feb 20)
- Re: FYI: Bind compromise Jim Olsen (Feb 21)
- Re: FYI: Bind compromise gabriel rosenkoetter (Feb 21)
- Re: FYI: Bind compromise Jim Olsen (Feb 21)
- Re: FYI: Bind compromise Jim Olsen (Feb 21)
- Re: Bind compromise Jason Lewis (Feb 20)
- Re: Bind compromise Antonio Carlos Pina (Feb 21)
- Re: Bind compromise John (Feb 21)
- Re: FYI: Bind compromise Phil Brutsche (Feb 20)
- Re: FYI: Bind compromise Jim Olsen (Feb 21)
- Re: FYI: Bind compromise Jason Lewis (Feb 21)
- <Possible follow-ups>
- Re: FYI: Bind compromise Roberto (Feb 21)