Re: RedHat compromise

[Jim Roland <jroland () ROLAND NET>]

Yes, although I disabled his processes and services, I did find (the other
day) that the following were modified, but not your complete list:

syslogd
/usr/sbin/init (inserted) listened on 27444 (udp)
tcpd
there were traces of  .la.pid in /root and /
netstat was modified
/usr/hdbb (contained 24. which now tells me where he came from, sort of)
/usr/ptyq (contained 24. and the processes he was running on ports 54321 and
27665)

Kerberos was not inserted (not installed).

I moved these files out of the way and placed good files back in it's place.
In a nutshell, it looks like his work was only partly completed, but all
packages were overwritten, just syslogd, tcpd, named, and netstat.

Some useful information came from google and lists a site for the DDoS
attack at http://www.infowar.com/iwftp/xforce/advise40.html.  I checked the
other files listed and they were not changed.


----- Original Message -----
From: "Andreas Östling" <andreaso () IT SU SE>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 20, 2001 3:49 PM
Subject: Re: RedHat compromise


> > This looks to be the same MO as another box I've seen.  That smb binary
> > is a modified telnetd (and I believe the password is "Sh!t").  And yeas,
> > it was probably the Bind hole that got you.
> >
> > BTW: use fsck to check your partition map before you reboot... you
> > probably don't have one anymore :)
>
> I've also seen this (on a RH 6.0/i386).
> Here is a quick spontanious summary of other things that were found.
> (probably not 100% correct)
>
> * /usr/sbin/cronlogd - sniffer, using /dev/portd/.log as log file and
> /dev/portd/.pid as pid file
>
> * ls,du - modified to hide files listed in /dev/ptyy
> (.addro,.log,.pid,portd,ptyv,ptyu,ptyy)
>
> * ps - modified to hide processes listed in /dev/ptyu
> (cronlogd,synk5,jess,smurf,ipzoner,imapdx,namedx)
>
> * BIND was upgraded to 8.2.3.
>
> * netstat - modified to hide addresses/ports listed in /dev/ptyq
> (24.,54321, 27665)
>
> * syslogd - modified to hide entries containing strings listed in
> /dev/ptyv (il,net,edu,com,org)
>
> * tcpd was modified (probably to always allow addresses listed in
> /dev/hdbb)
>
> * entries added to /etc/services:
> smbd2           54321/tcp       # Samba
> working         1120/tcp        # Kerberos working daemon
>
> * Trin00 DDoS daemon found as /usr/sbin/init
>   (its old pid files (.la.pid) were found in several places)
>
> * /usr/sbin/init restarted in cron every 5 minutes
>
> * in.telnetd was listening on port 1120/TCP:
> lsof: inetd      1671 root   15u  IPv4 110913       TCP *:working (LISTEN)
> inetd.conf: working stream  tcp     nowait  root    /usr/sbin/tcpd
in.telnetd
> I probably forgot a few things here, but at least it something to look out
> for. Does anyone have a full description (or just more information) of
> this rootkit(/worm?)?
>
>
> Regards,
> Andreas Östling