Security Incidents mailing list archives
Re: RedHat compromise
From: Jim Roland <jroland () ROLAND NET>
Date: Tue, 20 Feb 2001 23:33:07 -0600
Yes, although I disabled his processes and services, I did find (the other day) that the following were modified, but not your complete list:

  syslogd
  /usr/sbin/init (inserted) listened on 27444 (udp)
  tcpd
  there were traces of .la.pid in /root and /
  netstat was modified
  /usr/hdbb (contained 24. which now tells me where he came from, sort of)
  /usr/ptyq (contained 24. and the processes he was running on ports 54321 and 27665)
  Kerberos was not inserted (not installed).

I moved these files out of the way and placed good files back in its place. In a nutshell, it looks like his work was only partly completed, but all packages were overwritten, just syslogd, tcpd, named, and netstat. Some useful information came from google and lists a site for the DDoS attack at http://www.infowar.com/iwftp/xforce/advise40.html. I checked the other files listed and they were not changed.

----- Original Message -----
From: "Andreas Östling" <andreaso () IT SU SE>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 20, 2001 3:49 PM
Subject: Re: RedHat compromise
This looks to be the same MO as another box I've seen. That smb binary is a modified telnetd (and I believe the password is "Sh!t"). And yes, it was probably the Bind hole that got you. BTW: use fsck to check your partition map before you reboot... you probably don't have one anymore :)

I've also seen this (on a RH 6.0/i386). Here is a quick spontaneous summary of other things that were found. (probably not 100% correct)

* /usr/sbin/cronlogd - sniffer, using /dev/portd/.log as log file and /dev/portd/.pid as pid file
* ls, du - modified to hide files listed in /dev/ptyy (.addro, .log, .pid, portd, ptyv, ptyu, ptyy)
* ps - modified to hide processes listed in /dev/ptyu (cronlogd, synk5, jess, smurf, ipzoner, imapdx, namedx)
* BIND was upgraded to 8.2.3.
* netstat - modified to hide addresses/ports listed in /dev/ptyq (24., 54321, 27665)
* syslogd - modified to hide entries containing strings listed in /dev/ptyv (il, net, edu, com, org)
* tcpd was modified (probably to always allow addresses listed in /dev/hdbb)
* entries added to /etc/services:

    smbd2   54321/tcp   # Samba
    working 1120/tcp    # Kerberos working daemon

* Trin00 DDoS daemon found as /usr/sbin/init (its old pid files (.la.pid) were found in several places)
* /usr/sbin/init restarted in cron every 5 minutes
* in.telnetd was listening on port 1120/TCP:

    lsof:
    inetd 1671 root 15u IPv4 110913 TCP *:working (LISTEN)

    inetd.conf:
    working stream tcp nowait root /usr/sbin/tcpd in.telnetd

I probably forgot a few things here, but at least it's something to look out for. Does anyone have a full description (or just more information) of this rootkit(/worm?)?

Regards,
Andreas Östling
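A defender-side check for the artefacts the two posts above list, written here as an added example (it is not code from either poster). It assumes the file names and /etc entries exactly as reported in the thread, and takes the root of the tree to inspect as its argument, so it can be pointed at a mounted image of the box rather than a live, trojaned system whose ls/ps/netstat cannot be trusted:

```shell
#!/bin/sh
# Added example: look for the rootkit artefacts reported in the thread.
# ROOT is the tree to inspect ("/" for the live box, or a mount point of a
# disk image). Findings go to stderr; the number of hits goes to stdout.
check_rootkit_indicators() {
    root="${1:-/}"
    [ "$root" = "/" ] && root=""
    hits=0
    hit() { echo "HIT: $*" >&2; hits=$((hits + 1)); }

    # Hide-lists and sniffer output read by the trojaned ls/du/ps/netstat/syslogd/tcpd.
    for f in /dev/ptyq /dev/ptyu /dev/ptyv /dev/ptyy /dev/hdbb /dev/portd/.log \
             /dev/portd/.pid /usr/hdbb /usr/ptyq; do
        [ -e "$root$f" ] && hit "rootkit config/log file present: $f"
    done

    # Old trin00 pid files (.la.pid) reported in / and /root.
    for f in /.la.pid /root/.la.pid; do
        [ -e "$root$f" ] && hit "trin00 pid file present: $f"
    done

    # The thread found trin00 installed as a regular file /usr/sbin/init; the real
    # init lives in /sbin. On merged-/usr systems /usr/sbin/init is a symlink, so
    # symlinks are deliberately not flagged.
    if [ -f "$root/usr/sbin/init" ] && [ ! -L "$root/usr/sbin/init" ]; then
        hit "/usr/sbin/init is a regular file"
    fi

    # Service names the rootkit added: smbd2 54321/tcp and "working" 1120/tcp.
    if [ -f "$root/etc/services" ] && \
       grep -E '^(smbd2|working)[[:space:]]+(54321|1120)/tcp' "$root/etc/services" >/dev/null; then
        hit "/etc/services carries the smbd2/working entries"
    fi

    # inetd.conf line that hands the "working" port to the backdoored in.telnetd.
    if [ -f "$root/etc/inetd.conf" ] && \
       grep -E '^working[[:space:]]' "$root/etc/inetd.conf" >/dev/null; then
        hit "/etc/inetd.conf starts a service on 'working'"
    fi

    # Cron entries restarting /usr/sbin/init (the thread reports every 5 minutes).
    for f in $(find "$root/etc/crontab" "$root/etc/cron.d" "$root/var/spool/cron" \
                    -type f 2>/dev/null); do
        grep -q '/usr/sbin/init' "$f" && hit "cron file restarts /usr/sbin/init: $f"
    done

    echo "$hits"
}

# Run as a script with the tree to inspect as the only argument.
[ $# -eq 1 ] && check_rootkit_indicators "$1"
```

Because the check reads the filesystem directly, it is not fooled by the modified ls, but a compromised kernel or a trojaned grep/find would still need to be ruled out by booting from clean media.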