Security Incidents mailing list archives
Re: RedHat compromise
From: Justin Shore <macdaddy () NEO PITTSTATE EDU>
Date: Wed, 21 Feb 2001 11:14:29 -0600
Well, if there is a hardcoded IP within the binary, 'strings hacked_binary | less' might help. I doubt that's the case though. If the logs are cleansed, about the only thing left is to fire up a packet sniffer watching all traffic to and from that machine and let it be. That might not be feasible if the machine is one you actually need to use though.

HTH
Justin

On 2/20/01 11:50 PM Jim Roland said...

> Thanks to everyone for their input. One last question, what's the best way to find out his IP address without running his trojans and waiting for him to connect? Based on the "allow" IP list, I know he's coming from 24.*
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jim Roland, RHCE (RedHat Certified Engineer)
> Owner, Roland Internet Services
> "Never settle with words what you can settle with a flamethrower" -- Anonymous
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ----- Original Message -----
> From: "Andreas Östling" <andreaso () IT SU SE>
> To: <INCIDENTS () SECURITYFOCUS COM>
> Sent: Tuesday, February 20, 2001 3:49 PM
> Subject: Re: RedHat compromise
>
>> > This looks to be the same MO as another box I've seen. That smb binary is a modified telnetd (and I believe the password is "Sh!t"). And yes, it was probably the Bind hole that got you.
>> >
>> > BTW: use fsck to check your partition map before you reboot... you probably don't have one anymore :)
>>
>> I've also seen this (on a RH 6.0/i386). Here is a quick spontaneous summary of other things that were found (probably not 100% correct):
>>
>> * /usr/sbin/cronlogd - sniffer, using /dev/portd/.log as log file and /dev/portd/.pid as pid file
>> * ls, du - modified to hide files listed in /dev/ptyy (.addro, .log, .pid, portd, ptyv, ptyu, ptyy)
>> * ps - modified to hide processes listed in /dev/ptyu (cronlogd, synk5, jess, smurf, ipzoner, imapdx, namedx)
>> * BIND was upgraded to 8.2.3.
>> * netstat - modified to hide addresses/ports listed in /dev/ptyq (24., 54321, 27665)
>> * syslogd - modified to hide entries containing strings listed in /dev/ptyv (il, net, edu, com, org)
>> * tcpd was modified (probably to always allow addresses listed in /dev/hdbb)
>> * entries added to /etc/services:
>>       smbd2     54321/tcp    # Samba
>>       working   1120/tcp     # Kerberos working daemon
>> * Trin00 DDoS daemon found as /usr/sbin/init (its old pid files (.la.pid) were found in several places)
>> * /usr/sbin/init restarted in cron every 5 minutes
>> * in.telnetd was listening on port 1120/TCP:
>>       lsof:        inetd  1671  root  15u  IPv4  110913  TCP *:working (LISTEN)
>>       inetd.conf:  working stream tcp nowait root /usr/sbin/tcpd in.telnetd
>>
>> I probably forgot a few things here, but at least it's something to look out for. Does anyone have a full description (or just more information) of this rootkit(/worm?)?
>>
>> Regards,
>> Andreas Östling
--
Justin Shore, ES
Pittsburg State University
Network & Systems Manager
Kelce 157Q
Office of Information Systems
Pittsburg, KS 66762
Voice: (620) 235-4606
Fax: (620) 235-4545
http://www.pittstate.edu/ois/
Warning: This message has been quadruple Rot13'ed for your protection.
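[Editor's added example; this is not code posted by anyone in the thread.] The sweep below turns Andreas's list of artifacts into a POSIX shell check and adds a portable version of Justin's 'strings' suggestion. It assumes the victim's disk is mounted (preferably read-only) from clean rescue media at the path given as ROOT, so the host's own trojaned ls, ps and netstat are never executed; only shell builtins plus grep, head, sed, tr and sort are used. The function names, the ROOT argument and the sample files in the usage notes are this example's own. Paths, ports and service names come straight from Andreas's summary; the hide-list files under /dev are printed because they tell you exactly what the kit is hiding, and /dev/hdbb (the tcpd allow-list) is where the attacker's source network can be read without running his binaries or waiting for him to connect.

```shell
#!/bin/sh
# Added example (not from the thread). Sweeps a mounted suspect filesystem for
# the artifacts Andreas listed for this kit. Run from a clean rescue system
# with the victim disk mounted at ROOT; only shell builtins plus grep, head,
# sed, tr and sort are used, never the host's trojaned ls/ps/netstat.
# Function names and the ROOT argument are this example's own.

hit() { printf 'HIT: %s\n' "$*"; }

scan_rootkit_indicators() {
    root=${1:-/}
    root=${root%/}   # "/" becomes "" so "$root/etc" is "/etc", not "//etc"

    # Hide-lists and work files under /dev. ptyy/ptyu/ptyq/ptyv hold the names,
    # processes, addresses and log strings that the trojaned ls/ps/netstat/
    # syslogd suppress; hdbb is the tcpd allow-list, i.e. the attacker's source
    # nets. Print their contents: that is the intelligence you want.
    for f in dev/ptyy dev/ptyu dev/ptyq dev/ptyv dev/hdbb dev/portd/.log dev/portd/.pid; do
        if [ -e "$root/$f" ]; then
            hit "$f exists"
            [ -f "$root/$f" ] && head -n 20 "$root/$f" | sed 's/^/      /'
        fi
    done

    # Sniffer binary and the Trin00 daemon parked as /usr/sbin/init. On a
    # 2001-era Red Hat box the real init lives in /sbin; on a modern
    # merged-/usr system /usr/sbin/init is legitimate, so read that hit in context.
    for f in usr/sbin/cronlogd usr/sbin/init; do
        [ -e "$root/$f" ] && hit "$f exists"
    done

    # Backdoor service names/ports added to /etc/services.
    svc=$root/etc/services
    if [ -f "$svc" ]; then
        grep -nE '^(smbd2|working)[[:space:]]|[[:space:]](54321|1120)/tcp' "$svc" |
            while IFS= read -r line; do hit "services: $line"; done
    fi

    # inetd entry that ties the fake "working" service to in.telnetd (port 1120).
    inetd=$root/etc/inetd.conf
    if [ -f "$inetd" ]; then
        grep -n '^working[[:space:]]' "$inetd" |
            while IFS= read -r line; do hit "inetd.conf: $line"; done
    fi

    # Cron job that restarts the DDoS daemon every 5 minutes.
    for c in "$root/etc/crontab" "$root"/etc/cron.d/* "$root"/var/spool/cron/*; do
        [ -f "$c" ] && grep -q '/usr/sbin/init' "$c" && hit "cron: $c runs /usr/sbin/init"
    done
    return 0
}

# Justin's `strings hacked_binary | less`, narrowed to dotted quads and built
# from tr/grep so it works without binutils on a rescue shell. Prints each
# distinct IPv4-looking string found in the file once.
find_hardcoded_ips() {
    tr -c '[:print:]' '\n' < "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Stand-alone use:  sh rkscan.sh /mnt/victim   (defaults to the live root)
scan_rootkit_indicators "${1:-/}"
```

Usage: mount the victim disk from clean media and run 'sh rkscan.sh /mnt/victim'; every HIT line is one of Andreas's indicators, and the indented lines under the /dev hits are the hide-lists themselves. 'find_hardcoded_ips /mnt/victim/usr/sbin/cronlogd' is the offline answer to Jim's question when the kit does carry an address; as Justin notes, if it does not, a sniffer on the wire is what is left.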