Security Incidents mailing list archives
Re: Linux box 'infected' with RK15
From: Sean Kelly <lists () SHORTESTPATH ORG>
Date: Thu, 22 Mar 2001 16:46:26 +0000
Hello again,

Thanks to all those who replied. The original hard drive and a dd'ed copy of it are sitting on my desk at home and I hope to put some more investigation into the case this weekend.

Just a few replies to questions already posted:

ToMiller () USAID GOV asked about how the intruder got in. The rootkit install script deleted /var/log/messages, but the machine was running exploitable versions of wu-ftpd, sendmail and NFS (my colleague wasn't very good - perhaps that's why I got the job :). No named was running. I shall look through the other logfiles and see if anything more arises.

HallihanPT () navair navy mil asked whether port 123 was the unrecognised open port. It wasn't port 123 - it was a port that doesn't match anything in /etc/services, or for that fact, anything I think I've met before.

dayioglu () metu edu tr asked about obtaining a disk image. I'd have to ask my superiors about that one...

And now a few extra points I've remembered from my initial look.

(1) The rootkit installed an ssh binary (I should have mentioned this earlier, sorry ;). I have a strong feeling that this service running on a non-standard port is something to do with this.

(2) As a new version of ifconfig was installed by the rootkit, I assume the NIC was set to promisc mode, and was trying to sniff passwords.

(3) An IRC bot was installed. I have the config file so I know which IRC servers and channels it was set up to use.

(4) The host that uploaded the rootkit was located in .ro .

That's it for now. As I said, I'll look into it more this weekend if work is not too busy.

Thanks for all the help so far,

-- 
Sean Kelly <lists () shortestpath org>
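The triage steps Sean describes (spotting a listener that matches nothing in /etc/services, finding where the IRC bot connects to, and checking whether the NIC is in promiscuous mode without trusting the rootkit's replacement ifconfig) can be scripted. The following is an added example, not code from the original post or from the RK15 rootkit, and it works on constructed text: a small /etc/services fragment, a `netstat -an` listing and a set of interface flag values of the kind found under /sys/class/net/<if>/flags on current kernels (a 2001-era 2.2/2.4 box has no sysfs; there you would read the PROMISC flag from `ip link` or a clean statically linked ifconfig). The port 33333, the peer 192.0.2.10 and the interface flag values are constructed for the sample and are not from the incident.

```python
#!/usr/bin/env python3
"""Post-compromise network triage helpers (added example, not from the original post).

Parses netstat/services text rather than calling the tools, so it can be run
against output captured with known-good static binaries, or against text
recovered from the dd'ed image."""
import re

IFF_PROMISC = 0x100  # bit value from <linux/if.h>

# Constructed sample input: a cut-down /etc/services.
SAMPLE_SERVICES = """\
ftp      21/tcp
ssh      22/tcp    # Secure Shell
smtp     25/tcp
sunrpc  111/tcp
sunrpc  111/udp
ntp     123/udp
nfs    2049/tcp
nfs    2049/udp
"""

# Constructed sample input in 'netstat -an' layout. Port 33333 and the
# established peer 192.0.2.10 are invented for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:33333           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:6667           192.0.2.10:43219        ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
"""

# Constructed sample: hex strings as read from /sys/class/net/<if>/flags.
# 0x1103 = IFF_UP | IFF_BROADCAST | IFF_PROMISC | IFF_MULTICAST; 0x9 = IFF_UP | IFF_LOOPBACK.
SAMPLE_IF_FLAGS = {"eth0": "0x1103", "lo": "0x9"}


def parse_services(text):
    """Return {(port, proto): service_name} from /etc/services-style text."""
    known = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        m = re.fullmatch(r"(\d+)/(tcp|udp)", parts[1])
        if m:
            known[(int(m.group(1)), m.group(2))] = parts[0]
    return known


def parse_netstat(text):
    """Return [(proto, local_port, remote, state)] from 'netstat -an' text.

    udp rows carry no State column; they are recorded as LISTEN."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        proto = parts[0].rstrip("6")                # tcp6/udp6 -> tcp/udp
        if proto not in ("tcp", "udp"):
            continue                                # skips header lines too
        local, remote = parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else "LISTEN"
        port = int(local.rsplit(":", 1)[1])         # works for 0.0.0.0:22 and :::22
        rows.append((proto, port, remote, state))
    return rows


def unknown_listeners(rows, known):
    """Listening (port, proto) pairs that have no /etc/services entry."""
    return sorted({(port, proto) for proto, port, _, state in rows
                   if state == "LISTEN" and (port, proto) not in known})


def established_peers(rows):
    """Remote endpoints of established connections (e.g. an IRC bot's server)."""
    return sorted({remote for _, _, remote, state in rows if state == "ESTABLISHED"})


def promisc_interfaces(flags_by_if):
    """Interfaces whose kernel flag word has IFF_PROMISC set."""
    return sorted(name for name, hexval in flags_by_if.items()
                  if int(hexval, 16) & IFF_PROMISC)


if __name__ == "__main__":
    known = parse_services(SAMPLE_SERVICES)
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listeners not in /etc/services:", unknown_listeners(rows, known))
    print("established peers:", established_peers(rows))
    print("promiscuous interfaces:", promisc_interfaces(SAMPLE_IF_FLAGS))
```

Two caveats when using this on a real box. First, rootkits of this family replace netstat, ifconfig, ps and ls, so the netstat text must come from a clean statically linked binary (or from /proc/net/tcp and /proc/net/udp read directly); the script only parses. Second, the kernel itself logs a line when an interface enters promiscuous mode, and that line goes to the syslog facility that normally feeds /var/log/messages, which is one reason a deleted messages file is worth trying to recover from the dd'ed copy.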
Current thread:
- Linux box 'infected' with RK15 Sean Kelly (Mar 21)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)
- Re: Linux box 'infected' with RK15 Thomas Roessler (Mar 23)
- Re: Linux box 'infected' with RK15 Jim Roland (Mar 22)
- <Possible follow-ups>
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 21)
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 22)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 23)
- Re: Linux box 'infected' with RK15 Neal Dias (Mar 23)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)