Security Incidents mailing list archives

Re: Linux box 'infected' with RK15

From: Jim Roland <jroland () ROLAND NET>
Date: Wed, 21 Mar 2001 15:09:47 -0600

You have indeed been rootkitted.  The most frequent service taken over is
telnet, and the "normal" telnet service has been moved to a different port.
You can try inquiring as to the listening ports with a "netstat -atn",
however netstat and route are typically taken over and will hide these
hijacked ports, if they did the rootkit was done completely.

You can consider any binaries and /dev and /etc files on your system
officially unusable.  Restore from a backup, or hopefully you may have used
a program called TripWire that will show you files that have been modified
(tripwire creates a checksum of each file to inquire modifications).


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
    "Never settle with words what you can settle with a flamethrower"
          -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Sean Kelly" <lists () SHORTESTPATH ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, March 20, 2001 4:52 PM
Subject: Linux box 'infected' with RK15

Hello,

  I'm new to this list so please correct me if I step out line here :)

  I have just been handed a Linux web server at my new work place which
appears to have been 'infected' with something called RK15 (Rootkit15, I
believe).  I'm pretty sure I know *how* they got in, but I'm more
interested in *what* this RK15 does.

  I have the install script which installs precompiled binaries of
utilities like ifconfig, top, ps, login - the usual for rootkits (it seems
to mention some actual exploit binaries [t666, wu-exploit] but these are
not on the system.

  There also appears to be a 'new' service listening on a TCP port which,
when opened with telnet, returns a non-sensical string of about 8
characters and seems to be prompting for a response (sorry for the
vagueness - I'm writing this from memory at the moment).

  Does anyone have any knowledge of this rootkit, or have any comments on
the above?

  Thanks,

--
Sean Kelly <lists () shortestpath org>

Current thread:

Linux box 'infected' with RK15 Sean Kelly (Mar 21)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)
  - Re: Linux box 'infected' with RK15 Thomas Roessler (Mar 23)
- Re: Linux box 'infected' with RK15 Jim Roland (Mar 22)
- <Possible follow-ups>
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 21)
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 22)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 23)
  - Re: Linux box 'infected' with RK15 Neal Dias (Mar 23)