Security Incidents mailing list archives
Re: Linux box 'infected' with RK15
From: "Miller, Toby" <ToMiller () USAID GOV>
Date: Thu, 22 Mar 2001 13:22:05 -0500
A cheap man's way of checking binaries (if you did not use tripwire) is to use rpm -Vf "name of file(s)". Another great tool is lsof. I would rebuild it from source but it is still a great tool. BTW, if you need a great resource on forensics see: http://staff.washington.edu/dittrich/misc/forensics. I highly recommend this document.

Toby

-----Original Message-----
From: Jim Roland [mailto:jroland () ROLAND NET]
Sent: Wednesday, March 21, 2001 4:10 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Linux box 'infected' with RK15

You have indeed been rootkitted. The most frequent service taken over is telnet, and the "normal" telnet service has been moved to a different port. You can try inquiring as to the listening ports with a "netstat -atn"; however, netstat and route are typically taken over and will hide these hijacked ports, if they did the rootkit was done completely. You can consider any binaries and /dev and /etc files on your system officially unusable. Restore from a backup, or hopefully you may have used a program called TripWire that will show you files that have been modified (tripwire creates a checksum of each file to inquire modifications).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
"Never settle with words what you can settle with a flamethrower" -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Sean Kelly" <lists () SHORTESTPATH ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, March 20, 2001 4:52 PM
Subject: Linux box 'infected' with RK15
Hello, I'm new to this list so please correct me if I step out of line here :)

I have just been handed a Linux web server at my new work place which appears to have been 'infected' with something called RK15 (Rootkit15, I believe). I'm pretty sure I know *how* they got in, but I'm more interested in *what* this RK15 does. I have the install script which installs precompiled binaries of utilities like ifconfig, top, ps, login - the usual for rootkits (it seems to mention some actual exploit binaries [t666, wu-exploit] but these are not on the system). There also appears to be a 'new' service listening on a TCP port which, when opened with telnet, returns a nonsensical string of about 8 characters and seems to be prompting for a response (sorry for the vagueness - I'm writing this from memory at the moment).

Does anyone have any knowledge of this rootkit, or have any comments on the above?

Thanks,
--
Sean Kelly <lists () shortestpath org>
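Jim's point that a trojaned netstat hides the hijacked ports can be cross-checked against what the kernel itself reports in /proc/net/tcp, since a user-land rootkit that only swaps binaries cannot alter that file. The following is an added example, not code from this thread; the /proc/net/tcp and netstat samples are constructed, and the port numbers and inode values in them are made up.

```python
import re
import socket

# Constructed sample of /proc/net/tcp (not captured from a real host).
# State 0A is LISTEN; local_address is little-endian hex IPv4 : hex port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0050 0100007F:C3D4 01 00000000:00000000 00:00000000 00000000     0        0 1238 1 0000000000000000 100 0 0 10 0
"""

# Constructed output of a trojaned "netstat -atn" that omits one listener.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:80            127.0.0.1:50132         ESTABLISHED
"""

def listeners_from_proc(text):
    """Return {port: ip} for every LISTEN socket in /proc/net/tcp text."""
    found = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue                             # not a listening socket
        hex_ip, hex_port = fields[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(hex_ip)[::-1])  # little-endian
        found[int(hex_port, 16)] = ip
    return found

def listeners_from_netstat(text):
    """Return the set of ports netstat reports in LISTEN state."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def hidden_listeners(proc_text, netstat_text):
    """Ports the kernel says are listening but netstat did not show."""
    kernel = listeners_from_proc(proc_text)
    shown = listeners_from_netstat(netstat_text)
    return sorted((p, kernel[p]) for p in kernel if p not in shown)
```

On a live host, feed it the contents of /proc/net/tcp and the output of netstat -atn; a kernel-level rootkit can also falsify /proc, so agreement between the two is necessary but not sufficient evidence of a clean box.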