Security Incidents mailing list archives

Re: Linux box 'infected' with RK15


From: "Miller, Toby" <ToMiller () USAID GOV>
Date: Thu, 22 Mar 2001 13:22:05 -0500

A cheap man's way of checking binaries (if you did not use tripwire) is to
use rpm -Vf "name of file(s)". Another great tool is lsof. I would rebuild
it from source, but it is still a great tool. BTW, if you need a great
resource on forensics see:

http://staff.washington.edu/dittrich/misc/forensics.

I highly recommend this document.

                                                        Toby

-----Original Message-----
From: Jim Roland [mailto:jroland () ROLAND NET]
Sent: Wednesday, March 21, 2001 4:10 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Linux box 'infected' with RK15


You have indeed been rootkitted.  The most frequent service taken over is
telnet, and the "normal" telnet service has been moved to a different port.
You can try inquiring as to the listening ports with a "netstat -atn";
however, netstat and route are typically taken over and will hide these
hijacked ports if the rootkit was done completely.

You can consider any binaries and /dev and /etc files on your system
officially unusable.  Restore from a backup, or hopefully you may have used
a program called TripWire that will show you files that have been modified
(tripwire creates a checksum of each file to inquire modifications).


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
    "Never settle with words what you can settle with a flamethrower"
          -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Sean Kelly" <lists () SHORTESTPATH ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, March 20, 2001 4:52 PM
Subject: Linux box 'infected' with RK15


Hello,

  I'm new to this list so please correct me if I step out of line here :)

  I have just been handed a Linux web server at my new work place which
appears to have been 'infected' with something called RK15 (Rootkit15, I
believe).  I'm pretty sure I know *how* they got in, but I'm more
interested in *what* this RK15 does.

  I have the install script which installs precompiled binaries of
utilities like ifconfig, top, ps, login - the usual for rootkits (it seems
to mention some actual exploit binaries [t666, wu-exploit] but these are
not on the system).

  There also appears to be a 'new' service listening on a TCP port which,
when opened with telnet, returns a nonsensical string of about 8
characters and seems to be prompting for a response (sorry for the
vagueness - I'm writing this from memory at the moment).

  Does anyone have any knowledge of this rootkit, or have any comments on
the above?

  Thanks,

--
Sean Kelly <lists () shortestpath org>
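The two integrity checks suggested in this thread, Toby's `rpm -V` pass over the installed binaries and the TripWire-style checksum baseline Jim describes, can both be scripted. The POSIX sh below is an added example, not code from any of the posters or from RK15 itself. The `rpm -V` output it parses is a constructed sample (the paths and flag strings are made up), and the baseline demo builds a throwaway directory under mktemp, then replaces, deletes and adds a file to imitate what a rootkit install script does to /bin. The `rpm -V` flag layout it relies on (S size, M mode, 5 digest, T mtime, and the literal word `missing`) is rpm's documented format; `sha256sum` is assumed to exist, with POSIX `cksum` as a weak fallback.

```shell
#!/bin/sh
# Added example: triage rpm -V output, and build/compare a checksum baseline.

# Constructed sample of `rpm -V` output; not taken from the original thread.
SAMPLE_RPM_V='S.5....T.    /bin/ps
.......T.    /etc/motd
S.5....T.  c /etc/inetd.conf
missing     /sbin/ifconfig
.M.......    /usr/bin/top'

rpm_verify_triage() {
    # Read `rpm -V` lines on stdin; emit one "VERDICT path" line per finding.
    # A changed digest (5), size (S) or mode (M) on a binary is the signal;
    # an mtime-only change (T) is low value and is skipped.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}      # first field: the verification flags
        path=${line##* }       # last field: the file path
        case "$flags" in
            missing)      echo "MISSING $path" ;;
            *5*|*S*|*M*)  echo "MODIFIED $path ($flags)" ;;
            *)            : ;;
        esac
    done
}

hash_file() {
    # Prefer a cryptographic digest (what TripWire-style tools use);
    # fall back to POSIX cksum only if sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

make_baseline() {
    # $1 = directory; prints "digest path" for every regular file, sorted.
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

compare_baseline() {
    # $1 = baseline file from make_baseline, $2 = directory to re-hash now.
    current=$(make_baseline "$2")
    # Files recorded in the baseline that changed or disappeared.
    while read -r digest path; do
        now=$(printf '%s\n' "$current" | awk -v p="$path" '$2 == p { print $1 }')
        if [ -z "$now" ]; then
            echo "MISSING $path"
        elif [ "$now" != "$digest" ]; then
            echo "CHANGED $path"
        fi
    done < "$1"
    # Files present now that the baseline never saw (dropped backdoors).
    printf '%s\n' "$current" | while read -r digest path; do
        grep -q " $path\$" "$1" || echo "NEW $path"
    done
}

demo_baseline() {
    # Constructed scenario: baseline three "binaries", then trojan one,
    # delete one and drop a new one, as a rootkit install script would.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'ps v1\n'  > "$tmp/bin/ps"
    printf 'ls v1\n'  > "$tmp/bin/ls"
    printf 'top v1\n' > "$tmp/bin/top"
    make_baseline "$tmp/bin" > "$tmp/baseline.txt"
    printf 'ps trojaned\n' > "$tmp/bin/ps"
    rm "$tmp/bin/top"
    printf 'backdoor\n' > "$tmp/bin/login"
    compare_baseline "$tmp/baseline.txt" "$tmp/bin" | sed "s#$tmp##"
    rm -rf "$tmp"
}

# Usage: triage the sample rpm -V output, then run the baseline scenario.
printf '%s\n' "$SAMPLE_RPM_V" | rpm_verify_triage
demo_baseline
```

In real use the baseline must be generated before the compromise and kept off the box (removable media or a read-only share), since a rootkit that replaces ps and netstat can just as easily edit a baseline file it can reach; and `rpm -V` itself is only trustworthy if the rpm binary and its database have not been touched, which is why the thread's advice is to restore from backup rather than trust any local tool.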
