Re: any1 stumbled across eCkit ?

[Fredrik Ostergren <fredrik.ostergren () freebox com>]

Mailer: SecurityFocus
In-Reply-To: <3.0.5.32.20011126231858.01d7f750@192.168.168.1>

> Received: (qmail 27995 invoked from network); 26 
Nov 2001 22:50:15 -0000
> Received: from outgoing3.securityfocus.com 
(HELO outgoing.securityfocus.com) (66.38.151.27)
>  by mail.securityfocus.com with SMTP; 26 Nov 
2001 22:50:15 -0000
> Received: from lists.securityfocus.com 
(lists.securityfocus.com [66.38.151.19])
>       by outgoing.securityfocus.com (Postfix) 
with QMQP
>       id 6A9F1A3118; Mon, 26 Nov 2001 
15:17:42 -0700 (MST)
> Mailing-List: contact incidents-
help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <incidents.list-id.securityfocus.com>
> List-Post: <mailto:incidents () securityfocus com>
> List-Help: <mailto:incidents-
help () securityfocus com>
> List-Unsubscribe: <mailto:incidents-
unsubscribe () securityfocus com>
> List-Subscribe: <mailto:incidents-
subscribe () securityfocus com>
> Delivered-To: mailing list 
incidents () securityfocus com
> Delivered-To: moderator for 
incidents () securityfocus com
> Received: (qmail 6601 invoked from network); 26 
Nov 2001 22:18:56 -0000
> Message-Id: 
<3.0.5.32.20011126231858.01d7f750@192.168.168.1
> X-Sender: pvzweden@192.168.168.1
> X-Mailer: QUALCOMM Windows Eudora Pro 
Version 3.0.5 (32)
> Date: Mon, 26 Nov 2001 23:18:58 +0100
> To: incidents () securityfocus com
> From: Patrick van Zweden 
<patrick () vanzweden nl eu org>
> Subject: Re: any1 stumbled across eCkit ?
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
>
> At 16:40 26-11-2001 -0500, you wrote:
> >   Can you tell us more about what programs were 
altered and
> > what directories you found the rootkit in?
>
> Sure.
>
> They tried to alter ps, dir, top, slocate, lsof, ifconfig, 
netstat, md5sum,
> pstree, sylogd, in.fingerd, ls and installed a trojaned 
ssh. Most
> modifucations failed due the immutable bit which is 
set on most important
> binaries. Also xntps was installed which is a 
trojaned ssh deamon. The
> xntps read it's config file from /lib/lblip.tk and listened 
on the port 48883.
> Also installed (but not used on my system) were 
libproc.a and libproc.so
> version 2.0.6. I guess they are installed to hide 
some process.

tk = t0rnkit.

a well-known rootkit which is common in the 
scriptkiddie world. Alot of different versions 
circulating. Try doing strings ps | grep /
and check for suspicious strings. Go check those 
files and you will find the controlling file. Also check 
the ls trojan for the same stuff.

> In /lib/ldd.so/ i found the patch script and a file called 
td. Strings
> revealed that it is some kind of testing program but i 
don't know for sure. 

Probably not tfn2k, more likely it's stacheldraht which 
is also often included with those different t0rnkit 
versions.

> Well, that's it so far. I'm currently looking for more 
suspicious things.
> Luckily they installed programs which require glibc, 
which doesn't exists
> on the system. So searching for the string GLIBC 
reveals a lot.
> If you like i can send you the whole stuff i've found 
so far.

Contact me at press () alldas de if you need more info 
or if you wan't me to do an analysis or something. 
Thanks!

/ Fredrik

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com