Security Incidents mailing list archives
Re: any1 stumbled across eCkit ?
From: Fredrik Ostergren <fredrik.ostergren () freebox com>
Date: 29 Nov 2001 09:55:44 -0000
Mailer: SecurityFocus
In-Reply-To: <3.0.5.32.20011126231858.01d7f750@192.168.168.1>
> Date: Mon, 26 Nov 2001 23:18:58 +0100
> To: incidents () securityfocus com
> From: Patrick van Zweden <patrick () vanzweden nl eu org>
> Subject: Re: any1 stumbled across eCkit ?
>
> At 16:40 26-11-2001 -0500, you wrote:
> > Can you tell us more about what programs were altered and
> > what directories you found the rootkit in?
>
> Sure. They tried to alter ps, dir, top, slocate, lsof, ifconfig,
> netstat, md5sum, pstree, syslogd, in.fingerd, ls and installed a trojaned
> ssh. Most modifications failed due to the immutable bit which is
> set on most important binaries. Also xntps was installed which is a
> trojaned ssh daemon. The xntps read its config file from /lib/lblip.tk
> and listened on the port 48883.
>
> Also installed (but not used on my system) were libproc.a and libproc.so
> version 2.0.6. I guess they are installed to hide some process.

tk = t0rnkit. A well-known rootkit which is common in the scriptkiddie
world. A lot of different versions circulating. Try doing strings ps |
grep / and check for suspicious strings. Go check those files and you
will find the controlling file. Also check the ls trojan for the same
stuff.

> In /lib/ldd.so/ I found the patch script and a file called td. Strings
> revealed that it is some kind of testing program but I don't know for
> sure.

Probably not tfn2k, more likely it's stacheldraht which is also often
included with those different t0rnkit versions.

> Well, that's it so far. I'm currently looking for more suspicious things.
> Luckily they installed programs which require glibc, which doesn't exist
> on the system. So searching for the string GLIBC reveals a lot.
>
> If you like I can send you the whole stuff I've found so far.

Contact me at press () alldas de if you need more info or if you want me
to do an analysis or something.

Thanks!
/ Fredrik

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
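As an added example (not code from the thread), the two checks described above in one script: it pulls printable runs out of a binary the way strings(1) does, lists the ones containing a path (the `strings ps | grep /` check), and flags GLIBC version tags on a host that has no glibc, plus the /lib/lblip.tk config path Patrick names. The two sample "binaries" are constructed byte strings, not real rootkit files.

```python
"""Triage helper for suspect system binaries (added example, not from the thread)."""
import re
import sys

MIN_LEN = 4  # strings(1) default: runs of at least 4 printable bytes
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_GLIBC_SYM = re.compile(r"GLIBC_\d+\.\d+")  # version tags such as GLIBC_2.0

# Indicator quoted in the thread: the trojaned sshd ("xntps") read its config here.
KNOWN_CONFIG_PATHS = ("/lib/lblip.tk",)

# Constructed sample "binaries" for offline testing; not real rootkit bytes.
SAMPLE_TROJANED = b"\x7fELF\x01\x00ps\x00/lib/lblip.tk\x00GLIBC_2.0\x00/proc\x00Usage: ps\x00"
SAMPLE_CLEAN = b"\x7fELF\x01\x00Usage: %s [options]\x00/proc/%d/stat\x00GLIBC_2.0\x00"


def extract_strings(data):
    """Equivalent of strings(1): every run of >= MIN_LEN printable ASCII bytes."""
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(data)]


def triage(data, host_has_glibc):
    """Return the strings worth a human's eye plus concrete findings."""
    strings = extract_strings(data)
    path_strings = sorted({s for s in strings if "/" in s})  # strings | grep /
    glibc_refs = sorted({m.group() for s in strings for m in _GLIBC_SYM.finditer(s)})
    findings = []
    for s in path_strings:
        for cfg in KNOWN_CONFIG_PATHS:
            if cfg in s:
                findings.append("references known rootkit config path " + cfg)
    if glibc_refs and not host_has_glibc:
        findings.append("references glibc (%s) on a host without glibc"
                        % ", ".join(glibc_refs))
    return {"path_strings": path_strings, "glibc_refs": glibc_refs, "findings": findings}


if __name__ == "__main__":
    # usage: python triage.py [--no-glibc] /bin/ps /bin/ls ...
    args = sys.argv[1:]
    has_glibc = "--no-glibc" not in args
    for path in [a for a in args if a != "--no-glibc"]:
        with open(path, "rb") as fh:
            report = triage(fh.read(), has_glibc)
        print("== " + path)
        for s in report["path_strings"]:
            print("  path:", s)
        for f in report["findings"]:
            print("  FINDING:", f)
```

Run it against a copy of the suspect binaries taken from a known-clean boot medium, not the live (possibly trojaned) ps, and compare the path list against what the distribution's own package of the same version embeds.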