Security Incidents mailing list archives

Re: hpd, afb, sc, and sn


From: Greg Barnes <greg () ins com>
Date: Fri, 20 Dec 2002 16:19:04 -0600

Gordon,

Check out:
http://www.ebagu.com/hacked.html




Friday, December 20, 2002, 3:11:31 PM, you wrote:


GC> I found suspicious-looking files on a Redhat 7.1 Linux server earlier
GC> today.  Can anyone confirm or deny that the machine has been hacked?

GC> The files:
GC> /usr/bin/hpd
GC> /usr/bin/afb
GC> /usr/bin/sn

GC> The following line is in /etc/rc.local:
GC> /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null

GC> The contents of hpd are:
GC> #!/bin/sh
GC> /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
GC> /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null

GC> nmap reports the following ports open:
GC> Port       State       Service
GC> 5/tcp      open        rje
GC> 22/tcp     open        ssh
GC> 25/tcp     open        smtp
GC> 53/tcp     open        domain
GC> 80/tcp     open        http
GC> 111/tcp    open        sunrpc
GC> 443/tcp    open        https
GC> 808/tcp    open        unknown
GC> 1024/tcp   open        kdm
GC> 3306/tcp   open        mysql
GC> 7000/tcp   open        afs3-fileserver
GC> 8009/tcp   open        ajp13

GC> According to an rpm -V, all kinds of binaries have been changed: ps,
GC> top, netstat, ifconfig, ...

GC> I copied a good version of ps in and found the two afb processes
GC> running.

GC> Anyone know about this hack, what afb does and/or how they usually get
GC> in?

GC> Embarrassedly, 
GC>  -Gordon



-


Regards,

Greg Barnes       DotDot: greg at ins.com
CISA/CISSP       RingRing:  918-630-3228
CCSA/CCSE       BeepBeep:  800-467-1467

"But, alas, how frequently, how almost 
universal it is in an author to persuade 
himself of the truth of his own dogmas."
                     --Darwin
PGP Fingerprint:
723E 7CAD 4EF5 D904 1EE8  5279 71A5 A594 E6A7 C48E

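The three checks Gordon describes (rpm -V for altered binaries, the nmap port list against what the box should be serving, and rc.local for persistence) are easy to script. The POSIX shell below is an added example, not code from the thread or from any rootkit writeup it links to; all input is constructed sample data modelled on the post so it runs offline, and the baseline port list, the TROJANED?/MISSING labels and the rc.local heuristics are my assumptions, not anything the original poster stated.

```shell
#!/bin/sh
# Added triage helpers (example code, not from the thread).  Constructed
# sample input is embedded so the script runs offline; on a live box pipe
# the real commands in, e.g.   rpm -Va | classify_rpm_verify
# Run the checks from a trusted binary set (mounted CD or statically linked
# tools): the post shows ps/netstat/ifconfig themselves were replaced.

# rpm -V flag columns: S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime; '.' means the attribute matched.  A 'c' after the flags
# marks a config file.  Only a changed digest on a non-config file in a
# bin/sbin directory is treated as a replaced binary; mtime-only drift and
# config edits are normal.
classify_rpm_verify() {
    awk '
        $1 == "missing"       { print "MISSING   " $NF; next }
        $2 == "c"             { next }          # config drift is expected
        index($1, "5") == 0   { next }          # contents unchanged
        $NF ~ /^\/(usr\/(local\/)?)?s?bin\// { print "TROJANED? " $NF "  " $1 }
    '
}

# Ports nmap reported open that are not in the expected-service baseline.
# Input: nmap "PORT STATE SERVICE" lines on stdin; $1: space-separated ports.
unexpected_ports() {
    awk -v base="$1" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        /^[0-9]+\/tcp/ { split($1, p, "/"); if (!(p[1] in ok)) print p[1], $3 }
    '
}

# Non-comment rc.local lines that use a "/./" path component or silence
# their output into /dev/null, the pattern of the line in the post.
suspicious_rc_local() {
    grep -nE '^[^#].*(/\./|>>? */dev/null)'
}

# --- constructed sample data (assumption: what rpm -V, nmap and rc.local
# --- would look like on the box in the post) ---
SAMPLE_RPM_V='S.5....T   /bin/ps
S.5....T   /usr/bin/top
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
S.5....T c /etc/ssh/sshd_config
.......T   /usr/share/man/man1/ls.1.gz
missing    /usr/bin/lsof'

SAMPLE_NMAP='Port       State       Service
5/tcp      open        rje
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
111/tcp    open        sunrpc
443/tcp    open        https
808/tcp    open        unknown
1024/tcp   open        kdm
3306/tcp   open        mysql
7000/tcp   open        afs3-fileserver
8009/tcp   open        ajp13'

# Assumed baseline: what this web/mail/DNS/MySQL host is meant to serve.
EXPECTED_PORTS="22 25 53 80 111 443 3306 8009"

SAMPLE_RC='#!/bin/sh
# This script will be executed *after* all the other init scripts.
touch /var/lock/subsys/local
/usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null'

triage_demo() {
    echo "== package-managed binaries whose contents changed =="
    printf '%s\n' "$SAMPLE_RPM_V" | classify_rpm_verify
    echo "== listening ports not in baseline (check each with a clean lsof -i) =="
    printf '%s\n' "$SAMPLE_NMAP" | unexpected_ports "$EXPECTED_PORTS"
    echo "== rc.local persistence candidates =="
    printf '%s\n' "$SAMPLE_RC" | suspicious_rc_local
}

triage_demo
```

On the sample data the first check flags ps, top, netstat and ifconfig and reports lsof missing, the second leaves 5, 808, 1024 and 7000 unexplained (the two afb listeners from hpd are 5 and 7000), and the third pulls out the single rc.local line. rpm -V only compares against the local RPM database, which an attacker with root can also edit; treat a clean result as weak evidence and a dirty one as strong.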

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
