Security Incidents mailing list archives
Re: nasty tripwire report
From: David Worth <cesium () ahpcc unm edu>
Date: Wed, 16 Jan 2002 14:22:45 -0700 (MST)
Heya,

I have become intimately familiar with this specific rootkit recently due to a series of compromises which I investigated. The rootkit's name is Bobkit and is written by the du-crew (DownUnder crew... Sargeant is the author's handle) which used to be found at http://www.du-crew.com which appears to have been compromised (no irony is lost here). The du-crew owns both du-crew.org and du-crew.com and have such cute whois entries... they are k-r@d.

Interestingly enough in the cases which I investigated the binaries seemed to be linked against the wrong version of glibc, and were thus causing a SEGFAULT. (It's always interesting to log into a box which has a segfaulting ls but which has an uncompromised stat)

This rootkit actually has several parts I didn't see in your tripwire logs which include things like bkit-patch which actually upgrades to the newest versions of the rootkit using a version of wget which they include. The kit usually includes backdoored versions of ssh (running on ports > 1024) etc...

If anyone wants any further information on my experiences with the kit feel free to contact me.

On Sun, 13 Jan 2002, Chester Jankowski wrote:
It looks like someone wasn't watching their Saturday morning cartoons yesterday and decided to crack my home Linux box instead. I have included the juicy bits from the tripwire report below. Now I have several questions for the security experts here. Is this attack a recognized one? Any suggestions for log analysis to track down the intruder? Is the only recovery here a complete re-install? And lastly, is there any place I should report the incident?
I would look in /var/log/messages*, /var/log/daemon*, /var/log/auth.log*, etc for the intruder and then reinstall from scratch because it appears they compromised a whole chunk of libraries and such which should never be trusted again.

- snip -
Added:
"/usr/lib/..."
"/usr/lib/.../ls"
"/usr/lib/.../netstat"
"/usr/lib/.../lsof"
"/usr/lib/.../bkit-ssh"
"/usr/lib/.../bkit-ssh/bkit-shdcfg"
"/usr/lib/.../bkit-ssh/bkit-shhk"
"/usr/lib/.../bkit-ssh/bkit-pw"
"/usr/lib/.../bkit-ssh/bkit-shrs"
"/usr/lib/.../bkit-ssh/bkit-shd.pid"
"/usr/lib/.../uconf.inv"
"/usr/lib/.../psr"
"/usr/lib/.../find"
"/usr/lib/.../pstree"
"/usr/lib/.../slocate"
"/usr/lib/.../du"
"/usr/lib/.../top"
- snip -
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
Added:
"/usr/bin/ntpsx"
- snip -
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/ls"
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/netstat)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/netstat"
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/ps"
- snip -

--dave worth
... Crunch crunch crunch CRUNCH crunch crunch crunch CrunCH ...

-------------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
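The Tripwire excerpt quoted in this thread can be triaged mechanically for the three things the replies point at: the dot-named hidden directory under /usr/lib, files carrying the kit's bkit- naming, and severity-100 modifications of core utilities. The following is an added example, not code from the thread or from Tripwire; the report text is a constructed sample in the quoted layout, and the "Libraries (/usr/lib)" rule name is an assumption, since the quoted excerpt lost that header.

```python
import re
# Constructed excerpt in the layout of the Tripwire report quoted above; the
# "Libraries" rule name is assumed, since the quoted excerpt lost that header.
REPORT = """\
----------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
----------------------------------------------------------------------------
Added:
"/usr/lib/..."
"/usr/lib/.../bkit-ssh/bkit-shd.pid"
----------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
----------------------------------------------------------------------------
Modified:
"/bin/ls"
"""

# A path component made only of dots ("..." in the report) hides from a casual ls.
DOT_ONLY_COMPONENT = re.compile(r"(?:^|/)\.{3,}(?:/|$)")

def parse_report(text):
    """Return one dict per reported path: rule, severity, change type, path."""
    entries, rule, severity, change = [], None, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Rule Name:"):
            rule = line.split(":", 1)[1].strip()
        elif line.startswith("Severity Level:"):
            severity = int(line.split(":", 1)[1])
        elif line in ("Added:", "Modified:", "Removed:"):
            change = line[:-1]
        elif len(line) > 1 and line[0] == line[-1] == '"':
            entries.append({"rule": rule, "severity": severity,
                            "change": change, "path": line[1:-1]})
    return entries

def triage(entries):
    """Flag the thread's patterns: dot-only dirs, bkit-* names, replaced utilities."""
    findings = []
    for e in entries:
        if DOT_ONLY_COMPONENT.search(e["path"]):
            findings.append(("dot-only directory component", e["path"]))
        if e["path"].rsplit("/", 1)[-1].startswith("bkit-"):
            findings.append(("Bobkit-style file name", e["path"]))
        if e["change"] == "Modified" and e["severity"] >= 100:
            findings.append(("core utility replaced", e["path"]))
    return findings
```

Any hit from the first two checks is reason enough to treat the host as David describes: collect the logs, then rebuild from known-good media rather than trusting the replaced binaries.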