Security Incidents mailing list archives

RPC EXPLOIT statdx

From: "John Stauffacher" <stauffacher () chapman edu>
Date: Tue, 22 Jan 2002 18:05:32 -0800

In the past few days my firewall has picked up a surge of rpc related
exploits (statdx) coming from the UK and various other off-shore sites.
Anyone else see any strange rpc related activity, or am I just suddenly
the target of pissed off script kiddies.


++
John Stauffacher
Network Administrator
Chapman University
stauffacher () chapman edu
714-628-7249

-----Original Message-----
From: Vladimir Ivaschenko [mailto:hazard () francoudi com] 
Sent: Tuesday, January 22, 2002 1:43 PM
To: incidents () securityfocus com
Subject: optic rootkit (was Re: xsf/xchk)

By using "strings" I have found that changed binaries to point to
files inside /dev/tux directory. Judging by /dev/tux/ssh2/logo,
the name of the rootkit is "Optic Kit". I couldn't find anything
about it using Google. If somebody is interested, I can share
needed information and the rootkit itself. I have made a copy of
the rookit-related files that I found. wtmp was removed, and
/var/log/messages was cleaned to remove references about attacker
- e.g. FTP "connection opened" messages.

We are going to reinstall the system, so please email me ASAP if
you're interested to know any additional details.

Vladimir Ivaschenko wrote about "xsf/xchk":

Hi,

Today a RedHat 7.1 Linux machine of my friend was compromised.  
I have just started investigating, so I don't have any 
information of how it was done. After attack login via console 
stopped working.

I have found the following files in /usr/bin: xchk and xsf. They
are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
sitting on port 14859. I don't know what is the purpose of xchk.
killall and ps were also replaced by programs which hide xsf and
xchk.

Does anyone saw something similar before and can point me to some 
information? I tried searching for xsf / xchk in Google and 
didn't have any results.

-- 
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)


-- 
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

xsf/xchk Vladimir Ivaschenko (Jan 22)
- optic rootkit (was Re: xsf/xchk) Vladimir Ivaschenko (Jan 22)
  - RPC EXPLOIT statdx John Stauffacher (Jan 23)
    - Re: RPC EXPLOIT statdx Brian (Jan 23)