Security Incidents mailing list archives
RPC EXPLOIT statdx
From: "John Stauffacher" <stauffacher () chapman edu>
Date: Tue, 22 Jan 2002 18:05:32 -0800
In the past few days my firewall has picked up a surge of RPC-related exploit attempts (statdx) coming from the UK and various other off-shore sites. Anyone else see any strange RPC-related activity, or am I just suddenly the target of pissed off script kiddies?

++
John Stauffacher
Network Administrator
Chapman University
stauffacher () chapman edu
714-628-7249

-----Original Message-----
From: Vladimir Ivaschenko [mailto:hazard () francoudi com]
Sent: Tuesday, January 22, 2002 1:43 PM
To: incidents () securityfocus com
Subject: optic rootkit (was Re: xsf/xchk)

By using "strings" I have found that the changed binaries point to files inside the /dev/tux directory. Judging by /dev/tux/ssh2/logo, the name of the rootkit is "Optic Kit". I couldn't find anything about it using Google. If somebody is interested, I can share the needed information and the rootkit itself. I have made a copy of the rootkit-related files that I found. wtmp was removed, and /var/log/messages was cleaned to remove references to the attacker, e.g. FTP "connection opened" messages. We are going to reinstall the system, so please email me ASAP if you're interested in knowing any additional details.

Vladimir Ivaschenko wrote about "xsf/xchk":
Hi,

Today a RedHat 7.1 Linux machine of my friend was compromised. I have just started investigating, so I don't have any information on how it was done. After the attack, login via console stopped working. I have found the following files in /usr/bin: xchk and xsf. They are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon sitting on port 14859. I don't know what the purpose of xchk is. killall and ps were also replaced by programs which hide xsf and xchk. Has anyone seen something similar before and can point me to some information? I tried searching for xsf / xchk in Google and didn't get any results.

--
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)
--
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
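Vladimir's two findings, a trojaned ps/killall that hide processes and binaries that reference a non-device directory under /dev, both have cheap checks a responder can run before deciding to reinstall. The script below is an added example written for this archive page; it is not code from either poster. It assumes that `ps -e -o pid=` prints one PID per line and that the `KNOWN_DEV_DIRS` list covers the legitimate multi-component /dev paths on the host; the sample `strings` output and PID listings are constructed, not taken from the compromised machine.

```python
#!/usr/bin/env python3
"""Added example (not from the original thread): two checks for the tampering
described in the xsf/xchk and "Optic Kit" reports.

1. A trojaned ps hides the attacker's processes, but the kernel's /proc does
   not, so PIDs present in /proc and absent from ps are suspect.
2. /dev normally holds device nodes, not directories full of files, so a path
   such as /dev/tux/ssh2/logo inside a system binary is a strong indicator.
"""
import os
import re
import subprocess
from typing import Iterable, List, Set

# Assumed allow-list of legitimate /dev subdirectories on a typical Linux host.
KNOWN_DEV_DIRS = ("/dev/pts/", "/dev/shm/", "/dev/mapper/", "/dev/disk/",
                  "/dev/input/", "/dev/net/", "/dev/fd/")
# /dev/<dir>/<rest>: only paths with at least one directory component under /dev.
DEV_PATH = re.compile(r"/dev/[A-Za-z0-9_.+-]+/[A-Za-z0-9_./+-]*")


def suspicious_dev_paths(strings_output: Iterable[str]) -> List[str]:
    """Return /dev/<dir>/... paths from `strings` output that are not under
    a known device subdirectory, in order of first appearance."""
    hits: List[str] = []
    for line in strings_output:
        for path in DEV_PATH.findall(line):
            if not path.startswith(KNOWN_DEV_DIRS) and path not in hits:
                hits.append(path)
    return hits


def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """Numeric entries of a /proc directory listing are live PIDs."""
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps(ps_output: str) -> Set[int]:
    """Parse `ps -e -o pid=` output (one PID per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(proc_pids: Iterable[int], ps_pids: Iterable[int]) -> Set[int]:
    """PIDs the kernel reports in /proc that ps does not show."""
    return set(proc_pids) - set(ps_pids)


def live_hidden_pids() -> Set[int]:
    """Run the /proc-vs-ps comparison on this host (empty set where /proc is
    absent). Caveat: catches a replaced ps binary, not a kernel-level rootkit
    that also filters /proc; short-lived processes can cause one-off false
    positives, so repeat the check and intersect the results."""
    if not os.path.isdir("/proc"):
        return set()
    proc_pids = pids_from_proc(os.listdir("/proc"))
    result = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=False)
    return hidden_pids(proc_pids, pids_from_ps(result.stdout))


# Constructed sample data standing in for `strings /usr/bin/ps`, `ls /proc`
# and `ps -e -o pid=` on a box with a hidden daemon on PID 14859.
SAMPLE_STRINGS = ["/lib/ld-linux.so.2", "libc.so.6", "/proc/%d/stat",
                  "/dev/tux/hide.conf", "/dev/pts/%d", "/dev/null"]
SAMPLE_PROC = ["1", "2", "431", "14859", "self", "cpuinfo", "meminfo"]
SAMPLE_PS = "    1\n    2\n  431\n"

if __name__ == "__main__":
    print("suspect /dev paths:", suspicious_dev_paths(SAMPLE_STRINGS))
    print("hidden PIDs (sample):",
          hidden_pids(pids_from_proc(SAMPLE_PROC), pids_from_ps(SAMPLE_PS)))
    print("hidden PIDs (this host):", live_hidden_pids())
```

Both checks only compare what the suspect tools say against an independent source, so they are a triage aid, not proof of a clean system; once a replaced ps or a /dev/tux reference turns up, the host is untrusted and the reinstall Vladimir chose is the right call.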
Current thread:
- xsf/xchk Vladimir Ivaschenko (Jan 22)
- optic rootkit (was Re: xsf/xchk) Vladimir Ivaschenko (Jan 22)
- RPC EXPLOIT statdx John Stauffacher (Jan 23)
- Re: RPC EXPLOIT statdx Brian (Jan 23)
- RPC EXPLOIT statdx John Stauffacher (Jan 23)
- optic rootkit (was Re: xsf/xchk) Vladimir Ivaschenko (Jan 22)