Security Incidents mailing list archives

RECAP: possible rootkit, maybe partial?


From: "Benjamin Tomhave" <falcon () cybersecret com>
Date: Thu, 3 Apr 2003 14:45:17 -0700

First off, thank you to everyone who responded!  Very helpful information
that has allowed me to recover more gracefully on at least a couple systems.

Second, just a brief recap.  I'm fairly positive now that the first machine
(of four) was compromised due to a missing patch.  Being an older Cobalt
RaQ4r, it likely presented itself as a nice, soft target.  I believe that
the other three machines (all RH8) were compromised after the attacker
gathered info from the primary victim; info such as passwords, etc.  On the
3 RH8 systems, I do show single ssh connections lasting a couple minutes at
the same time listed on the .sk12 folder and its contents.  This leads me to
believe that the attacker used ssh to remotely install the rootkit, perhaps
by cat'ing the file and piping it to ssh, or something along those lines.

The Cobalt system had to be completely rebuilt.  It got eaten alive,
basically.  One of the RH8 systems also had to be rebuilt because it ceased
wanting to reboot after I tried to manually remove the .sk12 directory (I
had not seen previous notes about /sbin/init*).  The second RH8 system
(third victim) was rebuilt for good measure (it was a good opportunity to
add another NIC for dual-homing).  The final RH8/compromised system is
currently still up, just with the network cable disconnected, so that it can
be studied later.

Again, I wish to thank everyone for their generous assistance with this
matter!  I've had my head in architecture design for so long that I was very
out-of-sorts with the best method for incident response and triage.

cheers,

-ben
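
The correlation Ben describes above (ssh session windows lined up against the timestamps on the .sk12 directory and its contents) as an added example that is not part of the original post: a small Python script that parses `last` output, which prints no year, and lists the files whose mtime falls inside each completed session. The session lines, the file names under .sk12 and the mtimes are constructed sample data, not values from the incident.

```python
import re
from datetime import datetime, timedelta

# One completed session as printed by `last` (no year, so the year is supplied).
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}) - (?P<end>\d{2}:\d{2})"
)

def parse_last(text, year):
    """Return (user, host, start, end) for each completed session in `last` output."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:  # 'still logged in', 'wtmp begins ...', blank lines
            continue
        start = datetime.strptime(f"{year} {m['start']}", "%Y %a %b %d %H:%M")
        end_h, end_m = map(int, m["end"].split(":"))
        end = start.replace(hour=end_h, minute=end_m)
        if end < start:  # session ran past midnight
            end += timedelta(days=1)
        sessions.append((m["user"], m["host"], start, end))
    return sessions

def files_touched_during(sessions, files, slack=timedelta(minutes=1)):
    """Map each session to the files whose mtime lies inside it (+/- slack)."""
    hits = {}
    for user, host, start, end in sessions:
        key = f"{user}@{host} {start:%Y-%m-%d %H:%M}-{end:%H:%M}"
        hits[key] = sorted(p for p, t in files if start - slack <= t <= end + slack)
    return hits

# Constructed sample data (not from the original post): `last` output and mtimes
# gathered with find/stat on a host that still has the .sk12 directory.
LAST_OUTPUT = """\
root     pts/1        203.0.113.7      Tue Apr  1 02:13 - 02:16  (00:03)
ben      pts/0        192.0.2.10       Tue Apr  1 09:02 - 11:40  (02:38)
ben      pts/0        192.0.2.10       Wed Apr  2 08:55   still logged in
"""
FILE_MTIMES = [  # (path, mtime); the .sk12 file names are placeholders
    ("/usr/lib/.sk12/bin1", datetime(2003, 4, 1, 2, 14)),
    ("/usr/lib/.sk12/lib1", datetime(2003, 4, 1, 2, 15)),
    ("/sbin/init", datetime(2003, 4, 1, 2, 16)),
    ("/var/log/messages", datetime(2003, 4, 1, 9, 30)),
    ("/home/ben/.bash_history", datetime(2003, 4, 1, 11, 39)),
]

if __name__ == "__main__":
    for session, paths in files_touched_during(parse_last(LAST_OUTPUT, 2003), FILE_MTIMES).items():
        print(session, "->", paths or "no files modified")
```

A short session from an unfamiliar host that coincides with writes to a hidden directory and to /sbin/init is the pattern to look for; local console logins print no host column, so they are skipped by this parser.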

