Security Incidents mailing list archives
New toolkit (maybe)
From: Devdas Bhagat <devdas () worldgatein net>
Date: Thu, 7 Dec 2000 20:06:35 +0530
We had two machines taken out, both running Redhat 6.1. The cracker did the following things:

Modified login, ps, ls, who, w, $PATH, netstat, lsof (to put sbin in first). [Maybe some more modifications as well -- being told to do nothing for ten hours and then do an analysis is not good for the analyser.] Linked /root/.bash_history to /dev/null. Changed permissions on the above files, as well as made /etc/rc.d/rc.sysinit non-executable. Installed rtty, cons.saver, ssh [trojan], gib [Perl script to open random ports], pback, a file called ..[6 nonviewable characters]belina in /usr/local/man/man1, /dev/hd10, a couple more entries in /dev. nas, jcd, qmgr and auds were installed. tar was modified on one of the machines, but not the other. The date on sshd was August 30; the date on the ssh-client and keygen was June 15.

I had no backup disks (and still have none :() on which to dump the contents of the disk for forensic analysis, so I can't provide the files for analysis. [Of course, the data is backed up.] Opened ports 22/tcp, 996/tcp, 12213/tcp, 18186/tcp, 18666/tcp. The machine is rebuilt, so I can't find out which other files were modified. Also, the machines being production machines, I couldn't even mount the disks ro (mail servers), so I can't analyse the logs.

Does anyone know of a toolkit that does this? Particularly the changed dates. A Google search and a securityfocus search have turned up nothing.

Devdas Bhagat
--
I'm going to Boston to see my doctor. He's a very sick man.
-- Fred Allen
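An added example, not code from the post and not any of the tools the poster mentions: the two checks a responder would run on a box like the ones described. First, a hash/mode baseline taken from a known-good install is compared with the current tree, which surfaces replaced binaries (ls, ps, netstat), permission changes (rc.sysinit made non-executable) and dropped files. Second, the "changed dates" question: utime(2) lets an attacker set mtime to any value, but the kernel updates ctime on that same call and ctime cannot be set from user space, so a file whose mtime says August and whose ctime says today has been touched. All paths, file contents, and the 30 August date in the demo are constructed for illustration, as is the hypothetical replacement for ls.

```python
"""Baseline diff plus ctime/mtime timestomp check (added example, constructed data)."""
import hashlib
import os
import stat
import tempfile
from collections import namedtuple

Entry = namedtuple("Entry", "sha256 mode size mtime ctime")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file (path relative to root) to its hash and inode metadata."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: do not follow symlinks an attacker planted
            if not stat.S_ISREG(st.st_mode):
                continue
            out[os.path.relpath(p, root)] = Entry(
                sha256_of(p), stat.S_IMODE(st.st_mode), st.st_size, st.st_mtime, st.st_ctime)
    return out


def compare(baseline, current):
    """Return {relpath: [reasons]} for every file that differs from the baseline."""
    findings = {}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings[rel] = ["missing"]
            continue
        reasons = []
        if new.sha256 != old.sha256:
            reasons.append("content changed")
            if new.mtime <= old.mtime:
                # A genuine upgrade moves mtime forward; new content with an
                # older or identical mtime means somebody set the date by hand.
                reasons.append("mtime not newer than baseline despite new content")
        if new.mode != old.mode:
            reasons.append("mode changed %o -> %o" % (old.mode, new.mode))
        if not reasons and new.ctime != old.ctime:
            reasons.append("inode metadata changed (ctime) with same content and mode")
        if reasons:
            findings[rel] = reasons
    for rel in sorted(current.keys() - baseline.keys()):
        findings[rel] = ["new file"]
    return findings


def backdated_files(root, slack=3600):
    """Regular files whose ctime is more than `slack` seconds after their mtime.

    Needs no baseline.  Caveat: package managers and `tar -p` restore the
    archive's mtime on install, so on a real system raise `slack` well past
    the install age, or limit the scan to paths that should never change.
    """
    return sorted(rel for rel, e in snapshot(root).items() if e.ctime - e.mtime > slack)


def demo():
    """Constructed scenario: baseline a tiny tree, 'compromise' it the way the
    post describes, and return what the two checks report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for name in ("ls", "ps", "rc.sysinit"):
            p = os.path.join(bindir, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(p, 0o755)
        baseline = snapshot(root)

        # Attacker replaces ls (hypothetical wrapper), then dates it 30 Aug 2000 UTC ...
        ls = os.path.join(bindir, "ls")
        with open(ls, "wb") as f:
            f.write(b"#!/bin/sh\n/bin/ls.orig \"$@\" | grep -v sniffer\n")
        august30 = 967593600
        os.utime(ls, (august30, august30))
        # ... strips the exec bit from rc.sysinit ...
        os.chmod(os.path.join(bindir, "rc.sysinit"), 0o644)
        # ... and drops a file whose name starts with ".." (constructed name).
        with open(os.path.join(bindir, "..hidden"), "wb") as f:
            f.write(b"backdoor\n")

        findings = compare(baseline, snapshot(root))
        stomped = backdated_files(root)
    return findings, stomped


if __name__ == "__main__":
    found, stomped = demo()
    for rel, reasons in sorted(found.items()):
        print("%-16s %s" % (rel, "; ".join(reasons)))
    print("timestomped:", stomped)
```

On Red Hat, `rpm -Va` does the baseline half against the package database, but rpm, its shared libraries and the database itself sit on the compromised disk, so run it (or this script) with the disk mounted read-only on a clean host, or from trusted boot media; tools such as Tripwire and AIDE keep the baseline off-box for the same reason. The ctime check is the one that survives without any baseline, and it also explains why "the date on sshd was August 30" is not evidence of when the file was written.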
Current thread:
- New toolkit (maybe) Devdas Bhagat (Dec 11)
- Re: New toolkit (maybe) Perry Harrington (Dec 12)