Security Incidents mailing list archives
Re: rooted with lots of files in /dev/sdc0/.nfs01
From: ken () VORTEXCORP COM (Ken Lyon)
Date: Thu, 24 Feb 2000 19:51:53 -0500
My guess is you have a clear text password file out there on your system and maybe not on the root partition. Sauber came into one of my systems last Nov. Doh, I was using qpopper beta. Back to 2.53. Qpopper buffer overflow (or at least the tail end) was in a not-so-common log setup I use, so a common rootkit didn't clean it.

    U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;

It sent mail:

    sendmail[11082]: LAA11079: to=b1ue () hotmail com, ctladdr=root (0/0),
    sshd[11090]: log: Connection from 206.82.141.102 port 61189

If I remember, the name of the clear-text password file is in the t0rnsniff or sauber file. Your who may not work right either. I took a look at the connecting sshd IP with nmap and ntis. Very interesting. I reported the incident to CERT. I hadn't joined this list, or even known much about it, until the door broke. I don't know about the kernel module, I missed that and everything is a fresh install.

...bh

At 09:49 PM 2/23/00, Jeff Macdonald wrote:
Has anyone seen this? Some files of interest:

    [root@hacked .nfs01]# ls
    amdex     ssh_config        sshbd.tgz      t0rnparse
    rpcscan   ssh_host_key      sshconfig.tgz  t0rnsniff
    sauber    ssh_host_key.pub  sshd
    ssh       ssh_random_seed   sshd_config

Also, ps showed the programs scan and z0ne. But doing a find for those files turned up no results, even after replacing find. However, after rebooting, find found the files. So this leads me to believe that there was also a kernel module hiding searches for scan and z0ne.

To top things off, /etc/rc.d/rc.sysinit was appended with this:

    #Inetd startup
    if [ -x /usr/sbin/in.inetd ]; then
        /usr/sbin/in.inetd -s
    fi

which was listening on port 511. A strings shows this string of interest: leeto's socket demon, v1.0 (c) spam 1998. So, does anyone know what the kernel module name might be?
------------------------------------------------------------------
Ken Lyon
Network Operations Center - Vortex Technologies, Inc.
http://www.VortexCorp.com/
Voice: +1 732.918.6004 / FAX: +1 732.918.6005
"..It don't mean a thing if you cain't get that Ping...." Duke Ellington, 1932
------------------------------------------------------------------
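The two host-level indicators the thread describes (an appended in.inetd stanza in rc.sysinit and a rootkit drop directory hidden under /dev) can be triaged from a trusted boot or a mounted image with the checks below. This is an added example, not code from either poster; it assumes the rc script path and the /dev tree are passed in as arguments so it can be run against a mounted copy of the compromised disk rather than the live, possibly LKM-hidden, filesystem.

```shell
#!/bin/sh
# Added triage helpers for the indicators in the thread above.
# Run these from a clean boot or against a mounted image: the thread notes
# that a kernel module hid files from find on the live system, so results
# from the running host are not trustworthy.

# Report any line of an rc script that starts the standalone inetd-style
# listener seen in the thread ("/usr/sbin/in.inetd -s"). Exit status is
# non-zero when nothing matches, so it can gate a larger script.
find_rc_backdoor() {
    # $1: path to the rc script to inspect (e.g. /mnt/image/etc/rc.d/rc.sysinit)
    grep -n 'in\.inetd' "$1"
}

# List regular files and dot-named directories under a /dev tree. Device
# nodes are expected there; regular files and hidden directories such as
# /dev/sdc0/.nfs01 are not, and are where the thread's rootkit lived.
find_nondevice_entries() {
    # $1: path of the /dev tree to inspect (e.g. /dev or /mnt/image/dev)
    find "$1" \( -type f -o \( -type d -name '.*' \) \) -print
}

# On the live host, check whether anything is listening on the backdoor
# port reported in the thread (511). Format assumes Linux netstat columns.
check_listener() {
    # $1: TCP port number
    netstat -an 2>/dev/null | awk -v p=":$1\$" '$4 ~ p && $6 == "LISTEN"'
}
```

A non-empty result from any of the three functions is a lead for forensic review, not proof of compromise on its own.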