Security Incidents mailing list archives

Re: rooted with lots of files in /dev/sdc0/.nfs01


From: ken () VORTEXCORP COM (Ken Lyon)
Date: Thu, 24 Feb 2000 19:51:53 -0500


My guess is you have a clear-text password file out there on your system,
and maybe not on the root partition.
Sauber came into one of my systems last Nov. Doh, I was using qpopper beta.
Back to 2.53
The qpopper buffer overflow (or at least the tail end of it) was in a not-so-common
log setup I use, so a common rootkit didn't clean it:
U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U^??;U
  ^??;U^??;U^??;U^??;U^??;U^??;
It sent mail:
sendmail[11082]: LAA11079: to=b1ue () hotmail com, ctladdr=root (0/0),
sshd[11090]: log: Connection from 206.82.141.102 port 61189

If I remember, the name of the clear-text password file is in the t0rnsniff
or sauber file.
Your who may not work right either.

I took a look at the connecting sshd IP with nmap and ntis. Very interesting.
I reported the incident to CERT.
I hadn't joined this list, or even known much about it, until the door broke.

I don't know about the kernel module, I missed that and everything is a
fresh install.

...bh

At 09:49 PM 2/23/00, Jeff Macdonald wrote:
Has anyone seen this?

Some files of interest:

[root@hacked .nfs01]# ls
amdex             ssh_config        sshbd.tgz         t0rnparse
rpcscan           ssh_host_key      sshconfig.tgz     t0rnsniff
sauber            ssh_host_key.pub  sshd
ssh               ssh_random_seed   sshd_config

Also, ps showed the programs scan and z0ne. But doing a find for those
files turned up no results, even after replacing find. However, after
rebooting, find found the files.

So this leads me to believe that there was also a kernel module hiding
searches for scan and z0ne.
To top things off, /etc/rc.d/rc.sysinit was appended with this:

#Inetd startup
if [ -x /usr/sbin/in.inetd ]; then
    /usr/sbin/in.inetd -s
fi

which was listening on port 511. A strings shows this string of interest:

leeto's socket demon, v1.0 (c) spam 1998.

So, does anyone know what the kernel module name might be?

------------------------------------------------------------------
Ken Lyon
Network Operations Center - Vortex Technologies, Inc.
http://www.VortexCorp.com/
Voice: +1 732.918.6004 / FAX: +1 732.918.6005

"..It don't mean a thing if you cain't get that Ping...."
Duke Ellington, 1932
-----------------------------------------------------------------
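The three checks a responder would want after reading this thread, as an added example that is not code from either poster: pull the commands an init script actually executes and compare them against a known-good list of boot-time binaries (the `/usr/sbin/in.inetd` stanza appended to rc.sysinit shows up as unknown), pull printable strings out of a binary the way strings(1) does and match them against the "leeto's socket demon" banner, and flag TCP listeners (port 511 here) that are not in the set you expect on the box. The init-script tail, the allowlist, the binary blob and the `netstat -an` lines are all constructed samples modelled on what the post describes; the allowlist stands in for whatever your package manager's file manifest says on a real system.

```python
"""Post-compromise triage checks (added example, not from the thread).

Every input below is a constructed sample: the rc.sysinit tail copies the
stanza quoted in the post, the allowlist is a stand-in for a package
manifest, the 'binary' is junk bytes around the backdoor banner, and the
netstat lines are made up to include a listener on port 511.
"""

# Constructed sample: tail of /etc/rc.d/rc.sysinit with the appended stanza.
RC_SYSINIT = """\
# Run any startup scripts
if [ -x /etc/rc.d/rc.local ]; then
    /etc/rc.d/rc.local
fi
#Inetd startup
if [ -x /usr/sbin/in.inetd ]; then
    /usr/sbin/in.inetd -s
fi
"""

# Constructed allowlist; on a real host build it from rpm -qal / dpkg -L.
KNOWN_BOOT_BINARIES = {
    "/etc/rc.d/rc.local",
    "/usr/sbin/inetd",
    "/sbin/update",
    "/sbin/depmod",
}


def extract_invocations(script_text):
    """Absolute paths that appear as the command of a line (not inside tests).

    `if [ -x /path ]` lines are skipped on purpose: the test tells you the
    script *checks* for the binary, the bare line tells you it *runs* it.
    """
    found = []
    for line in script_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith(("if ", "elif ", "[", "test ")):
            continue
        first = stripped.split()[0]
        if first.startswith("/"):
            found.append(first)
    return found


def unknown_boot_binaries(script_text, known=KNOWN_BOOT_BINARIES):
    """Executed paths that no package on the allowlist accounts for."""
    return [p for p in extract_invocations(script_text) if p not in known]


def printable_strings(blob, min_len=4):
    """Minimal strings(1): runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Constructed stand-in for the in.inetd binary: non-printable bytes around
# the banner the post reports, plus a shell path a backdoor would carry.
FAKE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(0, 32)) * 3
    + b"leeto's socket demon, v1.0 (c) spam 1998.\x00"
    + b"\x00\xff\x90" * 10 + b"/bin/sh\x00"
)

BANNERS = ("leeto's socket demon",)


def banner_hits(blob):
    """Strings in blob that contain a known backdoor banner."""
    return [s for s in printable_strings(blob) if any(b in s for b in BANNERS)]


# Constructed `netstat -an` excerpt; 511 is the port the post describes.
NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:511             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
"""


def unexpected_listeners(netstat_text, expected=(22, 25, 110)):
    """TCP ports in LISTEN state that are not on the expected list."""
    ports = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        if port not in expected:
            ports.append(port)
    return ports


if __name__ == "__main__":
    print("unknown boot binaries:", unknown_boot_binaries(RC_SYSINIT))
    print("banner hits:", banner_hits(FAKE_BINARY))
    print("unexpected listeners:", unexpected_listeners(NETSTAT))
```

All three checks read from data you copy off the box, so they are only as trustworthy as the copies: run them against a filesystem mounted from clean media, or after the reboot that made `find` honest again in the post, since a kernel module that hides files can just as easily hide the stanza from whatever reads the script in place.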