Security Incidents mailing list archives

RedHat 6.2 boxes root'ed, shitc.tgz installed


From: josh <dorqus () FREEK COM>
Date: Wed, 18 Oct 2000 11:23:20 -0400

A client of our company's had 5 or so RedHat 6.2 boxes
rooted (default install, everything enabled - that's what they
get for not letting us build 'em ;)

The attackers left behind a tarball called 'shitc.tgz'
in /usr/bin/.../.terminfo
There is a modified sshd /bin/fgry which listens on port 5665
and /bin/in.slogind that listens on port 19000.

There was also a bouncer, mdidentd, etc.  Plus a little
shell script called "die" to install all the good stuff for you.
It left text files in /dev/hdaa, /dev/ddth3, /dev/ddtz1 that
are config files for the modified programs to ignore.

Binaries replaced are:
ls, named, nc, netstat, ps, pstree, rpc.statd, sloging, syslogd, and top.

The tarball also came with some DoS tools - boink, bonk, citra, flip, frag,
jolt, lod, land, land2, land2, moyari13, nestea, ntear, smbquery,
ssping, syndrop, tear2, teardrop, w2, whisper, ww.

The rootkit also came with a bunch of network scanning utilities
and the like.

Just a heads up - scan your boxes for ports 5665 and 19000.
There also could be processes listening on ports 24, 63, 1900,
and 6667. (If you don't already have ircd running)

--
josh
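An added triage script built around the indicators in josh's post (the listening ports, the dropped file paths and the replaced binaries). It is not part of the original message. Only those port numbers and paths come from the post; the function names, the netstat field layout, the assumed install locations of the replaced binaries and the rpm check are assumptions. Because ps, netstat and ls are on the replaced list, the box's own tools cannot be trusted for this: feed flag_listeners the output of a netstat from rescue media or an external port scan, and run check_paths against a disk mounted from a clean boot.

```sh
#!/bin/sh
# Added example, not from the original post. Port numbers and dropped-file paths are
# taken from the post; everything else (function names, binary locations, rpm use)
# is an assumption.

SUSPECT_PORTS="5665 19000 24 63 1900 6667"
SUSPECT_PATHS="/usr/bin/.../.terminfo /bin/fgry /bin/in.slogind /dev/hdaa /dev/ddth3 /dev/ddtz1"
# Assumed RedHat 6.2 locations of the binaries the post says were replaced.
REPLACED_BINS="/bin/ls /usr/sbin/named /usr/bin/nc /bin/netstat /bin/ps /usr/bin/pstree /sbin/rpc.statd /sbin/syslogd /usr/bin/top"

# Read "netstat -an" style lines on stdin and print every LISTEN socket whose local
# port is on the suspect list. Exit status 0 = nothing found, 1 = at least one hit.
# Only trust this with output from a clean netstat or an external scan, since the
# rooted box's /bin/netstat is one of the replaced binaries.
flag_listeners() {
    hit=0
    while read -r proto recvq sendq laddr raddr state; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        for p in $SUSPECT_PORTS; do
            if [ "$port" = "$p" ]; then
                echo "suspect listener: $laddr"
                hit=1
            fi
        done
    done
    return $hit
}

# Look for the dropped files under the root given as $1: "" for the live system, or
# something like /mnt/victim for a disk mounted from clean media. Prints each path
# found; exit status 1 if any exist, 0 otherwise.
check_paths() {
    root=$1
    hit=0
    for f in $SUSPECT_PATHS; do
        if [ -e "$root$f" ]; then
            echo "rootkit artifact present: $root$f"
            hit=1
        fi
    done
    return $hit
}

# Ask the RPM database whether each replaced binary still matches its package
# (rpm -V prints a line with "5" in it when the file's MD5 sum has changed, and
# nothing when the file is intact). Like everything else here, this only means
# something from a clean boot: a trojaned rpm or libc can lie as easily as a
# trojaned ps.
verify_binaries() {
    for b in $REPLACED_BINS; do
        if [ -e "$b" ]; then
            rpm -Vf "$b"
        fi
    done
    return 0
}
```

Typical use on a suspect disk mounted read-only at /mnt/victim: `check_paths /mnt/victim`, then pipe a trusted `netstat -an` (or a converted nmap result) into `flag_listeners`. The 24, 63, 1900 and 6667 entries only matter where the post's caveat applies, i.e. the host is not legitimately running ircd or other services on those ports.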
