Security Incidents mailing list archives

Re: RedHat 6.2 boxes root'ed, shitc.tgz installed


From: Jeremy Gaddis <jlgaddis () BLUERIVER NET>
Date: Sat, 21 Oct 2000 11:43:05 -0500

On Wed, 18 Oct 2000, josh wrote:

A client of our company's had 5 or so RedHat 6.2 boxes
rooted (default install, everything enabled - that's what they
get for not letting us build 'em ;)

The attackers left behind a tarball called 'shitc.tgz'
in /usr/bin/.../.terminfo
There is a modified sshd /bin/fgry which listens on port 5665
and /bin/in.slogind that listens on port 19000.

[snip]

Seen the same thing a month or two ago.  I
made a similar post to incidents and posted
a URL where the shitc.tgz could be obtained.

IIRC, some of the various /dev/* files are
used as some type of "configuration" files
for the various trojaned binaries.  Netstat,
for example, reads one of the files and will
not show any connections to or from the 24/8
and 63/8 networks, nor connections to ports
6667 and 19000.

BTW, for anyone who wants the rootkit, it's at:
http://www.blueriver.net/~jlgaddis/shitc.tgz.
About 2.1 MB, IIRC.

-jg

--
Jeremy L. Gaddis     <jlgaddis () blueriver net>
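An added example (not part of the thread, and not the rootkit's own code): a trojaned netstat can filter what it prints, but it cannot edit the kernel's own socket table, so the practical check on a box like the ones described is to parse /proc/net/tcp directly and diff it against what netstat reports. The script below does that with constructed /proc/net/tcp lines, a model of the hide rules Jeremy describes (24/8, 63/8, ports 6667 and 19000), and a look for listeners on the two backdoor ports josh reported (5665 and 19000). The sample rows, the "fake netstat" model and the function names are assumptions for illustration.

```python
"""Added example: spot connections a trojaned netstat hides by comparing
its output against a raw parse of /proc/net/tcp.  Sample data is
constructed; the hide rules model the behaviour described in the thread."""
import ipaddress
import socket
import struct

# Hide rules attributed to the trojaned netstat in the thread (assumed model).
HIDDEN_NETS = [ipaddress.ip_network("24.0.0.0/8"), ipaddress.ip_network("63.0.0.0/8")]
HIDDEN_PORTS = {6667, 19000}
# Backdoor listeners named in the original report (/bin/fgry, /bin/in.slogind).
BACKDOOR_PORTS = {5665, 19000}
TCP_LISTEN = 0x0A  # 'st' column value for a listening socket

# Constructed /proc/net/tcp excerpt (tcp4 only).  Addresses are hex u32 in
# host (little-endian on x86) byte order, ports are big-endian hex.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1621 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0
   1: 00000000:4A38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0
   3: 0A01A8C0:0016 0500000A:9C41 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0
   4: 0A01A8C0:80E8 07060518:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0
   5: 0A01A8C0:4A38 1E140A3F:C738 01 00000000:00000000 00:00000000 00000000     0        0 1006 1 0
"""


def decode_endpoint(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080): unpack the little-endian u32
    the kernel writes for the address, then the hex port."""
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return [(local_addr, local_port, remote_addr, remote_port, state), ...]."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        laddr, lport = decode_endpoint(parts[1])
        raddr, rport = decode_endpoint(parts[2])
        rows.append((laddr, lport, raddr, rport, int(parts[3], 16)))
    return rows


def trojan_would_hide(row):
    """Model of the described filter: drop rows touching 24/8 or 63/8, or
    either port 6667 or 19000 on the local or remote side."""
    laddr, lport, raddr, rport, _state = row
    if lport in HIDDEN_PORTS or rport in HIDDEN_PORTS:
        return True
    return any(ipaddress.ip_address(a) in net
               for a in (laddr, raddr) for net in HIDDEN_NETS)


def trojaned_netstat(rows):
    """What the trojaned binary would print for the given kernel table."""
    return [r for r in rows if not trojan_would_hide(r)]


def find_hidden(kernel_rows, netstat_rows):
    """Rows the kernel knows about that netstat did not report."""
    return [r for r in kernel_rows if r not in netstat_rows]


def find_backdoor_listeners(kernel_rows):
    """Local ports in LISTEN state matching the reported backdoor ports."""
    return sorted(r[1] for r in kernel_rows
                  if r[4] == TCP_LISTEN and r[1] in BACKDOOR_PORTS)


if __name__ == "__main__":
    kernel = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for row in find_hidden(kernel, trojaned_netstat(kernel)):
        print("hidden by netstat: %s:%d <-> %s:%d (state %02X)" % row)
    print("backdoor listeners:", find_backdoor_listeners(kernel))
```

On a live box, feed the real /proc/net/tcp (and tcp6) into parse_proc_net_tcp and compare against the endpoints netstat -an prints; any row present in the kernel table but absent from netstat is being filtered. Since the kit replaces userland binaries, run the comparison from tools on trusted read-only media rather than the host's own cat, netstat or python.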

