Security Incidents mailing list archives
Re: RedHat 6.2 boxes root'ed, shitc.tgz installed
From: Jeremy Gaddis <jlgaddis () BLUERIVER NET>
Date: Sat, 21 Oct 2000 11:43:05 -0500
On Wed, 18 Oct 2000, josh wrote:

> A client of our company's had 5 or so RedHat 6.2 boxes rooted (default
> install, everything enabled - that's what they get for not letting us
> build 'em ;)
>
> The attackers left behind a tarball called 'shitc.tgz' in
> /usr/bin/.../.terminfo
>
> There is a modified sshd /bin/fgry which listens on port 5665 and
> /bin/in.slogind that listens on port 19000.
[snip]

Seen the same thing a month or two ago. I made a similar post to incidents and posted a URL where the shitc.tgz could be obtained.

IIRC, some of the various /dev/* files are used as some type of "configuration" files for the various trojaned binaries. Netstat, for example, reads one of the files and will not show any connections to or from the 24/8 and 63/8 networks, nor connections to ports 6667 and 19000.

BTW, for anyone who wants the rootkit, it's at: http://www.blueriver.net/~jlgaddis/shitc.tgz. About 2.1 MB, IIRC.

-jg

-- 
Jeremy L. Gaddis <jlgaddis () blueriver net>
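The practical lesson of the two posts above is that a trojaned netstat cannot be trusted to report the backdoor listeners (5665, 19000) or the peers it is told to hide (24/8, 63/8, ports 6667 and 19000), so a responder should read the kernel's socket table directly and diff it against what the userland tool claims. The script below is an added example written for this archive page; it is not code from the thread, the rootkit, or any tool the posters mention. It assumes the /proc/net/tcp format of Linux on a little-endian (x86) host, where addresses are hex-encoded in host byte order, and the port and network values are taken from the posts; the /proc/net/tcp contents and the simulated netstat listener list are constructed sample data.

```python
import ipaddress
import socket
import struct

# Values taken from the thread: backdoor listeners on 5665 and 19000, and the
# 24/8, 63/8 networks plus ports 6667 and 19000 that the trojaned netstat hides.
WATCH_PORTS = {5665, 6667, 19000}
HIDDEN_NETS = [ipaddress.ip_network("24.0.0.0/8"), ipaddress.ip_network("63.0.0.0/8")]
TCP_LISTEN = 0x0A  # socket state value used by /proc/net/tcp

# Constructed sample of /proc/net/tcp (not captured from a real host).
# Row 1: sshd on 22; rows 2-3: listeners on 5665 (0x1621) and 19000 (0x4A38);
# row 4: 192.168.1.10 -> 63.1.2.3:6667 (IRC, hidden network and hidden port);
# row 5: 24.5.6.7 connected to local port 22 (hidden network).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:1621 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 00000000:4A38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 0A01A8C0:C6B4 0302013F:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 20 4 30 10 -1
   4: 0A01A8C0:0016 07060518:D431 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0 20 4 30 10 -1
"""

# Constructed stand-in for what a trojaned netstat reported as listening:
# it shows 22 and 5665 but silently drops 19000, as the post describes.
SAMPLE_TOOL_LISTEN_PORTS = {22, 5665}


def decode_addr(hexaddr):
    """Turn '0100007F:16E2' (little-endian hex IPv4, hex port) into ('127.0.0.1', 5858)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the /proc/net/tcp table into dicts with local/remote endpoints, state and inode."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue  # header or malformed row
        entries.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": int(fields[3], 16),
            "inode": fields[9],
        })
    return entries


def find_hidden_sockets(entries):
    """Flag sockets that the rootkit's netstat would conceal, straight from kernel state."""
    findings = []
    for e in entries:
        lip, lport = e["local"]
        rip, rport = e["remote"]
        reasons = []
        if e["state"] == TCP_LISTEN:
            if lport in WATCH_PORTS:
                reasons.append("listener on backdoor/hidden port")
        else:
            if lport in WATCH_PORTS or rport in WATCH_PORTS:
                reasons.append("connection on hidden port")
            if any(ipaddress.ip_address(rip) in net for net in HIDDEN_NETS):
                reasons.append("peer in hidden network")
        if reasons:
            findings.append((f"{lip}:{lport}", f"{rip}:{rport}", reasons))
    return findings


def listeners_missing_from_tool(entries, tool_listen_ports):
    """Listening ports the kernel knows about but the userland tool did not report.
    Any non-empty result means the tool's output is being filtered."""
    kernel_ports = {e["local"][1] for e in entries if e["state"] == TCP_LISTEN}
    return sorted(kernel_ports - set(tool_listen_ports))


if __name__ == "__main__":
    # On a live host you would read open("/proc/net/tcp").read() instead of the sample.
    entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for local, remote, why in find_hidden_sockets(entries):
        print(f"{local:>22} -> {remote:<22} {', '.join(why)}")
    print("listeners hidden by tool:", listeners_missing_from_tool(entries, SAMPLE_TOOL_LISTEN_PORTS))
```

The diff in listeners_missing_from_tool is the part worth keeping in an incident toolkit: it is independent of which ports this particular kit hides, because it compares the kernel's own table with the binary's output rather than looking for known values. A copy of netstat, ps and ls from a clean medium (or a statically linked rescue set) is still needed for the rest of the triage, since the post notes the kit trojans several binaries and keeps its configuration under /dev.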