Re: FYI: Bind compromise

[Jim Olsen <jim () CYBERJUNKEES COM>]

On Tuesday 20 February 2001 19:35, Phil Brutsche wrote:
> I disagree that this is a BIND 8.2.3 exploit.  If it was we probably would
> have heard about it on BugTraq by now :)

As do I, after now having more time to look into it. see my previous post in
response to gabriel rosenkotter.

> I've seen this rootkit (or, at least, this back door) on a RedHat box that
> had no business running, and was not running, BIND.  They were, however,
> running all sorts of other services (it was RedHat 6.0, with *no*
> updates) that had nasty vulnerabilities.
>
> If you still have access to the compromised system, I think you'll find
> some files under /dev/sdc0/ (where the ssh backdoor gets its
> configuration).

/dev/sdc0/ is there with the appropriate config files, yes.

> > I think you will also find /usr/sbin/in.sysched.  I have no idea what that
> does; I've heard it may be a DDoS tool.  I haven't been able to find
> anything conclusive about it on google, and nothing on packetstorm and
> SecurityFocus.

/usr/sbin/in.sysched is not there:
[root@ns4 sbin]# ls in.*
in.amdq     in.ftpd    in.ntalkd  in.rlogind  in.telnetd  in.wuftpd
in.comsat   in.identd  in.popper  in.rshd     in.tftpd    in.xfingerd
in.fingerd  in.mtftpd  in.rexecd  in.talkd    in.timed

> What I know about it starts with the (way too short) thread at
> http://plug.skylab.org/200007/msg00526.html, and another (also way too
> short) at http://www.linux.ie/pipermail/ilug/2000-September/022860.html.
> As well as some stuff in Norwegian.

Thanks for the info.
--
Jim Olsen
Systems Administrator