Re: RedHat compromise

[Justin Shore <macdaddy () NEO PITTSTATE EDU>]

Well, if there is a hardcoded IP within the binary, 'strings
hacked_binary | less' might help.  I doubt that's the case though.  If
the logs are cleansed, about the only thing left is to fire up a packet
sniffer watching all traffic to and from that machine and let it be.
That might not be feasible if the machine is one you actually need to use
though.

HTH
  Justin

On 2/20/01 11:50 PM Jim Roland said...

> Thanks to everyone for their input.  One last question, what's the best way
> to find out his IP address without running his trojans and waiting for him
> to connect?  Based on the "allow" IP list, I know he's coming from 24.*
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jim Roland, RHCE (RedHat Certified Engineer)
> Owner, Roland Internet Services
>    "Never settle with words what you can settle with a flamethrower"
>          -- Anonymous
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ----- Original Message -----
> From: "Andreas Östling" <andreaso () IT SU SE>
> To: <INCIDENTS () SECURITYFOCUS COM>
> Sent: Tuesday, February 20, 2001 3:49 PM
> Subject: Re: RedHat compromise
>
>
> > > This looks to be the same MO as another box I've seen.  That smb binary
> > > is a modified telnetd (and I believe the password is "Sh!t").  And yeas,
> > > it was probably the Bind hole that got you.
> > >
> > > BTW: use fsck to check your partition map before you reboot... you
> > > probably don't have one anymore :)
> >
> > I've also seen this (on a RH 6.0/i386).
> > Here is a quick spontanious summary of other things that were found.
> > (probably not 100% correct)
> >
> > * /usr/sbin/cronlogd - sniffer, using /dev/portd/.log as log file and
> > /dev/portd/.pid as pid file
> >
> > * ls,du - modified to hide files listed in /dev/ptyy
> > (.addro,.log,.pid,portd,ptyv,ptyu,ptyy)
> >
> > * ps - modified to hide processes listed in /dev/ptyu
> > (cronlogd,synk5,jess,smurf,ipzoner,imapdx,namedx)
> >
> > * BIND was upgraded to 8.2.3.
> >
> > * netstat - modified to hide addresses/ports listed in /dev/ptyq
> > (24.,54321, 27665)
> >
> > * syslogd - modified to hide entries containing strings listed in
> > /dev/ptyv (il,net,edu,com,org)
> >
> > * tcpd was modified (probably to always allow addresses listed in
> > /dev/hdbb)
> >
> > * entries added to /etc/services:
> > smbd2           54321/tcp       # Samba
> > working         1120/tcp        # Kerberos working daemon
> >
> > * Trin00 DDoS daemon found as /usr/sbin/init
> >   (its old pid files (.la.pid) were found in several places)
> >
> > * /usr/sbin/init restarted in cron every 5 minutes
> >
> > * in.telnetd was listening on port 1120/TCP:
> > lsof: inetd      1671 root   15u  IPv4 110913       TCP *:working (LISTEN)
> > inetd.conf: working stream  tcp     nowait  root    /usr/sbin/tcpd
> in.telnetd
> > I probably forgot a few things here, but at least it something to look out
> > for. Does anyone have a full description (or just more information) of
> > this rootkit(/worm?)?
> >
> >
> > Regards,
> > Andreas Östling



--
Justin Shore, ES                Pittsburg State University
Network & Systems Manager       Kelce 157Q
Office of Information Systems   Pittsburg, KS 66762
Voice: (620) 235-4606           Fax: (620) 235-4545
http://www.pittstate.edu/ois/

Warning:  This message has been quadruple Rot13'ed for your protection.