Security Incidents mailing list archives
Re: New maniac rootkit
From: Chris Ess <azarin () tokimi net>
Date: Thu, 21 Jun 2001 10:34:24 -0400 (EDT)
I don't know how much help I can be, but...
> -rwxr-xr-x 1 root root 44313 Apr 2 15:24 bnc - Bot Net Client? bnc.conf mentions port 6667
> -rw-r--r-- 1 root ftp 52 May 11 08:19 bnc.conf - bnc's config file
I think bnc is short for 'bouncer'. It's a program you use to connect to an IRC server that allows you to alter your host information. You might be able to use it to mislead other sorts of applications, but I'm unsure. One thing that script kiddies like to use bouncers for is getting access to IRC networks from which they have been banned.
> -rwxr-xr-x 1 root root 16533 Apr 3 13:30 maniac3 - No clue. Perhaps someone on the list can ID this
Did you run strings on it? The output could be helpful in identification. I don't know what that would be, though.
> There is at least one more file here, called sush, for su'ed shell, I believe. This is what's running on port 45559.
Nice... I'll remember to start watching my firewall logs for that port too.
> adore.o and ava prob hide themselves at the kernel level, so they are prob there, I just can't see them.
Did you try an lsmod?
> 2 backdoors:
>   in /usr/sbin/mailrc
>     Senha errada.
>     Foda-se l4mm0!
>     Bem Vindo MaNiAc 31337 a sua makina!
>     Voce Tem o controle! =)
If I /had/ to guess, I'd say that's Portuguese.
>   in /dev/ptyxx/.proc (runlevels?)
>     2 eggdrop
Was there an eggdrop bin in the root kit? (I missed it in your list if there was one.)
>     2 httpd
(These numbers don't look like runlevels, for what it's worth.) Why is this one here? Might be a good question to ask.
> I also know it's making IRC connections, plus has at least one rootshell running.
That would be explained through bnc. Also, if there was an eggdrop bin, that would explain it too. (eggdrop is a kind of IRC bot for those who are unfamiliar.)
> I can't confirm this without modifying bits of the box, to replace ps with a known good copy, and I can't do that until one of my colleagues looks at it to get first hand experience.
I'd say glean all the information you can and then wipe the box entirely and reinstall. Not much else you can do.

--CAE
Kujikenaikara!
Sub caelo noctis sto quod stellae mihi spem dant.
"Just a whisper. I hear it in my ghost." --Major Motoko Kusanagi, "Ghost in the Shell"
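Two of the checks suggested in the reply above, running strings on the unidentified binary and watching firewall logs for the backdoor port, can be done with nothing but POSIX tools from a rescue shell. The script below is an added example written for this archive page; it is not code from the thread or from any of the people in it. The strings extraction imitates strings(1) with tr and grep so it does not depend on binutils on the compromised host; the indicator pattern is an assumption for illustration that mixes values from the thread (port 6667, bnc.conf, port 45559) with generic IRC protocol verbs; and the "binary" and firewall log lines are constructed sample data, not artifacts from any real machine.

```shell
#!/bin/sh
# Added example, not from the thread: offline triage helpers.
#  - extract_strings: strings(1)-style dump using only tr and grep
#  - count_indicators: how many extracted strings look IRC/backdoor related
#  - count_port_hits: how many iptables LOG lines hit a given destination port

# Print every run of 4 or more printable characters in FILE, like strings(1).
# Every non-printable byte becomes a newline, then short runs are dropped.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Count extracted strings matching IRC/bouncer/backdoor indicators.
# Pattern is an assumption for illustration: values from the thread plus
# IRC protocol verbs. "|| true" keeps a zero count from being an error.
count_indicators() {
    extract_strings "$1" | grep -c -E '6667|45559|bnc\.conf|PRIVMSG|NICK |JOIN #' || true
}

# Count lines in LOGFILE ($1) whose iptables "DPT=" field equals PORT ($2),
# i.e. inbound connection attempts to that port seen by the firewall.
count_port_hits() {
    grep -c -E "DPT=$2( |\$)" "$1" || true
}

# Constructed sample "binary": junk bytes around a few embedded strings.
make_sample_binary() {
    printf '\177ELF\001\002\003\000\000bnc.conf\000\000NICK l4mm0\000\000x\001\002PRIVMSG #chan\000\000port 6667\000ab\000cd\000' > "$1"
}

# Constructed sample firewall log in iptables LOG format (addresses are
# documentation ranges, the lines are invented).
make_sample_log() {
    cat > "$1" <<'EOF'
Jun 21 03:12:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40211 DPT=45559 SYN
Jun 21 03:12:45 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40212 DPT=22 SYN
Jun 21 03:13:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=45559 SYN
EOF
}

# Stand-alone demonstration on the constructed samples.
demo() {
    dir=$(mktemp -d)
    make_sample_binary "$dir/maniac3"
    make_sample_log "$dir/fw.log"
    echo "strings found in maniac3:"
    extract_strings "$dir/maniac3"
    echo "indicator hits: $(count_indicators "$dir/maniac3")"
    echo "firewall hits on port 45559: $(count_port_hits "$dir/fw.log" 45559)"
    rm -rf "$dir"
}

demo
```

Run it against a copy of the suspect file taken from the box rather than on the box itself: when a kernel module rootkit such as the adore.o mentioned in the thread is loaded, lsmod, ps and even the file listing can lie, so the trustworthy view is the one taken from known-good media. The firewall-side count is the part that survives a compromised host entirely, which is why the port is worth adding to the log watch.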