Re: another rootkit - one more file

[Alvin Oga <alvin.sec () Mail Linux-Consulting com>]

hi  ya

for those of you looking at this stuff,...

i missed one file ....  that tripwire found ...that i skipped over

-rwxr-xr-x   1 root     root        14443 May 31 09:54 /usr/lib/pt07*

thanx
alvin
http://www.Linux-Sec.net 


> On Sat, 2 Jun 2001, Michal Zalewski wrote:
>
> > On Fri, 1 Jun 2001, Alvin Oga wrote:
> >
> > > just was curious why i couldnt find any references on any of the
> > > "unique" keywords ( maniac-Rk, grabb, ipz.gz ...
> >
> > I haven't seen it anywhere else, but it seems to be built using
> > publicly available, common stuff...
> >
> > > -rwxr-xr-x   1 root     root         5043 Mar 23 07:18 addlen*
> >
> > This is a program to pad replaced file with zeros to match its original
> > size.
> >
> > > -rw-r--r--   1 root     root         5744 May 31 10:10 adore.o
> > > -rwxr-xr-x   1 root     root        14248 May 31 10:10 ava*
> >
> > That is pretty popular kernel-level backdoor, designed by stealth (to
> > parts, kernel-space and user-space).
> >
> > > -rwxr-xr-x   1 root     root         1080 Mar 23 07:48 clear_logs*
> >
> > Hard to identify - pretty small, probably invokes vanish2 (is it a shell
> > script?).
> >
> > > -rwxr-xr-x   1 root     root         7985 Mar 23 07:38 fix*
> >
> > This one is used to fix checksums of files (not md5 digests ;).
> >
> > > -rwxr-xr-x   1 root     root        10171 May  4 12:39 grabbb.gz*
> >
> > That would be a banner scanner, publicly available.
> >
> > > -rwxr-xr-x   1 root     root         5220 Jun  1 18:53 install.sh*
> >
> > ...and this script would invoke 'addlen' and 'fix' ;)
> >
> > > -rwxr-xr-x   1 root     root         4734 May  8 10:04 ipz.gz*
> >
> > /* members.xoom.com/i0wnu
> >  * IPZ by Mixter (c) 1999
> >  * Generates IP Addresses for Class A/B/C SubNets
> >  * in non-sequential order (for unnoticed scanning). */
> >
> > > -rwxr-xr-x   1 root     root        10496 Mar 23 07:48 pine.out*
> >
> > (unidentified, probably worth a look)
> >
> > > -rwxr-xr-x   1 root     root         9070 May  4 11:55 slice*
> >
> > This seems to be one of DDoS attack proggies.
> >
> > > -rwxr-xr-x   1 root     root        15335 May 31 09:58 ping*
> >
> > Well, that would be standard ping utility, I presume, carried for some
> > reason.
> >
> > > -rw-r--r--   1 root     root        19700 Jun  1 18:03 snifflog
> > > ---s--s--x   1 root     root        11869 Apr  4 19:10 sush*
> >
> > This one is pretty interesting. I know only a few exploits that use this
> > name:
> >
> >   - suidperl
> >   - old crontab exploit
> >   - Linux 2.2 capabilities exploit
> >
> > But last two uses /tmp, not current directory, for creating 'sush'.
> >
> > > -rwxr-xr-x   1 root     root        12405 May 31 09:38 vanish2.gz*
> >
> > And that would be another log cleaner.
> >
> > > -rwxr-xr-x   1 root     root        58068 May 19 06:58 wget.gz*
> > > -rwxr-xr-x   1 root     root        20445 Apr  2 12:24 bnc.gz*
> > > -rwxr-xr-x   1 root     root        14319 May 31 10:05 tty*
> >
> > These proggies seems to be not harmful.
> >
> > -- 
> > _____________________________________________________
> > Michal Zalewski [lcamtuf () bos bindview com] [security]
> > [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
> > =-=> Did you know that clones never use mirrors? <=-=