Re: another rootkit - one more file (fwd)

[Alvin Oga <alvin.sec () Mail Linux-Consulting com>]

HI Michal

thanx for posting your detailed comments...

i don't recall if i posted a reply to you or to the list or not..

- am adding that this rootkit worked on my "patched" slackware-7.0 system
        - i think the exploited the wu-ftpd-2.6.0 bugs ??/
        ( since i have ftp logins from  200.248.162.140 around June 01
        ( 04:40am and been playign for a few hours as seen on the time
        ( stamps on the rootkit directories

        - ie... the slackware-7.0 patches is NOT sufficient to fix the
        exploits... ( either wu-ftpd or bind-8.2.2 which i patched again  
        after the attack... i am hoping they come back and "test it"
        again..

thanx michal and others that have sent info/comments

the maniac-rk (?) tarball is at
        http://Lsec.Linux-Consulting.com/Hacker_Tools_Found/
        - look for hacker_Jun.01.*

thanx
alvin

On Mon, 4 Jun 2001, Michal Zalewski wrote:

> Alvin told me it might be good to forward it to INCIDENTS. There are my
> comments on the binaries of this rootkit I got from him - you might want
> to check if you have one already ;-):
>
> - The rootkit itself is called 'ManiaC r00tkit' (how pathetic). We
>   were not able to find it anywhere on the net (searching for filenames
>   and such), so I presume it is pretty new,
>
> - It consists of a sniffer, few trivial backdoors, DoS tools, bnc
>   IRC bouncer, setuid shell and so on. It uses Ava/Adore kernel module to
>   hide itself, and replaces few binaries, modifies one rc script - it
>   is not too advanced,
>
> - Rootkit installation script:
>
>   echo "Copiando os arquivos necess.rios."
>
>   This sounds like Portuguese or so, which probably tells us about
>   its origins.
>
> - It removes few patterns from logfiles. That would be: 200.195.86.*,
>   200.248.162.*, 200.195.121.*, 200.243.17.*, netdados.com.br,
>   usinet.com.br - I presume these are networks attacker used for
>   defacements (how smart to put them in the script in this form!),
>
> - It sends information about machine to tuiqoitu039t09q3 () bigfoot com,
>   bnadfjg9023 () hotmail com, t391u9t0qit () end-war com, mki62969o () yahoo com.
>   One of these mailboxes is still working (bigfoot.com, others are
>   provided as a decay or so),
>
> - pt07 and mailrc binaries are backdoors. Listening on 56789/tcp, with
>   password "include.h", it hides under the name of "klogd":
>
>   Trying 0.0.0.0...
>   Connected to 0.
>   Escape character is '^]'.
>   include.h
>
>   Bem Vindo MaNiAc 31337 a sua makina!
>   Voce Tem o controle! =)
>
>   bash: no job control in this shell
>   bash-2.01#
>
>   Once again, I haven't seen any mention of this backdoor port anywhere.
>
> Hope that helps,
> -- 
> _____________________________________________________
> Michal Zalewski [lcamtuf () bos bindview com] [security]
> [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
> =-=> Did you know that clones never use mirrors? <=-=