Security Incidents mailing list archives
Re: another rootkit - one more file (fwd)
From: Alvin Oga <alvin.sec () Mail Linux-Consulting com>
Date: Mon, 4 Jun 2001 13:30:17 -0700 (PDT)
HI Michal

thanx for posting your detailed comments... i don't recall if i posted a reply to you or to the list or not..

- am adding that this rootkit worked on my "patched" slackware-7.0 system
- i think they exploited the wu-ftpd-2.6.0 bugs ?? since i have ftp logins from 200.248.162.140 around June 01 04:40am and been playing for a few hours as seen on the time stamps on the rootkit directories
- ie... the slackware-7.0 patches are NOT sufficient to fix the exploits... either wu-ftpd or bind-8.2.2 which i patched again after the attack... i am hoping they come back and "test it" again..

thanx michal and others that have sent info/comments

the maniac-rk (?) tarball is at http://Lsec.Linux-Consulting.com/Hacker_Tools_Found/ - look for hacker_Jun.01.*

thanx
alvin

On Mon, 4 Jun 2001, Michal Zalewski wrote:
Alvin told me it might be good to forward it to INCIDENTS. Here are my comments on the binaries of this rootkit I got from him - you might want to check if you have one already ;-):

- The rootkit itself is called 'ManiaC r00tkit' (how pathetic). We were not able to find it anywhere on the net (searching for filenames and such), so I presume it is pretty new,

- It consists of a sniffer, a few trivial backdoors, DoS tools, bnc IRC bouncer, setuid shell and so on. It uses Ava/Adore kernel module to hide itself, and replaces a few binaries, modifies one rc script - it is not too advanced,

- Rootkit installation script:

    echo "Copiando os arquivos necess.rios."

  This sounds like Portuguese or so, which probably tells us about its origins.

- It removes a few patterns from logfiles. That would be:

    200.195.86.*, 200.248.162.*, 200.195.121.*, 200.243.17.*, netdados.com.br, usinet.com.br

  I presume these are networks the attacker used for defacements (how smart to put them in the script in this form!),

- It sends information about the machine to tuiqoitu039t09q3 () bigfoot com, bnadfjg9023 () hotmail com, t391u9t0qit () end-war com, mki62969o () yahoo com. One of these mailboxes is still working (bigfoot.com, others are provided as a decoy or so),

- pt07 and mailrc binaries are backdoors. Listening on 56789/tcp, with password "include.h", it hides under the name of "klogd":

    Trying 0.0.0.0...
    Connected to 0.
    Escape character is '^]'.
    include.h
    Bem Vindo MaNiAc 31337 a sua makina! Voce Tem o controle! =)
    bash: no job control in this shell
    bash-2.01#

  Once again, I haven't seen any mention of this backdoor port anywhere.

Hope that helps,

-- 
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-=
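The two concrete indicators in Michal's analysis (the log patterns the installer deletes, and a "klogd" that listens on 56789/tcp) can be turned into a small triage check. The script below is an added example, not code from the post and not part of the rootkit; the xferlog and netstat lines it scans are constructed samples, and it assumes the Linux `netstat -tlnp` column layout. Because the installer removes the patterns from the local logs, the log check is only meaningful against a copy held off the host (remote syslog, backup): a hit there that has no counterpart on the compromised box is itself evidence of scrubbing.

```python
import re

# Indicators quoted from the post: the patterns the installer strips from
# logfiles, the backdoor's listening port, and the name it hides under.
SCRUBBED_PATTERNS = [
    "200.195.86.*", "200.248.162.*", "200.195.121.*", "200.243.17.*",
    "netdados.com.br", "usinet.com.br",
]
BACKDOOR_PORT = 56789
BACKDOOR_PROCESS_NAME = "klogd"


def pattern_to_regex(pattern):
    """Turn one installer pattern into a regex: '200.195.86.*' matches any host
    in that /24, a bare domain matches itself and any subdomain of it."""
    if pattern.endswith(".*"):
        prefix = re.escape(pattern[:-2])
        return re.compile(r"(?<![\d.])" + prefix + r"\.\d{1,3}(?![\d.])")
    return re.compile(r"(?<![\w-])" + re.escape(pattern) + r"(?![\w-])")


INDICATOR_REGEXES = [(p, pattern_to_regex(p)) for p in SCRUBBED_PATTERNS]


def find_scrubbed_indicators(log_lines):
    """Return (line_number, pattern, line) for each log line carrying one of
    the patterns the installer deletes. Run it on an off-host copy of the log;
    lines found there but missing locally point at log scrubbing."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for pattern, rx in INDICATOR_REGEXES:
            if rx.search(line):
                hits.append((n, pattern, line))
                break
    return hits


def find_backdoor_listeners(netstat_lines):
    """Parse 'netstat -tlnp'-style lines (assumed layout) and flag a TCP
    listener on the backdoor port, or any listener owned by a process that
    calls itself klogd: the real klogd reads the kernel log and never binds
    a TCP socket."""
    findings = []
    for line in netstat_lines:
        fields = line.split()
        if len(fields) < 7 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue
        local, owner = fields[3], fields[6]
        port = int(local.rsplit(":", 1)[1])
        program = owner.split("/", 1)[1] if "/" in owner else "?"
        if port == BACKDOOR_PORT:
            findings.append(f"listener on {port}/tcp owned by '{program}' (ManiaC backdoor port)")
        elif program == BACKDOOR_PROCESS_NAME:
            findings.append(f"'{program}' holds a TCP listener on port {port}; klogd never listens")
    return findings


# Constructed sample data in wu-ftpd xferlog style; not real logs from the incident.
SAMPLE_XFERLOG = [
    "Fri Jun  1 04:40:12 2001 3 200.248.162.140 1234 /incoming/x.tgz b _ i a anon@ ftp 0 * c",
    "Fri Jun  1 04:41:03 2001 1 10.0.0.7 88 /pub/README a _ o r alice ftp 0 * c",
    "Fri Jun  1 05:02:44 2001 2 proxy.netdados.com.br 512 /incoming/y.tgz b _ i a anon@ ftp 0 * c",
]
# Constructed netstat output: sshd is fine, the two 'klogd' entries are not.
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name",
    "tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 301/sshd",
    "tcp        0      0 0.0.0.0:56789   0.0.0.0:*       LISTEN 412/klogd",
    "tcp        0      0 0.0.0.0:4000    0.0.0.0:*       LISTEN 413/klogd",
]

if __name__ == "__main__":
    for n, pattern, line in find_scrubbed_indicators(SAMPLE_XFERLOG):
        print(f"line {n}: matches scrubbed pattern {pattern}: {line}")
    for finding in find_backdoor_listeners(SAMPLE_NETSTAT):
        print("ALERT:", finding)
```

The listener check deliberately flags on the process name as well as the port: the port can be changed by rebuilding the binary, but a "klogd" holding any TCP socket is wrong whatever the port, and on a box with the Adore module loaded the netstat/ps output itself may be filtered, so a clean result from the host's own tools is not proof of absence.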
Current thread:
- Re: another rootkit - one more file (fwd) Michal Zalewski (Jun 04)
- RE: another rootkit - one more file (fwd) Fernando Cardoso (Jun 04)
- Re: another rootkit - one more file (fwd) John Oliver (Jun 04)
- Re: another rootkit - one more file (fwd) Alvin Oga (Jun 05)
- Re: another rootkit - one more file (fwd) root (Jun 05)
- RE: another rootkit - one more file (fwd) Fernando Cardoso (Jun 04)