Security Incidents mailing list archives

Re: Linux box 'infected' with RK15


From: Sean Kelly <lists () SHORTESTPATH ORG>
Date: Thu, 22 Mar 2001 16:46:26 +0000

Hello again,

        Thanks to all those who replied.  The original hard drive and a
dd'ed copy of it are sitting on my desk at home and I hope to put some
more investigation into the case this weekend.

        Just a few replies to questions already posted:

ToMiller () USAID GOV asked about how the intruder got in.  The rootkit
install script deleted /var/log/messages, but the machine was running
exploitable versions of wu-ftpd, sendmail and NFS (my colleague wasn't
very good - perhaps that's why I got the job :).  No named was running.  I
shall look through the other logfiles and see if anything more arises.

HallihanPT () navair navy mil asked whether port 123 was the unrecognised
open port.  It wasn't port 123 - it was a port that doesn't match anything
in /etc/services, or for that fact, anything I think I've met before.

dayioglu () metu edu tr asked about obtaining a disk image.  I'd have to ask
my superiors about that one...

        And now a few extra points I've remembered from my initial look.

(1) The rootkit installed an ssh binary (I should have mentioned this
earlier, sorry ;).  I have a strong feeling that this service running on a
non-standard port is something to do with this.

(2) As a new version of ifconfig was installed by the rootkit, I assume
the NIC was set to promisc mode, and was trying to sniff passwords.

(3) An IRC bot was installed.  I have the config file so I know which IRC
servers and channels it was set up to use.

(4) The host that uploaded the rootkit was located in .ro.

        That's it for now.  As I said, I'll look into it more this weekend
if work is not too busy.

        Thanks for all the help so far,

--
Sean Kelly <lists () shortestpath org>
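Two of the observations above (a listening port matching nothing in /etc/services, and a replaced ifconfig that may be hiding a promiscuous NIC) can be checked from text copied off the dd image rather than by trusting the compromised host's own binaries. The following is an added example, not part of Sean's post or anything he posted; the file formats are standard /etc/services, netstat-style output and the hex flags file under /sys/class/net, and all sample data is constructed (the real unrecognised port is not given in the thread).

```python
"""Offline triage over text dumps taken from the imaged disk (constructed data)."""
import re

IFF_PROMISC = 0x100  # kernel flag bit; /sys/class/net/<if>/flags is hex

# Constructed excerpt of /etc/services from the image
SERVICES = """# service   port/proto
ftp     21/tcp
ssh     22/tcp
smtp    25/tcp
ntp     123/udp
"""
# Constructed netstat -an style listing; 61234 is a placeholder, not the real port
NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:61234           0.0.0.0:*               LISTEN
"""
# Constructed {ifname: contents of /sys/class/net/<ifname>/flags}
SYS_FLAGS = {"lo": "0x9", "eth0": "0x1103"}  # 0x1103 = UP|BROADCAST|MULTICAST|PROMISC

def parse_services(text):
    """Map (port, proto) -> service name from /etc/services-style text."""
    known = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        known[(int(port), proto)] = parts[0]
    return known

def unknown_listeners(netstat_text, known):
    """Return (proto, port) for LISTEN sockets absent from the services table."""
    pat = re.compile(r"(tcp|udp)\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")
    found = []
    for line in netstat_text.splitlines():
        m = pat.match(line)
        if m and (int(m.group(2)), m.group(1)) not in known:
            found.append((m.group(1), int(m.group(2))))
    return found

def promisc_interfaces(sys_flags):
    """Interfaces whose kernel flags carry IFF_PROMISC, independent of ifconfig."""
    return sorted(n for n, v in sys_flags.items() if int(v, 16) & IFF_PROMISC)

if __name__ == "__main__":
    print("unknown listeners:", unknown_listeners(NETSTAT, parse_services(SERVICES)))
    print("promiscuous NICs:", promisc_interfaces(SYS_FLAGS))
```

Reading the flags file directly sidesteps a trojaned ifconfig, which is exactly why rootkits of this era replaced it; on a live system the same check is `cat /sys/class/net/eth0/flags` from a trusted shell.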

