Re: nasty tripwire report

[Patrick <p-diddy () wolverinefreight ca>]

Running strings on the compromised binaries will often give you a hint 
to the rootkit which they came from.

You may find the author's handle or some other interesting piece of info 
out, and combined with the list of replaced binaries, should be able to 
fingerprint the rootkit, and hopefully the point of entry.

Gideon Lenkey wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Chester,
>
> On Sun, 13 Jan 2002, Chester Jankowski wrote:
>
> /* It looks like someone wasn't watching their Saturday morning cartoons
> /* yesterday and decided to crack my home Linux box instead. I have included
> /* the juicy bits from the tripwire report below. Now I have several questions
> /* for the security experts here. Is this attack a recognized one?
>
> This really isn't an 'attack' per se, but it looks like a root kit. It
> would appear to be a combination of a library and trojan kit. I don't
> immediately recognize it, but hopefully someone else on the list will.
>
> /* Any suggestions for log analysis to track down the intruder?
>
> If you have any network traces you could probably see where he came from
> and the type of exploit he used to get into your system.  It will most
> likely just be another compromised host, the owner of which you could
> contact as a good neighbor.  You can also grep through your messages log
> file as well as your sendmail log file.  Often times you can see the
> connection from the exploit he used and sometimes an automated exploit
> tool sends an email out after it gains control of your system.
>
> Another option is to set up a sniffer between it and the Internetl on
> your network and wait for him to return (DANDER! DANGER! DANGER! Will
> Robinson). As he changed your sshd though, I suspect he'll come in via
> that route so you won't see the commands he types, but you'll see where
> he connects from.  If do this, be VERY careful to watch outgoing traffic,
> or he may attack someone else from your machine. Be prepared to cut him
> off immediately. If he sees you watching, he may try to damage your
> system to make forensic analysis more difficult.
>
> For a great treatment on how to automate this traffic 'cut-off' on a
> Linux box using IPTables, see:
>
>         http://project.honeynet.org/papers/honeynet/rc.firewall
>
> /* Is the only recovery here a complete re-install?
>
> It's definitely the safest! However, your tripwire looks like it's set up
> pretty good, so you could just restore the files that have changed and
> removed the directories and files that have been added.  You'll want to
> check their checksums again.  I would also move a trusted, statically
> linked copy of lsof onto the system afterwards and carefully examine all
> processes and listening ports.
>
> /* And lastly, is there any place I should report the incident?
>
> If you feel inclined, you should report this to CERT.
>
>         http://www.cert.org/reporting/incident_form.txt
>
>
> - --Gideon
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.5 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE8Qw27H1ef35JVa+wRArOYAJ9ZyyWCVtLivY5L9Ce6J+CiluimSgCgqb4b
> UldbbX7f3uHaQicZ9Ltn3bM=
> =pX7v
> -----END PGP SIGNATURE-----
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com