Security Incidents mailing list archives
Re: RPC EXPLOIT statdx
From: "Brian" <brea () physiometrics SPAM ONLY HELPS A BUSINESS FAIL net>
Date: Wed, 23 Jan 2002 12:40:21 -0500
i'm seeing more port 111 hits lately, too. cn.net, snet.net, elim.net... that last one's mexico. i think i also had a dialogue with some isp in italy about rpc probes, too. yes, i'm certainly seeing more... more FTP than usual, too, frankly. my main surprise was a HUGE burst of Nimda and other port 80 nonsense yesterday and today. Brian Rea Senior Network Engineer PhysioMetrics ----- Original Message ----- From: John Stauffacher <stauffacher () chapman edu> To: <incidents () securityfocus com> Sent: Tuesday, January 22, 2002 21:05 Subject: RPC EXPLOIT statdx
In the past few days my firewall has picked up a surge of rpc related exploits (statdx) coming from the UK and various other off-shore sites. Anyone else see any strange rpc related activity, or am I just suddenly the target of pissed off script kiddies. ++ John Stauffacher Network Administrator Chapman University stauffacher () chapman edu 714-628-7249 -----Original Message----- From: Vladimir Ivaschenko [mailto:hazard () francoudi com] Sent: Tuesday, January 22, 2002 1:43 PM To: incidents () securityfocus com Subject: optic rootkit (was Re: xsf/xchk) By using "strings" I have found that changed binaries to point to files inside /dev/tux directory. Judging by /dev/tux/ssh2/logo, the name of the rootkit is "Optic Kit". I couldn't find anything about it using Google. If somebody is interested, I can share needed information and the rootkit itself. I have made a copy of the rookit-related files that I found. wtmp was removed, and /var/log/messages was cleaned to remove references about attacker - e.g. FTP "connection opened" messages. We are going to reinstall the system, so please email me ASAP if you're interested to know any additional details. Vladimir Ivaschenko wrote about "xsf/xchk":Hi, Today a RedHat 7.1 Linux machine of my friend was compromised. I have just started investigating, so I don't have any information of how it was done. After attack login via console stopped working. I have found the following files in /usr/bin: xchk and xsf. They are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon sitting on port 14859. I don't know what is the purpose of xchk. killall and ps were also replaced by programs which hide xsf and xchk. Does anyone saw something similar before and can point me to some information? I tried searching for xsf / xchk in Google and didn't have any results. -- Best Regards Vladimir Ivaschenko Certified Linux Engineer (RHCE)-- Best Regards Vladimir Ivaschenko Certified Linux Engineer (RHCE) ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- xsf/xchk Vladimir Ivaschenko (Jan 22)
- optic rootkit (was Re: xsf/xchk) Vladimir Ivaschenko (Jan 22)
- RPC EXPLOIT statdx John Stauffacher (Jan 23)
- Re: RPC EXPLOIT statdx Brian (Jan 23)
- RPC EXPLOIT statdx John Stauffacher (Jan 23)
- optic rootkit (was Re: xsf/xchk) Vladimir Ivaschenko (Jan 22)