Re: Anyone know this rootkit (rootkits?) (details and files attached)

[steveg <steveg () stevegcentral com>]

This looks like a mix of a few different kits.
The binary seem to match the BeastKit but the sauber script (called
cleaner here) came from the t0rn kit.

Basicaly I think it's a mix of a few very common kits rolled up into one.
There might be some new "features" to this one.


On 27 Jul 2002, Steve Bougerolle wrote:

> Ok I went in to clean this up today and managed to save some files.  The
> extent of one rootkit is pretty clear but there are still some leftover
> files that I don't know about. I rebuilt the whole server, not trusting
> the old system at all.  Interestingly, even though I didn't touch the
> original (corrupted) partition, when I mounted it from the new system to
> extract a couple of the rootkit dirs, some files had disappeared.  The
> entire directory /dev/\ \ \  was gone.  I'm not sure if this is because
> I remounted it with nodev, nosuid and noexec (seems unlikely) or if this
> is explained by some mysterious hanging it used to engage in when shut
> down the "usual" way (ie, it was cleaning up after itself every time it
> shut down).
>
>
> That particular rootkit seems to have been saved (in original form) in
> /tmp as cashu.tgz, as near as I can tell, so I've re-compressed &
> attached that.  It set up compromised versions of ps, ls, netstat, lpd,
> ifconfig, find, top, lsof, slocate, dir, md5sump pstree, sshd, ftpd  and
> ipop3d, doing some clever stuff with checksums and what not (which makes
> me wonder if the gross ease of finding these files means there's another
> hidden part somewhere that I never did find).
>
> It created a fake library called /lib/lidps1.so and installed a
> subverted libproc.so as well.  It also created a user tty1, whose home
> directory contains another rootkit that points to a directory /dev/.id.
> The executables mentioned there seem to reappear in another directory
> /dev/.so
>
> All that is pretty clear.  However, there are still a few other
> suspicious files around, and if they're connected I haven't found the
> connection yet.  /etc/passwd had some more mysterious users added from
> somewhere - cgi, r00t, cisco and liloboot (the root userid was weirdly
> corrupted as well) - I've attached the suspicious parts of this file. In
> /usr/sbin there are a couple binaries which had been set immutable:
> pidof and xntp3.  Hooks for the latter had been added twice to the end
> of rc.sysinit, sandwiching the sshd hook.
>
> This server was sitting behind a firewall, and supposedly all ports were
> blocked except for http, which is routed to it via NAT.  Thus, unless
> our local ISP is lying (which is quite possible) I'm guessing it came by
> an Apache exploit.
>
> Can anyone ID it?  I've searched for the most obvious text strings
> already and not turned up anything which rang a bell.
>
> Files:
>
> http://www.creek-and-cowley.com/cashu.tar.bz2
> http://www.creek-and-cowley.com/suspicious_files.tar.bz2
>
> --
> Steve Bougerolle
> Creek & Cowley Consulting
>
> http://www.creek-and-cowley.com
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com