Re: Possible break in

[Alexandros Kyriakides <alex1 () MIT EDU>]

I had ran strings on it too, and tried to find some of the strings on
Google, but no luck. I actually searched for some of the following:

Folosire:
%s <uivfp> [args]
u       - Uninstall
i       - Pid invizibil
v       - Pid vizibil
f [0/1] - Fisiere ascunse
p [0/1] - Piduri ascunse
Nu am reusit sa il dezinstalez (%d)
Nu am reusit sa ascund pidul %d (%d)
Nu am reusit sa arat pidul %d (%d)
Failed to change %s hiding (%d)!
Versiune: %s

But I didn't find anything useful. I guess I should have searched for some
of the other strings as well.


I'm reading up on the suckit rootkit now. I added a new hard disk on the
compromised host, and installed RH9 on it so that I can investigate the
files on the old compromised disk. Hopefully the logs will shed some light
on how the intruder got in.

Thank you very much for your help.

alex.



On Mon, 22 Mar 2004, ben wrote:

> Just ran strings against the two files.  dbproc looks like a version of
> the suckit rootkit, gnorp didn't look familar to me.  I'd check the
> timestamps on the two files and do a find on your system for files that
> have been written to your filesystem since that date.  then look closer
> at any said files, and logs generated durring that  time.
>
> -Ben
> On Mar 22, 2004, at 10:31 AM, Alexandros Kyriakides wrote:
>
> > I am wondering if anyone can give me some help with this incident. The
> > only related thing I found on-line was this:
> >
> > http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html
> >
> >
> >
> > The box I have is running linux mandrake 8.0. What I have found until
> > now
> > is the following:
> >
> >
> > 1) Two new binary files:
> >
> > /usr/bin/dbproc
> > /usr/bin/gnorp
> >
> >
> >
> > 2) Appended at the end of inittab and rc.local:
> >
> > inittab:
> > a:2345:once:/usr/bin/dbproc
> > a:2345:once:/bin/end
> >
> > rc.local:
> > #Starting gnorp
> > /usr/bin/gnorp
> > #The End
> > /bin/end
> >
> >
> > 3) lsattr gives:
> >
> > suS-iadAcj--- /etc/inittab
> > suS-iadAcj--- /etc/rc.local
> >
> >
> >
> >
> > Has anyone seen this before? I am also interested in finding out how
> > this
> > happened, if possible. Any help is greatly appreciated.
> >
> >
> > The two binary files can be found at:
> >
> > http://web.mit.edu/alex1/www/binaries/
> >
> >
> > -----------------------------------------------------------------------
> > ----
> > Free 30-day trial: firewall with virus/spam protection, URL filtering,
> > VPN,
> > wireless security
> >
> > Protect your network against hackers, viruses, spam and other risks
> > with Astaro
> > Security Linux, the comprehensive security solution that combines six
> > applications in one software solution for ease of use and lower total
> > cost of
> > ownership.
> >
> > Download your free trial at
> > http://www.securityfocus.com/sponsor/Astaro_incidents_040301
> > -----------------------------------------------------------------------
> > -----

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at 
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------