nanog mailing list archives

Re: Exodus: this is bad


From: "Alex P. Rudnev" <alex () Relcom EU net>
Date: Tue, 17 Nov 1998 22:24:41 +0300 (MSK)

And one more thing. I am not a Linux specialist, but I see a serious 
problem because these compromised servers are usually trojaned by the 
'Linux Root Kit', hiding all the hacker's activity. If anyone has some tools 
to detect this rootkit (it includes more than 200 files changed in the 
system), point them out, please - all my attempts to contact RedHat and other 
Linux developers came to nothing.

The excellent (-:)) set of exploits and trojans is stored at 
ftp://ftp.technotronic.com/ (this is the place where Russian hackers first 
got these toolkits from), but I saw some self-changed toolkits from 
other places.

The only advice I can provide: first, compare MD5 checksums if you can. 
If you cannot, run

 find /dev -type f -print

and

 ls -ld /dev

and, if you see some FILES like 'ptyp' or 'fmpd1' or a directory '...', it's 
no doubt the traces of the hacker (if not, this means NOTHING - anyone 
can use another configuration).

I did not see real usage of these mountd exploits, but they do exist. 
What I have seen was:
 imapd, qpopper exploits to get root access without a user account;
 lprm, ufsrestore (not in Linux), X11 exploits to get root access from 
the user's account.

But... if you do not have these exploits, this means nothing.


On Tue, 17 Nov 1998, Michael Freeman wrote:

Date: Tue, 17 Nov 1998 12:26:42 +0000 (Local time zone must be set--see zic manual page)
From: Michael Freeman <mikef () boris talentsoft com>
To: "William S. Duncanson" <caesar () starkreality com>
Cc: Adam Rothschild <asr () millburn net>,
    "Edward S. Marshall" <emarshal () logic net>,
    Richard Irving <rirving () onecall net>, nanog () merit edu
Subject: Re: Exodus: this is bad

You guys might be overlooking a very major security hole with linux,
besides bind. Rpc.Mountd. If you haven't patched yet, do so now, because
exploits have been publicly available for a while now and this is a
remote attack that will compromise root. The easiest thing to do if you
don't have time to sit and upgrade every linux box on your network with
the latest rpc.mountd, or kill it off, or whatever you plan on doing,
might be to just go on your router and put up an access-list denying all
inbound connections on port 111 (the rpc portmapper). Even though it's
pretty trivial to guess what port rpc.mountd is on (2049) instead of using
the portmapper, the exploits aren't configured to do so (at least not to
my knowledge). And if you're still worried you could firewall both 111 and
2049. Well good luck. 8)

On Mon, 16 Nov 1998, William S. Duncanson wrote:

I think he meant the compromised hosts, or the hosts that the attacks were
coming from, were all RH 5.1 with an old rev of BIND.  My 3.0-current box
with 8.1.2 handled it fine, as well.

At 22:30 11/16/98 -0500, Adam Rothschild wrote:
On Mon, 16 Nov 1998, Edward S. Marshall wrote:

The attacked hosts have all exhibited the same characteristics: stock Red
Hat 5.1 install, running (probably) the stock named that came with it,

Not entirely true.  I watched a FreeBSD 2.2.x/BIND 8.1.2 box get tickled
harmlessly...

Go to bed, portscanning twit kiddies.  It's late now, and Teletubbies ain't
on. 8-)




William S. Duncanson                      caesar () starkreality com
The driving force behind the NC is the belief that the companies who brought us
things like Unix, relational databases, and Windows can make an appliance that
is inexpensive and easy to use if they choose to do that.  -- Scott Adams 




Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
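The /dev inspection and MD5 comparison Alex Rudnev suggests at the top of this message, written out as a small POSIX sh script. This is an added example, not code from any NANOG poster; it assumes a baseline manifest produced on a known-clean host with `md5sum <paths> > baseline.md5`, and that md5sum itself is run from trusted read-only media, since a rootkit that swaps 200+ files may have swapped md5sum as well.

```sh
#!/bin/sh
# Added example, not code from the original message. It implements
# the two checks Alex suggests: regular files (and dot-named
# directories) under /dev, plus an MD5 comparison against a baseline.
# Assumption: the baseline is a manifest made on a known-clean host:
#   md5sum /bin/ls /bin/ps /bin/netstat ... > baseline.md5
# Run md5sum itself from trusted read-only media where possible; a
# rootkit that swaps 200+ files may well have swapped md5sum too.

# A device tree holds device nodes, symlinks and directories; any
# regular file ('ptyp', 'fmpd1', ...) is worth a close look.
find_regular_files_in_dev() {
    find "${1:-/dev}" -type f -print
}

# Dot-named directories (such as '...') do not show in a plain `ls`
# and are a classic hiding place for tools and logs.
find_dot_dirs_in_dev() {
    find "${1:-/dev}" -type d -name '.*' -print
}

# Print each manifest entry whose current MD5 differs; empty output
# means every listed file verified.
verify_baseline() {
    md5sum -c "$1" 2>/dev/null | grep -v ': OK$' || true
}

# Collect all findings; exit status 1 if anything was flagged.
# As Alex notes, a clean result proves nothing on its own.
run_checks() {
    dev_dir="$1"; baseline="$2"
    findings=$(
        find_regular_files_in_dev "$dev_dir" | sed 's/^/regular file: /'
        find_dot_dirs_in_dev "$dev_dir" | sed 's/^/dot-named dir: /'
        [ -z "$baseline" ] || verify_baseline "$baseline" | sed 's/^/md5 mismatch: /'
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh devcheck.sh --run [/dev] [baseline.md5]
if [ "${1:-}" = "--run" ]; then
    run_checks "${2:-/dev}" "${3:-}"
fi
```

The `ls -ld /dev` step from the message is still worth doing by hand: unexpected permissions or a fresh mtime on the directory itself are a separate signal these functions do not cover.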