Re: No Security is Bad Security:

From: ecx (ecxat_private)
Date: Thu Feb 04 1999 - 09:11:05 PST


    On Tue, 2 Feb 1999, John "E.R." Jasen wrote:
    
    > I immediately logged into the offending machine, and investigated what
    > evidence the cracker had left behind. The first thing discovered was
    > trojan'ed copies of rshd, telnetd, and ftpd, in a supposedly hidden ...
    > directory. Much to my annoyance, I also found out that /usr/bin/ls was
    > trojan'ed, at least not to list ... and '. ' files. Switching to
    > /usr/ucb/ls, which the cracker missed, a rootkit trojan script was
    > discovered, which replaced several executables in /usr/bin and /usr/sbin.
    > I believe that the network services were manually trojan'ed.
    >
    > The logs looked 'too clean', causing me to suspect that they had been
    > sanitised in some fashion.
    >
    > As an offhand guess, we think that ftpd was compromised, in early January,
    > but lack concrete evidence.
    >
    > My general opinion is that we most likely were dealing with what a friend
    > of mine calls a 'script kiddie.' However, he did a few things that struck
    > me as somewhat abnormal for a standard kiddie [namely the apparent manual
    > replacement of the rshd, et al], and I felt it prudent to continue to the
    > next step: the machine was sentenced to death -- unplugged from the
    > network, backed up, formatted and reinstalled. While we were at it, we
    
    Unfortunately rootkits have progressed to the point where they can be
    installed with makefiles, and other assorted scripts, and are very
    easy to attain.  This brings serious problems to administration, as
    this now allows `script-kiddiez' (e.g. individuals with a low
    level of intelligence that are generally out to own irc atop your
    corporation's T1) to easily modify the underlying operating system to
    their benefit.  This can add to the time it takes for them to be detected,
    and in some cases allow them to penetrate other machines on your network.
    Failed rootkit installations can also render the system useless.
    
    There are a few things that can make it more difficult for an attacker
    to trojan services/binaries on your system, and alert you when they do:
    
    1) Use the chflags/chattr command.  Most of the time, sadly, the people
    using these rootkits are not aware of file flags.
    
    2) Use software such as tripwire, or some other cryptographic file
    scanner.
    
    3) Operating systems such as FreeBSD/OpenBSD come setup with scripts run
    daily to detect file changes in setuid binaries, as well as others that
    may be specified.
    
    4) Don't only check for changes in binaries; often service configuration
    files are modified.
    
    5) Stopping rootkit installation is necessary, discouraging
    attackers, often making them use less hidden points of access, revealing
    themselves.
    
    -------- -------------------------- ---
    ecx        /       ecxat_private
    ---------;
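A small baseline-and-compare script in the spirit of points 2 to 4 above: a cryptographic file scanner that also records permission bits, so a binary that gains setuid, or a service config file that is edited, shows up alongside a replaced executable. This is an added example, not code from the original post or from tripwire; the record layout and the finding labels are my own choices.

```python
"""Minimal tripwire-style baseline/compare for a directory tree (added example).
Records a SHA-256 digest plus permission bits, owner and size for every regular
file, then reports added, removed, modified and newly setuid/setgid entries."""
import hashlib
import os
import stat
from typing import Dict, List, Tuple

Record = Tuple[str, int, int, int]  # (sha256 hex, permission bits, uid, size)
SUID_BITS = stat.S_ISUID | stat.S_ISGID


def fingerprint(path: str) -> Record:
    """Hash the contents and keep the metadata a trojaned binary is likely to disturb."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return (digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_size)


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk `root` (e.g. /usr/bin, /usr/sbin, /etc) and fingerprint every regular
    file; symlinks are skipped so a redirected link cannot hide behind its target."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> List[str]:
    """Return one finding per deviation from the stored baseline."""
    findings: List[str] = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append(f"REMOVED  {path}")
        elif path not in old:
            findings.append(f"ADDED    {path}")
        elif old[path] != new[path]:
            findings.append(f"MODIFIED {path}")
        # A setuid/setgid bit that was not in the baseline gets its own line.
        if path in new and new[path][1] & SUID_BITS:
            if path not in old or not old[path][1] & SUID_BITS:
                findings.append(f"SETUID   {path}")
    return findings
```

Run build_baseline once on a known-clean system and store the result where the machine's own root cannot silently rewrite it (read-only media, or a file pinned with the chflags/chattr flags from point 1), then diff a fresh walk against it from a daily job.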
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:37 PDT