I have had multiple break-ins, somehow, using different versions of RedHat (7.1, 7.3, & 8.0). This started last week on the 7.1 and 7.3 boxes. I have been keeping up on all the latest patches for Apache, Sendmail, SSH, MySQL. So, I noticed the break-ins and noticed a directory called /dev/rd/cdb. In this directory there is a run.tgz and it is expanded into a directory. These are the contents:

    -rwx------ 1 1007 users 449008 Nov 18 13:20 kupdated
    -rwx------ 1 1007 users    942 Jan 19  2000 checkmech
    -rwx------ 1 1007 users  20313 Feb 12  2000 configure
    -rw------- 1 1007 users  17982 Jan 19  2000 COPYING
    -rw-r--r-- 1 1007 users     87 Nov 12 21:39 emech.users
    -rw------- 1 1007 users   2147 Feb 12  2000 Makefile
    -rw------- 1 1007 users  22935 Feb 16  2000 mech.help
    -rw-r--r-- 1 1007 users   1011 Nov 18 14:00 mech.levels
    -rw------- 1 root root 144456 Nov 18 13:23 mech.pid
    -rw-r--r-- 1 root root    416 Nov 18 14:00 mech.session
    -rw-r--r-- 1 1007 users   4202 Nov 12 21:39 mech.set
    drwx------ 2 1007 users   4096 Feb 16  2000 randfiles
    -rw------- 1 1007 users   2300 Jun  4  2000 README
    -rwx------ 1 1007 users 455957 Nov 18 14:03 send
    drwx------ 2 1007 users   4096 Feb 23  2003 src
    -rw------- 1 1007 users   2007 Feb  5  2000 TODO
    -rw------- 1 1007 users  25043 Jun  4  2000 VERSIONS

The README file starts off like this:

    +--+-------------------------------+--+
    |**| StarGlider Class EnergyMech   |**|
    +--+-------------------------------+--+

    Compiling?
    ~~~~~~~~~~

    To compile the source:

    1) Uncompress the source code distribution archive.
    2) cd emech-2.7.6.1
       -- Since you are reading this file, you have most likely already come to this point.
    3) ./configure
       -- This script will prompt you for features to include or exclude, going with the default isnt a bad idea.
    4) make clean install

    If all went well you should now have an executable called ``mech''.

<end of snippet>

Running a trusted version of netstat (netstat -nap), I noticed kupdated is talking to another server on port 6667. It looked something like this:

    tcp 0 0 compromised server:35501 other_server:6667 TIME_WAIT [kupdated]

So, I have reinstalled all operating systems to Redhat 8.0, made sure there are no bogus entries in the /etc/passwd file, and updated to all the latest greatest versions of everything out there (Apache, MySQL, Sendmail, openssl, mod_ssl, and openSSH). The problem is, after all of this reinstalling and making sure everything is clean, I am right back at square one today. The same problems and the same issues. Has anyone out there heard of this or is anyone else out there experiencing similar problems? Any advice would be greatly appreciated. Thanks, A.J.
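The two indicators A.J. describes (a directory of regular files and tarballs hidden under /dev, and a process borrowing a kernel-thread name while holding an outbound IRC connection on port 6667) are both cheap to check for on a rebuilt box. The script below is an added illustration, not code from the post or from the EnergyMech project; the netstat lines and the fake /dev tree it scans are constructed samples, and the hostnames and PIDs in them are placeholders.

```python
import os
import stat
import tempfile

# Constructed sample of `netstat -nap` output, modelled on the line quoted in
# the post. Addresses are documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      701/httpd
tcp        0      0 192.0.2.10:35501        198.51.100.7:6667       TIME_WAIT   -
tcp        0      0 192.0.2.10:35502        198.51.100.7:6667       ESTABLISHED 4123/kupdated
tcp        0      0 192.0.2.10:44210        203.0.113.5:443         ESTABLISHED 701/httpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           455/ntpd
"""

# Common IRC ports; the post saw 6667. A web/mail server has no business here.
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}

# Names of 2.4-era kernel threads. Real kernel threads never own sockets and
# have no binary on disk, so a socket owner with one of these names is a fake.
KERNEL_THREAD_NAMES = {"kupdated", "bdflush", "kswapd", "kflushd", "keventd", "kjournald"}


def _socket_lines(netstat_output):
    """Yield whitespace-split fields of tcp/udp rows, skipping headers."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith(("tcp", "udp")):
            yield fields


def suspicious_irc_connections(netstat_output, ports=IRC_PORTS):
    """Return (local, foreign, state, program) for TCP sockets whose remote
    port is an IRC port. The TIME_WAIT row with '-' as owner is kept too:
    the process may have exited, but the connection still happened."""
    hits = []
    for fields in _socket_lines(netstat_output):
        if not fields[0].startswith("tcp"):
            continue
        local, foreign, state, prog = fields[3], fields[4], fields[5], fields[-1]
        _, _, port = foreign.rpartition(":")
        if port.isdigit() and int(port) in ports:
            hits.append((local, foreign, state, prog))
    return hits


def kernel_thread_impostors(netstat_output):
    """Return 'PID/name' owners whose name mimics a kernel thread."""
    found = []
    for fields in _socket_lines(netstat_output):
        prog = fields[-1]
        _, _, name = prog.partition("/")
        if name in KERNEL_THREAD_NAMES and prog not in found:
            found.append(prog)
    return found


def non_device_entries(dev_root):
    """Walk a /dev-like tree and return (relative) paths of regular files.
    /dev should hold device nodes, symlinks, FIFOs, sockets and a few known
    subdirectories; executables and tarballs under it, as in /dev/rd/cdb, are
    a classic hiding place. Symlinked directories are not followed."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(dev_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):
                findings.append(os.path.relpath(path, dev_root))
    return sorted(findings)


def build_demo_dev_tree():
    """Constructed stand-in for /dev: one FIFO (benign) plus the hidden
    rd/cdb directory layout from the post (placeholder file contents)."""
    root = tempfile.mkdtemp(prefix="fake_dev_")
    hidden = os.path.join(root, "rd", "cdb")
    os.makedirs(hidden)
    for name in ("run.tgz", "kupdated", "mech.set"):
        with open(os.path.join(hidden, name), "wb") as fh:
            fh.write(b"constructed placeholder\n")
    os.makedirs(os.path.join(root, "pts"))
    if hasattr(os, "mkfifo"):          # FIFOs are legitimate /dev residents
        os.mkfifo(os.path.join(root, "initctl"))
    return root


if __name__ == "__main__":
    for hit in suspicious_irc_connections(SAMPLE_NETSTAT):
        print("IRC connection:", hit)
    print("kernel-thread impostors:", kernel_thread_impostors(SAMPLE_NETSTAT))
    print("regular files under fake /dev:", non_device_entries(build_demo_dev_tree()))
```

On a real host, feed the functions the output of a netstat binary copied from known-good media (as the post does) and point `non_device_entries` at `/dev`; neither check proves a compromise on its own, but either finding on a freshly reinstalled server is reason to image the disk before touching anything else, and the reinfection cycle A.J. describes is the usual sign that the initial entry vector (not the bot itself) is still open.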
This archive was generated by hypermail 2b30 : Tue Nov 18 2003 - 13:10:39 PST