-----BEGIN PGP SIGNED MESSAGE-----

On Tue, 12 Jun 2001, Kip Perkins wrote:

> Good morning all. I was wondering if I could get some help on a possible
> intrusion analysis. Recently I discovered some interesting things on a
> RH Linux 6.2 box.

Congratulations. You've been compromised. Take the box off the 'net.

If you've got a strong sense of curiosity, pick up a copy of The Coroner's
Toolkit (TCT) at http://www.porcupine.org/forensics/tct.html and TCTUTILS
(http://www.cerias.purdue.edu/homes/carrier/forensics/) and have fun.

If you just want to cut to the chase, back up your important data (no
binaries or executables), format your drive, reload the current iteration
of your OS (or get Immunix -- http://www.immunix.org/), apply all patches,
restore your data, and hop back on the 'net. Until such steps are taken,
you're just courting further misery.

Now to answer what's what:

> in /dev:
> /dev/.w
> /dev/.c
> /dev/.cmd

Can't tell from the filenames, but I'd wager these are shells, given that
they're used as such by the new accounts on your box.

> in /etc/inetd.conf:
> 6968 stream tcp nowait root /bin/sh sh -i

Interactive shell, bound as root. Typical.

> 2121 stream tcp nowait root /usr/sbin/tcpd in/telnetd

Dollars to donuts says your tcp wrappers have been trojaned. This one was
probably added in case you found the sh -i.

> in /etc/passwd:
> cmd:x:0:500::/dev/.cmd:/dev/null
> command:x:500:501::/dev/.c:/dev/null
> wizards:x:501:502::/dev/.w:/dev/null

The cmd account is root. The command and wizards accounts are probably in
place in case 'cmd' is found. It's likely that /dev/.c and /dev/.w are suid
shells, then.

> This is all I can find that is weird (translate: "I don't recognize").
> Does anyone recognize these entries? Is this a possible rootkit?

I don't recognize it right offhand, but the intruder wasn't very clever in
masking her/his presence, so it's likely the product of a rootkit.

Happy salvaging.
- -Jay

  (    (                                                         _______
  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<)  |    = |-'
 `--' `--'  `--- Every day's a Friday when you have a gun. ---'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBOyblidCClfiU/BIVAQHUXQQAj/XTiJadjISZndvuMXmxUMr38ZvbUUVr
SggbmddlPNcYgP1iACocBwPFvTmUFaYAeuMaWfEuDOUnXO922trJj7o632JQ9NiZ
PWq13cH37RyC2LPmn1sGeHpIgWgJ+lKOS+YvlEy4OoAiIj33t2lh5w2Al8M3t8Xz
BgWFZvPIP98=
=oitg
-----END PGP SIGNATURE-----
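The checks Jay walks through in the reply above (an extra UID 0 account in /etc/passwd, accounts homed under /dev, shells and raw port numbers in inetd.conf, hidden and setuid files in /dev) gathered into one POSIX shell script. This is an added example written for this page; it is not code from the original post, from TCT or from TCTUTILS. The function names are my own, and the sample /etc/passwd, inetd.conf and /dev contents it builds are constructed from the entries quoted in the thread (plus one ordinary user and two ordinary inetd services so the non-matching case is visible). Every path is a parameter so the checks can be pointed at a read-only mount of the suspect disk rather than run on the live box, whose awk, find and ls may themselves have been replaced.

```shell
#!/bin/sh
# Triage helpers for the indicators discussed in the thread: extra UID-0
# accounts, accounts homed under /dev, shells bound in inetd.conf, and hidden
# or setuid files in /dev.  Added example for this page, not code from the
# original post.  Point the paths at a read-only mount of the evidence disk
# (e.g. /mnt/evidence/etc/passwd), not at the live, possibly trojaned system.

# Accounts other than "root" whose UID is 0 (the "cmd:x:0:500" entry).
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose home directory sits under /dev; nothing legitimate lives there.
find_dev_home_accounts() {
    awk -F: 'index($6, "/dev/") == 1 { print $1 ":" $6 }' "$1"
}

# inetd.conf entries worth a look: the server program or its arguments name a
# shell, or the service field is a raw port number instead of a name from
# /etc/services (both 6968 and 2121 from the thread are caught by that rule).
find_inetd_backdoors() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            prog = $6; args = ""
            for (i = 7; i <= NF; i++) args = args " " $i
            if (prog ~ /\/(ba|k|c|tc)?sh$/ ||
                args ~ /(^| )(ba|k|c|tc)?sh( |$)/ ||
                $1 ~ /^[0-9]+$/)
                print
        }' "$1"
}

# Dot-named entries directly under a dev directory.  Modern udev-based systems
# keep a few legitimate ones (/dev/.udev), so read the list rather than treat
# every hit as hostile; on a RH 6.2 box there should be none.
find_hidden_dev_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -name '.*' | sort
}

# Regular files under dev with the setuid bit.  /dev holds device nodes, not
# setuid programs, so any hit is a candidate suid shell.
find_suid_in_dev() {
    find "$1" -mindepth 1 -maxdepth 1 -type f -perm -4000 | sort
}

# Constructed sample modelled on the entries quoted in the thread; prints the
# directory it built so callers can run the checks against it.
build_sample() {
    d=$(mktemp -d)
    mkdir "$d/etc" "$d/dev"
    cat > "$d/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:503:503::/home/alice:/bin/bash
cmd:x:0:500::/dev/.cmd:/dev/null
command:x:500:501::/dev/.c:/dev/null
wizards:x:501:502::/dev/.w:/dev/null
EOF
    cat > "$d/etc/inetd.conf" <<'EOF'
# constructed inetd.conf: two ordinary wrapped services, two from the thread
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
6968 stream tcp nowait root /bin/sh sh -i
2121 stream tcp nowait root /usr/sbin/tcpd in/telnetd
EOF
    : > "$d/dev/null"
    for f in .w .c .cmd; do : > "$d/dev/$f"; done
    chmod 4755 "$d/dev/.c" "$d/dev/.w"   # the suspected suid shells
    echo "$d"
}

# Print every finding for one evidence root.
report() {
    echo "== extra UID 0 accounts";      find_uid0_accounts "$1/etc/passwd"
    echo "== accounts homed in /dev";    find_dev_home_accounts "$1/etc/passwd"
    echo "== suspicious inetd entries";  find_inetd_backdoors "$1/etc/inetd.conf"
    echo "== hidden entries in /dev";    find_hidden_dev_entries "$1/dev"
    echo "== setuid files in /dev";      find_suid_in_dev "$1/dev"
}

# Run against the constructed sample; substitute the mounted evidence root.
sample=$(build_sample)
report "$sample"
rm -rf "$sample"
```

The report is deliberately a shortlist rather than a verdict: a raw port number in inetd.conf or a dotfile in /dev is only a reason to look closer, and on a box where tcp wrappers are suspected of being trojaned the real answer is still the one Jay gives, image the disk and rebuild.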
This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 23:37:59 PDT