Greetings community, first thanks for all comments on my topic!

As most people suggested, I installed a clean OpenBSD 3.1 with the same modifications as the hacked box. After that I've done a md5/diff on /bin /sbin /usr/bin /usr/sbin and /etc. See the results:

laboratory# diff org.bin.md5 hacked.bin.md5

Nothing changed.

laboratory# diff org.sbin.md5 hacked.sbin.md5

Nothing changed.

laboratory# diff hacked.usr_sbin.md5 org.usr_sbin.md5
52c52
< MD5 (sendmail) = 14003b72c1930d27d3dc2140abee57c1
---
> MD5 (sendmail) = c860ba9f317adedc6b5a31f416cc0253

That doesn't look normal...

laboratory# diff hacked.usr_bin.md5 org.usr_bin.md5
121c122
< MD5 (hoststat) = 14003b72c1930d27d3dc2140abee57c1
---
> MD5 (hoststat) = c860ba9f317adedc6b5a31f416cc0253
123,124c124,125
< MD5 (htdigest) = e1fb58fbd203761e24218c6859ab720b
< MD5 (htpasswd) = e5d13570cf10a82a17829fa026f572b1
---
> MD5 (htdigest) = 05dc3c9981cafbeaae629cd951771fa0
> MD5 (htpasswd) = e9e1295b5fb7e811273e6b483cfa653a
173c174
< MD5 (mailq) = 14003b72c1930d27d3dc2140abee57c1
---
> MD5 (mailq) = c860ba9f317adedc6b5a31f416cc0253
194c195
< MD5 (newaliases) = 14003b72c1930d27d3dc2140abee57c1
---
> MD5 (newaliases) = c860ba9f317adedc6b5a31f416cc0253
237c238
< MD5 (purgestat) = 14003b72c1930d27d3dc2140abee57c1
---
> MD5 (purgestat) = c860ba9f317adedc6b5a31f416cc0253
280c281
< MD5 (slogin) = f8309f1329802e30c7e6badf3896cfa4
---
> MD5 (slogin) = 9862a890469ac61404368f546514f8bd

I think 'slogin' is the most interesting, or? And what sense can it make to modify 'newaliases'?
laboratory# diff hacked.etc.md5 org.etc.md5
3,4c3,4
< MD5 (afs) = fa7c92fa2f02235c0817abbfeb234d5e
< MD5 (amd) = 6fb94cf970b930ebc631a066443a3611
---
> MD5 (afs) = d41d8cd98f00b204e9800998ecf8427e
> MD5 (amd) = d41d8cd98f00b204e9800998ecf8427e
15c15
< MD5 (disklabels) = a0d014dedbbd3577582f274773e50e13
---
> MD5 (disklabels) = d41d8cd98f00b204e9800998ecf8427e
32c33
< MD5 (isakmpd) = 5a2f38c156ce43a609559267188ade4e
---
> MD5 (isakmpd) = d41d8cd98f00b204e9800998ecf8427e
34,35c35,36
< MD5 (kerberosIV) = 068823fab8be82aa4a1e7481b1509539
< MD5 (kerberosV) = 126d5c3e93230fba29019c41d507ad12
---
> MD5 (kerberosIV) = d41d8cd98f00b204e9800998ecf8427e
> MD5 (kerberosV) = d41d8cd98f00b204e9800998ecf8427e
43c43
< MD5 (mail) = 9af3877d5d53ca7818cd7ba3d2acb3ba
---
> MD5 (mail) = d41d8cd98f00b204e9800998ecf8427e
50c50
< MD5 (motd) = 17a018fa675e25ce1feaa36709013387
---
> MD5 (motd) = 815e405c511be5a2251ed78250ff95c1
62c62
< MD5 (photuris) = 645773a40af157d3617197278b1e1c0b
---
> MD5 (photuris) = d41d8cd98f00b204e9800998ecf8427e
64c64
< MD5 (ppp) = 4a033b4279c0a4fe94c6de549f947d53
---
> MD5 (ppp) = d41d8cd98f00b204e9800998ecf8427e
75,76c75,76
< MD5 (resolv.conf) = 5b65a710a3851fe4fd7b4b7dc1f1350f
< MD5 (rmt) = f5188d3308f7472e732c1284611a0a7a
---
> MD5 (resolv.conf) = 3f74584cfb9e655d661bb21828402533
> MD5 (rmt) = 85b608982cf9daf7943849a06ca426cd
81c81
< MD5 (skel) = e7fafa172cbe2e1a8a5e48a799e33595
---
> MD5 (skel) = d41d8cd98f00b204e9800998ecf8427e
83,86c83,86
< MD5 (sliphome) = 57a9b9e33c04356cac2dca1d67b12714
---
> MD5 (sliphome) = d41d8cd98f00b204e9800998ecf8427e
88,91c88,91
< MD5 (tcfs) = 9a42fbe8555a8778bf17d0c00688e1e4
< MD5 (termcap) = 7d61a145c235dcfba8168631c0d3a2bb
---
> MD5 (tcfs) = d41d8cd98f00b204e9800998ecf8427e
> MD5 (termcap) = ce2da96ded3fa67d5c6d3a3b8b7ef8eb

I cut some entries (master.passwd, resolv.conf, mygate, ...) which I know cannot be the same (other configs in them). I expected to find trojaned ps, netstat, etc. but nothing.
Hmm, maybe the attacker did _not_ use a rootkit (strange?) or he has used some exotic one. Is there anything else I could do to get more information? Thanks for any help!

btw, some people asked me via email if I plan to track this guy: no, I will not track this guy down, I just want to learn as much as possible about this hack. It was my own fault, I did not patch it quickly enough.

regards
Ingram

--
GMX - The communication platform on the Internet. http://www.gmx.net

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
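An added illustration of the comparison done in the post (my own script, not Ingram's and not an OpenBSD tool): it parses md5(1) manifests of the form "MD5 (name) = hash", reports changed, missing and added names, groups changed names that share one hash on the hacked side (the sendmail/mailq/newaliases/hoststat/purgestat set points at one replaced file seen under several names), and flags d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of zero bytes, so those /etc entries are most likely empty files or directories rather than replaced content. The sample manifests are constructed from hashes quoted in the post; "unknown_bin" and its hash are invented to show an added file.

```python
import hashlib
import re
from collections import defaultdict

# One BSD md5(1) manifest line, e.g. "MD5 (sendmail) = 14003b72c1930d27d3dc2140abee57c1"
LINE_RE = re.compile(r"^MD5 \((?P<name>.+)\) = (?P<hash>[0-9a-f]{32})$")
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # MD5 of zero bytes (empty file or directory)

def parse_manifest(text):
    """Return {name: md5} from md5(1) output; lines that do not match are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("hash")
    return entries

def compare_manifests(clean, hacked):
    """Changed/missing/added names plus two triage hints for the changed set."""
    changed = sorted(n for n in clean if n in hacked and clean[n] != hacked[n])
    missing = sorted(n for n in clean if n not in hacked)
    added = sorted(n for n in hacked if n not in clean)
    # Changed names that share one hash on the hacked side are one replaced file
    # seen under several names (mailq, newaliases, ... are links to sendmail).
    by_hash = defaultdict(list)
    for n in changed:
        by_hash[hacked[n]].append(n)
    linked = {h: ns for h, ns in by_hash.items() if len(ns) > 1}
    # An empty-input hash on either side means an empty file or directory, not a trojan.
    empty = sorted(n for n in changed if EMPTY_MD5 in (clean[n], hacked[n]))
    return {"changed": changed, "missing": missing, "added": added,
            "linked_sets": linked, "empty_on_one_side": empty}

# Constructed sample manifests: the hashes are the ones quoted in the post,
# except "unknown_bin" and its hash, which are made up to show an added file.
CLEAN = """MD5 (sendmail) = c860ba9f317adedc6b5a31f416cc0253
MD5 (mailq) = c860ba9f317adedc6b5a31f416cc0253
MD5 (newaliases) = c860ba9f317adedc6b5a31f416cc0253
MD5 (slogin) = 9862a890469ac61404368f546514f8bd
MD5 (afs) = d41d8cd98f00b204e9800998ecf8427e"""
HACKED = """MD5 (sendmail) = 14003b72c1930d27d3dc2140abee57c1
MD5 (mailq) = 14003b72c1930d27d3dc2140abee57c1
MD5 (newaliases) = 14003b72c1930d27d3dc2140abee57c1
MD5 (slogin) = f8309f1329802e30c7e6badf3896cfa4
MD5 (afs) = fa7c92fa2f02235c0817abbfeb234d5e
MD5 (unknown_bin) = ffffffffffffffffffffffffffffffff"""

def run_sample():
    """Compare the constructed clean and hacked manifests."""
    return compare_manifests(parse_manifest(CLEAN), parse_manifest(HACKED))
```

On a real box the two manifests come from running md5 over the same directory on the clean install and on the compromised one; a shared hash across several changed names is worth checking with ls -i before reading it as several separate replacements.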
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 08:36:29 PDT