Re: need further help with break in

From: Stephen Samuel (samuelat_private)
Date: Thu Aug 01 2002 - 20:16:07 PDT


    Newaliases is modified as a side effect of modifying
    sendmail (they are links to each other).  Note that
    newaliases has the same signature as sendmail.
    (and some of the other files ... I've included
    and reordered the 'interesting' MD5 sigs).
    
    Slogin was probably trojaned to capture outgoing
    passwords / secret keys.  If anybody on your
    system uses slogin (slogin is usually a symlink
    to ssh, so I don't know why ssh didn't show up there),
    then they'll need to replace all passwords/secret keys
    and check for intrusion on their remote systems.
    
    This looks like it's a rootkit with a twist -- modifying
    different files than a normal rootkit would attack --
    possibly in hopes of avoiding detection that way.
    
    Ingram wrote:
     > greetings community,
     >
     > first thx for all comments on my topic!
     >
     > As most people suggest, I installed a clean OpenBSD 3.1 with the same
     > modifications as the hacked box. After that I've done an md5/diff
     > on /bin /sbin /usr/bin /usr/sbin and /etc
    
     > < MD5 (sendmail) = 14003b72c1930d27d3dc2140abee57c1
     > < MD5 (hoststat) = 14003b72c1930d27d3dc2140abee57c1
     > < MD5 (mailq) =    14003b72c1930d27d3dc2140abee57c1
     > < MD5 (newaliases)=14003b72c1930d27d3dc2140abee57c1
     > < MD5 (purgestat)= 14003b72c1930d27d3dc2140abee57c1
     > < MD5 (htdigest) = e1fb58fbd203761e24218c6859ab720b
     > < MD5 (htpasswd) = e5d13570cf10a82a17829fa026f572b1
     > < MD5 (slogin) = f8309f1329802e30c7e6badf3896cfa4
     > > MD5 (slogin) = 9862a890469ac61404368f546514f8bd
    ....
     > I expected to find trojaned ps, netstat, etc. but nothing. Hmm, maybe the
     > attacker did _not_ use a rootkit (strange?) or he used some exotic
     > one.
     >
     > Is there anything else I could do to get more information?
    
    
    -- 
    Stephen Samuel +1(604)876-0426                samuelat_private
    		   http://www.bcgreen.com/~samuel/
    Powerful committed communication, reaching through fear, uncertainty and
    doubt to touch the jewel within each person and bring it to life.
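Added example (editor's code, not from either poster): the md5/diff step Ingram describes, scripted so that two points raised in the thread show up directly. First, sendmail, hoststat, mailq, newaliases and purgestat are hard links to one binary on OpenBSD, so one trojaned file appears five times in the diff; grouping names by hash makes that visible. Second, md5(1) opens the path it is given and so follows symlinks: on a clean system slogin (a symlink to ssh) must hash identically to ssh, and a host where slogin differs while ssh does not has had the symlink replaced by a separate file, which is why ssh itself never shows up in the diff. Assumptions: BSD md5 output lines of the form "MD5 (name) = hash" taken in each directory, as quoted above; both manifests below are constructed sample data (the clean-side hashes are placeholders, the suspect-side ones reuse values quoted in the thread).

```shell
#!/bin/sh
# Compare an MD5 manifest from a clean reference install with one from the
# suspect host. Manifest format assumed: BSD md5(1) output "MD5 (name) = hash",
# produced per directory (e.g. `cd /usr/sbin && md5 *`); a missing space around
# '=' is tolerated, matching the lines quoted in the thread.
#
# Both manifests are constructed sample data for this example.
CLEAN='MD5 (sendmail) = 00000000000000000000000000000001
MD5 (hoststat) = 00000000000000000000000000000001
MD5 (mailq) = 00000000000000000000000000000001
MD5 (newaliases) = 00000000000000000000000000000001
MD5 (purgestat) = 00000000000000000000000000000001
MD5 (ssh) = 00000000000000000000000000000002
MD5 (slogin) = 00000000000000000000000000000002
MD5 (ps) = 00000000000000000000000000000003'

SUSPECT='MD5 (sendmail) = 14003b72c1930d27d3dc2140abee57c1
MD5 (hoststat) = 14003b72c1930d27d3dc2140abee57c1
MD5 (mailq) =    14003b72c1930d27d3dc2140abee57c1
MD5 (newaliases)=14003b72c1930d27d3dc2140abee57c1
MD5 (purgestat)= 14003b72c1930d27d3dc2140abee57c1
MD5 (ssh) = 00000000000000000000000000000002
MD5 (slogin) = f8309f1329802e30c7e6badf3896cfa4
MD5 (ps) = 00000000000000000000000000000003'

# Normalise a manifest to "name hash" lines, one per file.
norm() {
    printf '%s\n' "$1" |
        sed -n 's/^MD5 (\([^)]*\)) *= *\([0-9a-fA-F]*\)$/\1 \2/p'
}

# Print "name clean_hash suspect_hash" for every file whose hash differs
# between the two manifests; files present on only one side are reported
# with MISSING on the other side.
changed_files() {
    {
        norm "$1" | sed 's/^/C /'
        norm "$2" | sed 's/^/S /'
    } | awk '
        $1 == "C" { clean[$2] = $3; next }
        $1 == "S" { sus[$2]   = $3; next }
        END {
            for (n in clean)
                if (!(n in sus))          print n, clean[n], "MISSING"
                else if (clean[n] != sus[n]) print n, clean[n], sus[n]
            for (n in sus)
                if (!(n in clean))        print n, "MISSING", sus[n]
        }' | sort
}

# Group names that share one hash. Hard links to one binary (the sendmail
# set) show up as a single line "hash name1 name2 ..."; sets of one are omitted.
hardlink_sets() {
    norm "$1" | awk '
        { names[$2] = names[$2] " " $1; count[$2]++ }
        END { for (h in count) if (count[h] > 1) print h names[h] }' | sort
}

# md5 follows symlinks, so a link and its target must hash identically.
# Given "link target" pairs expected to be symlinks, print the pairs whose
# hashes differ: the link has been replaced by a separate file.
link_mismatches() {
    manifest="$1"; shift
    for pair in "$@"; do
        link=${pair%% *}; target=${pair##* }
        lh=$(norm "$manifest" | awk -v n="$link"   '$1 == n { print $2 }')
        th=$(norm "$manifest" | awk -v n="$target" '$1 == n { print $2 }')
        [ -n "$lh" ] && [ -n "$th" ] && [ "$lh" != "$th" ] && echo "$link $target"
    done
    return 0
}

echo "== files whose hash changed (name clean suspect) =="
changed_files "$CLEAN" "$SUSPECT"
echo "== suspect-side hard-link sets (one binary, several names) =="
hardlink_sets "$SUSPECT"
echo "== expected symlinks whose hash no longer matches the target =="
link_mismatches "$SUSPECT" "slogin ssh"
```

Run it as-is to see the three reports on the sample data; on a real case, replace CLEAN and SUSPECT with the md5 output captured on the reference install and on the compromised host, and extend the link_mismatches list with the other symlinked commands of the installed release.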
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    