In-Reply-To: <001501c24827$5301b360$0100a8c0@danz>

Hello Dan,

I think the rootkit is renamed or so old that I never heard anything about it. A "good" cracker makes some changes to the rootkits he uses, so you do not know what to do to get rid of it. But I think this rootkit has to be a very old or stupid one if it kills "ps" and hurts "netstat". You might never have found it if this had not happened. *lol*

To the exploit: might be this...
http://packetstormsecurity.nl/UNIX/penetration/rootkits/wu-ftpd-2.6.2-backdoored.gz

If you do not need it, you should not use FTP anymore...

Good luck
Will Tell

>From: "Dan Fry" <Danat_private>
>To: <forensicsat_private>
>Subject: Red Hat Box..
>Date: Tue, 20 Aug 2002 09:55:12 +0100
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="iso-8859-1"
>Content-Transfer-Encoding: 7bit
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Mailer: Microsoft Outlook Express 5.50.4522.1200
>X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
>
>Hi,
>A few nights ago, I noticed that there were some errors on my Red Hat box. I
>am a newbie at Linux, so these errors just confused me: the "ps" command had
>disappeared from the system, and "netstat" was present but never worked. I
>initially assumed it was the application paths, but I was wrong.
>I ran the chkrootkit program/scripts and it detected several "infected
>programs":
>
>Checking `top'... INFECTED
>Checking `ps'... INFECTED
>Checking `netstat'... INFECTED
>Checking `ifconfig'... INFECTED
>Checking `hdparm'... INFECTED
>
>omg! I've been hacked.. argh!
>
>After a bit of investigation,
>I found a packet sniffer on the computer and a log cleaner.
>Here is how... (and the lists of files etc.)
>
>[root@Rah dan]# find / -name ".*" -print -xdev | cat -v
>/dev/ida/.sys
>/dev/ida/.inet
>
>^^ hidden directories.. let's check them out.. :o)
>
>
>[root@Rah dan]# cd /dev/ida/.sys
>[root@Rah .sys]# ls -la
>total 36
>drwxr-xr-x    2 root     root         1024 Aug 17 22:20 .
>drwxr-xr-x    4 root     root        32768 Aug 17 22:20 ..
>-rwxr-xr-x    1 root     root         1345 Sep  9  1999 cleaner
>
>[root@Rah .sys]# ./cleaner
>* sauber by socked [07.27.97]
>* Usage: cleaner <string>
>
>[root@Rah .sys]#
>
>and the other dir...?
>
>[root@Rah .sys]# cd /dev/ida/.inet
>[root@Rah .inet]# ls -la
>total 255
>drwxr-xr-x    2 root     root         1024 Aug 17 22:20 .
>drwxr-xr-x    4 root     root        32768 Aug 17 22:20 ..
>-rwx------    1 root     root         7165 Sep 26  1983 linsniffer
>-rwx------    1 root     root           75 Sep 26  1983 logclear
>-rw-r--r--    1 root     root            6 Aug 17 22:20 pid
>-rw-r--r--    1 root     root          705 Jul 29 18:13 s
>-rwxr-xr-x    1 root     root         4060 Sep 26  1983 sense
>-rwx------    1 root     root       208488 Jul 29 18:25 sshdu
>-rw-------    1 root     root          541 Sep 26  1983 ssh_host_key
>-rw-------    1 root     root          512 Aug 17 22:20 ssh_random_seed
>-rw-r--r--    1 root     root            0 Aug 17 22:20 tcp.log
>[root@Rah .inet]#
>
>Packet sniffer in here and another log cleaner..
>The tcp.log was empty; they didn't seem to have time to execute the sniffer.
>
>I have got the login times on FTPd and IPs (but it seems that the host that
>"hacked" me has been "hacked" itself; should I notify the administrators?)
>that match what the user was doing, but they haven't left any bash_historys
>or anything. I would like to know what they executed if possible, and what
>exploit they used. I am 99% sure they came in through FTP, but it doesn't seem
>to have been buffer overflow'd or anything; I am running wu-2.6.1-18.
>
>On the remote site they attacked me from, it seems they were trying to
>download "kfn.tar.gz". I can't find a reference to this "rootkit" anywhere;
>has anyone heard of it?
>Even if no one can answer my questions, or point me in the right direction,
>I just thought it would be good to show people the steps I (the newbie) took
>to find out the attacker's motives etc.
>It seems the attacker got cut off from my computer, as it was on a dialup with a
>2-hour cut off, lol.. so they were out of luck.
>Any info or help would be appreciated (like what to do when a computer is
>compromised etc.)
>
>
>- Dan.
>Aug 17 22:21:10 Rah syslogd 1.4.1: restart. :(
>
>
>-----------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
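The `find / -name ".*" -xdev` sweep in Dan's post is what turned up /dev/ida/.sys and /dev/ida/.inet. The script below is an added example, not code from the thread: it generalizes that check to a /dev-like tree, reporting any regular file (a device tree should hold only device nodes, FIFOs, sockets, symlinks and directories) as well as any dot-named directory, and builds a constructed demo tree so it runs without root.

```shell
#!/bin/sh
# Added example (not from the thread). A healthy /dev contains no regular
# files, so a regular file or a hidden directory such as /dev/ida/.sys is a
# cheap, high-signal indicator worth inspecting by hand.
# Usage: suspicious_dev_entries /dev

suspicious_dev_entries() {
    dir="$1"
    # -xdev keeps the walk on one filesystem, as in the original command.
    # Report: any regular file, or any directory whose basename starts with a dot.
    find "$dir" -xdev \( -type f -o \( -type d -name '.*' \) \) -print 2>/dev/null | sort
}

# Constructed stand-in for /dev (needs no root): one legitimate non-regular
# entry, one ordinary directory, and a hidden directory holding a regular file,
# mirroring the /dev/ida/.sys/cleaner layout from the post.
demo_tree() {
    root=$(mktemp -d)
    mkfifo "$root/initctl"              # legitimate FIFO, must not be reported
    mkdir -p "$root/pts"                # ordinary directory, must not be reported
    mkdir -p "$root/ida/.sys"           # hidden directory, reported
    : > "$root/ida/.sys/cleaner"        # regular file, reported
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(demo_tree)
    suspicious_dev_entries "$tree"
    rm -rf "$tree"
fi
```

Run it with `--demo` to see the two offending paths, or point `suspicious_dev_entries` at a real /dev and review every line it prints.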
This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 08:28:24 PDT