Re: SSH Trojan found on my system, request more info on identification

From: HalbaSus (halbasusat_private)
Date: Mon Oct 28 2002 - 10:37:22 PST


    Erick Arturo Perez Huemer wrote:
    
    > 
    > Sirs, the attached ssh trojan was found on one of the systems 
    > connected to our network.
    > MD5: 474b2cc161dd428de6226914ba48281f
    > 
    > Details:
    > Machine:Linux Mandrake release 8.0 (Traktopel) for i586
    > Primary use: Mail Server with remote admin via SSH.
    > Original SSH server was disabled:  OpenSSH_2.5.2p2
    > Trojan Listen on port 65298 TCP
    > Installed as /usr/sbin/mingetty
    > Banner: SSH-1.5-Dragos's Empire Inc.
    > Chkrootkit -r /usr/sbin detected nothing
    > Chkrootkit -r / detected nothing
    > Chkrootkit -r /usr/sbin/ mingetty detected nothing
    > 
    > Lsof Output:
    > [root@mail temp]# lsof -p 23256
    > COMMAND    PID USER   FD   TYPE DEVICE    SIZE NODE NAME
    > mingetty 23256 root  cwd    DIR    3,1     408    2 /
    > mingetty 23256 root  rtd    DIR    3,1     408    2 /
    > mingetty 23256 root  txt    REG    3,6  654387 6455 /usr/sbin/mingetty
    > mingetty 23256 root  mem    REG    3,1  420778   67 /lib/ld-2.2.2.so
    > mingetty 23256 root  mem    REG    3,1   78208   80 
    > /lib/libnsl-2.2.2.so
    > mingetty 23256 root  mem    REG    3,1   21812   74 
    > /lib/libcrypt-2.2.2.so
    > mingetty 23256 root  mem    REG    3,1    8284  102 
    > /lib/libutil-2.2.2.so
    > mingetty 23256 root  mem    REG    3,1 1216268   72 /lib/libc-2.2.2.so
    > mingetty 23256 root    0u   CHR    1,3           62 /dev/null
    > mingetty 23256 root    1u   CHR    1,3           62 /dev/null
    > mingetty 23256 root    2u   CHR    1,3           62 /dev/null
    > mingetty 23256 root    3u   CHR    5,1         4838 /dev/console
    > mingetty 23256 root    4u   CHR    5,1         4838 /dev/console
    > mingetty 23256 root    5u   CHR    5,1         4838 /dev/console
    > mingetty 23256 root    6u  IPv4 122992          TCP *:65298 (LISTEN)
    > mingetty 23256 root   21w  FIFO    0,0           16 pipe
    > [root@mail temp]#
    > 
    > Any help will be appreciated to grab further info on this.
    >
    > PD. The executable is about 650 Kb so I cannot attach it to this
    > message. Even a .tar is about 200k, so anyone who wants to see it, email
    > me and I will send it.
    > Thanks,
    >
    > Erick A. Perez H.
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    Don't know if this helps but it's a Romanian rootkit, and the attacker
    is probably also Romanian... For his IP address look for ssh
    configuration files... or simply do a nc -l [port of the ssh trojan]...
    You should check your ssh version (maybe it's vulnerable), also look
    for local vulnerabilities (it's slightly probable that this guy has some
    non-root accounts). Does this mail server have a httpd? If so look for
    possible cgi backdoors, maybe apache/open-ssl vulnerabilities...
    
    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 17:10:49 PST