Erick Arturo Perez Huemer wrote:
>
> Sirs, the attached ssh trojan was found on one of the systems
> connected to our network.
> MD5: 474b2cc161dd428de6226914ba48281f
>
> Details:
> Machine: Linux Mandrake release 8.0 (Traktopel) for i586
> Primary use: Mail server with remote admin via SSH.
> Original SSH server was disabled: OpenSSH_2.5.2p2
> Trojan listens on port 65298 TCP
> Installed as /usr/sbin/mingetty
> Banner: SSH-1.5-Dragos's Empire Inc.
> chkrootkit -r /usr/sbin detected nothing
> chkrootkit -r / detected nothing
> chkrootkit -r /usr/sbin/mingetty detected nothing
>
> lsof output:
> [root@mail temp]# lsof -p 23256
> COMMAND  PID   USER FD  TYPE DEVICE  SIZE    NODE NAME
> mingetty 23256 root cwd DIR  3,1     408     2    /
> mingetty 23256 root rtd DIR  3,1     408     2    /
> mingetty 23256 root txt REG  3,6     654387  6455 /usr/sbin/mingetty
> mingetty 23256 root mem REG  3,1     420778  67   /lib/ld-2.2.2.so
> mingetty 23256 root mem REG  3,1     78208   80   /lib/libnsl-2.2.2.so
> mingetty 23256 root mem REG  3,1     21812   74   /lib/libcrypt-2.2.2.so
> mingetty 23256 root mem REG  3,1     8284    102  /lib/libutil-2.2.2.so
> mingetty 23256 root mem REG  3,1     1216268 72   /lib/libc-2.2.2.so
> mingetty 23256 root 0u  CHR  1,3             62   /dev/null
> mingetty 23256 root 1u  CHR  1,3             62   /dev/null
> mingetty 23256 root 2u  CHR  1,3             62   /dev/null
> mingetty 23256 root 3u  CHR  5,1             4838 /dev/console
> mingetty 23256 root 4u  CHR  5,1             4838 /dev/console
> mingetty 23256 root 5u  CHR  5,1             4838 /dev/console
> mingetty 23256 root 6u  IPv4 122992          TCP  *:65298 (LISTEN)
> mingetty 23256 root 21w FIFO 0,0             16   pipe
> [root@mail temp]#
>
> Any help will be appreciated to grab further info on this.
>
> P.S. The executable is about 650 Kb so I cannot attach it to this
> message. Even a .tar is about 200k, so anyone who wants to see it, email
> me and I will send it.
> Thanks,
>
> Erick A. Perez H.
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


Don't know if this helps, but it's a Romanian rootkit, and the attacker is probably also Romanian... For his IP address look for ssh configuration files... or simply do a nc -l [port of the ssh trojan]... You should check your ssh version (maybe it's vulnerable), also look for local vulnerabilities (it's slightly probable that this guy has some non-root accounts). Does this mail server have an httpd? If so look for possible cgi backdoors, maybe apache/open-ssl vulnerabilities...
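The lsof listing above already contains the tell: a getty manages a terminal and never owns a listening TCP socket, and the process has its stdio on /dev/null like a daemon. The following is an added example written for this page, not code from either poster: a POSIX shell function that parses `lsof -p` output and reports any process whose executable is a getty yet holds a TCP LISTEN socket, plus a check that an SSH banner is the stock OpenSSH one. The sample lsof text is the output posted above with the wrapped library lines rejoined; the function names and the sample are this example's own.

```shell
#!/bin/sh
# Added example for this thread (not code from either poster): triage a suspect
# process from `lsof -p <pid>` output. A getty manages a terminal; it never owns a
# listening TCP socket, so "getty binary + TCP LISTEN" is a strong indicator.
# Function names and the sample data below are this example's own.

# Constructed sample: the lsof output posted above, with the wrapped library
# lines rejoined so each record sits on one line.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mingetty 23256 root cwd DIR 3,1 408 2 /
mingetty 23256 root rtd DIR 3,1 408 2 /
mingetty 23256 root txt REG 3,6 654387 6455 /usr/sbin/mingetty
mingetty 23256 root mem REG 3,1 420778 67 /lib/ld-2.2.2.so
mingetty 23256 root mem REG 3,1 1216268 72 /lib/libc-2.2.2.so
mingetty 23256 root 0u CHR 1,3 62 /dev/null
mingetty 23256 root 1u CHR 1,3 62 /dev/null
mingetty 23256 root 2u CHR 1,3 62 /dev/null
mingetty 23256 root 3u CHR 5,1 4838 /dev/console
mingetty 23256 root 6u IPv4 122992 TCP *:65298 (LISTEN)
mingetty 23256 root 21w FIFO 0,0 16 pipe'

# Read lsof output on stdin; print "PID EXE PORT[,PORT] stdio=..." for every
# process whose executable looks like a getty yet holds a listening TCP socket.
flag_listening_getty() {
    awk '
        # "txt" is the executable backing the process.
        $4 == "txt" { exe[$2] = $NF }
        # fds 0, 1 and 2 on /dev/null: the process detached itself like a daemon.
        $4 ~ /^[012][rwu]$/ && $NF == "/dev/null" { nulls[$2]++ }
        # A listening socket: NODE column is TCP, NAME is host:port then (LISTEN).
        $NF == "(LISTEN)" && $(NF-2) == "TCP" {
            p = $(NF-1); sub(/^.*:/, "", p)
            port[$2] = (port[$2] == "" ? p : port[$2] "," p)
        }
        END {
            for (pid in port)
                if (exe[pid] ~ /\/(a|min)?getty$/)
                    printf "%s %s %s stdio=%s\n", pid, exe[pid], port[pid],
                           (nulls[pid] == 3 ? "/dev/null" : "terminal")
        }'
}

# Succeeds only for a stock OpenSSH banner; "SSH-1.5-Dragos's Empire Inc." fails.
banner_is_stock_openssh() {
    case "$1" in
        SSH-[12].[0-9]*-OpenSSH_*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | flag_listening_getty
```

On a live host, pipe `lsof -p 23256 | flag_listening_getty`; since chkrootkit found nothing, use lsof and awk from known-good media rather than the copies on the box, as the kit may have replaced them too. The `nc -l` suggestion in the reply (to capture the attacker's source address) only works once the trojan is stopped, because the port cannot be bound twice.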
This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 17:10:49 PST