Hi

I am new to this list, so if this incident has been reported previously, I apologise for wasting your time.

I was recently asked to check a misbehaving Red Hat 6.2 system which seemed to have been cracked. On examination, I found that the following files had been replaced with trojan versions: ls, ps, syslogd, find, inetd, netstat, ifconfig, tcpd, uucp and login.

The cracker also created a directory "^Madereet" in /dev in which I found the following:

[root@mail ^Madereet]# ls -Ral
total 52
drwxr-xr-x 5 root root  4096 Aug 16  2000 .
drwxr-xr-x 7 root root 36864 Apr 12 05:41 ..
drwxr-xr-x 2 root root  4096 Apr 17 04:11 .backup
drwxr-xr-x 2 root root  4096 Aug 16  2000 bin
drwxr-xr-x 2 root root  4096 Apr 17 04:15 other

.backup:
total 308
drwxr-xr-x 2 root root  4096 Apr 17 04:11 .
drwxr-xr-x 5 root root  4096 Aug 16  2000 ..
-rwxr-xr-x 1 root root 54544 Aug 16  2000 find
-rwxr-xr-x 1 root root 42736 Aug 16  2000 ifconfig
-rwxr-xr-x 1 root root 21552 Aug 16  2000 inetd
-rw-r--r-- 1 root root  3070 Aug 16  2000 inetd.conf
-rwxr-xr-x 1 root root 43024 Aug 16  2000 ls
-rwxr-xr-x 1 root root 66736 Aug 16  2000 netstat
-rwxr-xr-x 1 root root 26352 Aug 16  2000 syslogd
-rwxr-xr-x 1 root root 23568 Aug 16  2000 tcpd

bin:
total 812
drwxr-xr-x 2 root root   4096 Aug 16  2000 .
drwxr-xr-x 5 root root   4096 Aug 16  2000 ..
-rwxr-xr-x 1 1088 1088  12563 Jul  6  2000 login
-rwxr-xr-x 1 1088 1088 640413 Jul  6  2000 sshd
-rwxr-xr-x 1 1088 1088  61070 Jul  6  2000 top
-rwxr-xr-x 1 1088 1088  89700 Aug 12  2000 ttymon

other:
total 24
drwxr-xr-x 2 root root 4096 Apr 17 04:15 .
drwxr-xr-x 5 root root 4096 Aug 16  2000 ..
-rwxr-xr-x 1 1088 1088 1344 Jul 22  2000 sauber
-rwxr-xr-x 1 1088 1088 7229 Jul 22  2000 sniff
-rw-rw-r-- 1 root root    6 Apr 17 04:15 sniff.pid

The "sauber" utility was quite interesting; it cleans the system logfiles, giving the following output:

* sauber by socked [07.27.97]
*
* Cleaning logs.. This may take a bit depending on the size of the logs.
* Cleaning boot.log (52 lines)...0 lines removed!
* Cleaning boot.log.1 (52 lines)...0 lines removed!
* Cleaning boot.log.2 (52 lines)...0 lines removed!
* Cleaning boot.log.3 (52 lines)...0 lines removed!
* Cleaning boot.log.4 (52 lines)...0 lines removed!
* Cleaning cron (63 lines)...0 lines removed!
* Cleaning cron.1 (52 lines)...0 lines removed!
* Cleaning cron.2 (52 lines)...0 lines removed!
* Cleaning cron.3 (52 lines)...0 lines removed!
* Cleaning cron.4 (52 lines)...0 lines removed!
* Cleaning dmesg (52 lines)...0 lines removed!
* Cleaning htmlaccess.log (52 lines)...0 lines removed!
* Cleaning maillog (76 lines)...0 lines removed!
* Cleaning maillog.1 (52 lines)...0 lines removed!
* Cleaning maillog.2 (52 lines)...0 lines removed!
* Cleaning maillog.3 (52 lines)...0 lines removed!
* Cleaning maillog.4 (52 lines)...0 lines removed!
* Cleaning messages (58 lines)...3 lines removed!
* Cleaning messages.1 (52 lines)...0 lines removed!
* Cleaning messages.2 (52 lines)...0 lines removed!
* Cleaning messages.3 (52 lines)...0 lines removed!
* Cleaning messages.4 (52 lines)...0 lines removed!
* Cleaning netconf.log (52 lines)...0 lines removed!
* Cleaning netconf.log.1 (52 lines)...0 lines removed!
* Cleaning netconf.log.2 (52 lines)...0 lines removed!
* Cleaning netconf.log.3 (52 lines)...0 lines removed!
* Cleaning netconf.log.4 (52 lines)...0 lines removed!
* Cleaning secure (61 lines)...1 lines removed!
* Cleaning secure.1 (52 lines)...0 lines removed!
* Cleaning secure.2 (52 lines)...0 lines removed!
* Cleaning secure.3 (52 lines)...0 lines removed!
* Cleaning secure.4 (52 lines)...0 lines removed!
* Cleaning sendmail.st (52 lines)...0 lines removed!
* Cleaning spooler (52 lines)...0 lines removed!
* Cleaning spooler.1 (52 lines)...0 lines removed!
* Cleaning spooler.2 (52 lines)...0 lines removed!
* Cleaning spooler.3 (52 lines)...0 lines removed!
* Cleaning spooler.4 (52 lines)...0 lines removed!
* Cleaning xferlog (52 lines)...0 lines removed!
* Cleaning xferlog.1 (52 lines)...0 lines removed!
* Cleaning xferlog.2 (52 lines)...0 lines removed!
* Cleaning xferlog.3 (52 lines)...0 lines removed!
* Cleaning xferlog.4 (52 lines)...0 lines removed!
* Alles sauber mein Meister !'Q%&@   [German: "All clean, my master"]

As far as I could see there were very few other changes - inetd.conf was altered to open most available services, but this could have been a result of the vanilla RH6.2 install.

I checked for evidence of the Adore worm - not found.

Has anyone else found this exploit?

Best Regards
Eugene Geldenhuys MCNE ECNE MCSE MCP
TFX SOLUTIONS - PROFESSIONAL NETWORK DESIGN, IMPLEMENTATION AND SUPPORT
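The three indicators in the listing above are a subdirectory under /dev holding regular files, a directory name that starts with a carriage return (the "^M"), and files owned by uid 1088, which has no passwd entry on the box. The following Python script is an added example, not code from the post, from the rootkit or from Red Hat: it walks a device directory and flags exactly those three things. The allowlist of legitimate /dev subdirectories (DEFAULT_IGNORE_DIRS), the uid-resolution rule, and the constructed demo tree of empty files named after the post's listing are assumptions; run suspicious_dev_entries("/dev") on a suspect host (ideally from rescue media, since the host's own ls is trojaned) instead of the demo tree.

```python
"""Triage helper: find entries that do not belong in a device directory.

Added example, not part of the original post. Reproduces the post's findings
in a constructed tree: a hidden directory under /dev whose name starts with a
carriage return, holding regular files owned by a uid with no passwd entry.
"""
import os
import pwd
import stat
import tempfile

# Assumption: subdirectories a modern Linux /dev legitimately contains; extend
# for your distribution. Entries under these are not descended into or flagged.
DEFAULT_IGNORE_DIRS = frozenset({"pts", "shm", "mqueue", "hugepages", "disk",
                                 "block", "char", "input", "mapper", "snd"})

# "^Madereet" from the post: ^M is a carriage return (0x0d).
HIDDEN_DIR = "\radereet"


def uid_has_passwd_entry(uid):
    """True if the uid resolves through the local passwd database."""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def suspicious_dev_entries(dev_root, known_uid=uid_has_passwd_entry,
                           ignore_dirs=DEFAULT_IGNORE_DIRS):
    """Walk dev_root and return [(relative_path, reason), ...].

    Flags regular files and subdirectories (a device directory should hold
    device nodes, symlinks, fifos and sockets), names containing characters
    outside printable ASCII, and owners for which known_uid() is False.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(dev_root):
        if dirpath == dev_root:
            # prune allowlisted top-level directories before they are examined
            dirnames[:] = [d for d in dirnames if d not in ignore_dirs]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, dev_root)
            try:
                st = os.lstat(full)          # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                findings.append((rel, "regular file in device directory"))
            elif stat.S_ISDIR(st.st_mode):
                findings.append((rel, "subdirectory in device directory"))
            if any(not 0x20 <= ord(ch) < 0x7f for ch in name):
                findings.append((rel, "non-printable character in name"))
            if not known_uid(st.st_uid):
                findings.append((rel, "owner uid %d has no passwd entry" % st.st_uid))
    return findings


def build_demo_tree(base):
    """Constructed sample tree (empty files) laid out like the post's listing."""
    os.mkdir(os.path.join(base, "pts"))                     # legitimate, allowlisted
    os.symlink("/proc/self/fd", os.path.join(base, "fd"))   # legitimate symlink
    for sub, names in ((".backup", ["find", "ls", "netstat", "inetd.conf"]),
                       ("bin", ["login", "sshd", "top", "ttymon"]),
                       ("other", ["sauber", "sniff", "sniff.pid"])):
        d = os.path.join(base, HIDDEN_DIR, sub)
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "w").close()


def demo_findings(known_uid=uid_has_passwd_entry):
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        return suspicious_dev_entries(demo, known_uid=known_uid)


if __name__ == "__main__":
    for rel, why in demo_findings():
        print("%-40r %s" % (rel, why))
```

The demo tree is created by an unprivileged user, so every file is owned by a real account and the uid check only fires when you pass a stricter known_uid (for example one that consults the passwd file copied off the compromised host). Printing the path with %r rather than %s is deliberate: it makes the embedded carriage return visible instead of letting it overwrite the line, which is the same trick the attacker relied on against a plain ls.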
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 17:29:32 PDT