Re: Madereet exploit

From: Daniel Brachmann (9dat_private)
Date: Wed Apr 18 2001 - 01:31:36 PDT


    Eugene Geldenhuys wrote:
    >  Hi
    >
    >  I am new to this list, so if this incident has been reported
    >  previously, I apologise for wasting your time.
    >
    >  I was recently asked to check a misbehaving Redhat 6.2 system
    >  which seemed to have been cracked.
    >  On examination, I found that the following files had been replaced
    >  with trojan versions:
    >  ls, ps, syslogd, find, inetd, netstat, ifconfig, tcpd, uucp and login.
    >  The cracker also created a directory "^Madereet" in /dev in which I
    >  found the following:
    >
    >  [root@mail ^Madereet]# ls -Ral
    >  total 52
    >  drwxr-xr-x   5 root     root         4096 Aug 16  2000 .
    >  drwxr-xr-x   7 root     root        36864 Apr 12 05:41 ..
    >  drwxr-xr-x   2 root     root         4096 Apr 17 04:11 .backup
    >  drwxr-xr-x   2 root     root         4096 Aug 16  2000 bin
    >  drwxr-xr-x   2 root     root         4096 Apr 17 04:15 other
    >
    >  .backup:
    >  total 308
    >  drwxr-xr-x   2 root     root         4096 Apr 17 04:11 .
    >  drwxr-xr-x   5 root     root         4096 Aug 16  2000 ..
    >  -rwxr-xr-x   1 root     root        54544 Aug 16  2000 find
    >  -rwxr-xr-x   1 root     root        42736 Aug 16  2000 ifconfig
    >  -rwxr-xr-x   1 root     root        21552 Aug 16  2000 inetd
    >  -rw-r--r--   1 root     root         3070 Aug 16  2000 inetd.conf
    >  -rwxr-xr-x   1 root     root        43024 Aug 16  2000 ls
    >  -rwxr-xr-x   1 root     root        66736 Aug 16  2000 netstat
    >  -rwxr-xr-x   1 root     root        26352 Aug 16  2000 syslogd
    >  -rwxr-xr-x   1 root     root        23568 Aug 16  2000 tcpd
    >
    >  bin:
    >  total 812
    >  drwxr-xr-x   2 root     root         4096 Aug 16  2000 .
    >  drwxr-xr-x   5 root     root         4096 Aug 16  2000 ..
    >  -rwxr-xr-x   1 1088     1088        12563 Jul  6  2000 login
    >  -rwxr-xr-x   1 1088     1088       640413 Jul  6  2000 sshd
    >  -rwxr-xr-x   1 1088     1088        61070 Jul  6  2000 top
    >  -rwxr-xr-x   1 1088     1088        89700 Aug 12  2000 ttymon
    >
    >  other:
    >  total 24
    >  drwxr-xr-x   2 root     root         4096 Apr 17 04:15 .
    >  drwxr-xr-x   5 root     root         4096 Aug 16  2000 ..
    >  -rwxr-xr-x   1 1088     1088         1344 Jul 22  2000 sauber
    >  -rwxr-xr-x   1 1088     1088         7229 Jul 22  2000 sniff
    >  -rw-rw-r--   1 root     root            6 Apr 17 04:15 sniff.pid
    >
    >  The "sauber" utility was quite interesting; it cleans the system
    >  logfiles, giving the following output:
    >
    >  * sauber by socked [07.27.97]
    >  *
    [ Output shortened]
    >  * Alles sauber mein Meister !'Q%&@
    
    sauber is a German word meaning clean, and the last sentence of the
    output would translate into something like "Everything clean my
    master".
    
    It seems that whoever cracked your box is of German origin.
    
    hth
    Daniel "fengor" Brachmann
    --
    The opinions expressed in this mail are my own and not necessarily
    those of my employer.
    
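As an added example (not part of either message above, and not the "sauber" tool the post describes): a small POSIX shell script that triages a device directory for the artefacts Eugene found, namely regular files and executables where only device nodes belong, files owned by a UID with no account (1088 in the listing), and shadow copies of the replaced system binaries. The directory argument and the function names are assumptions; on a live host you would pass /dev, or a mounted image of it.

```shell
#!/bin/sh
# Added example (not the post's tool): triage a device directory for the
# kind of artefacts described above. DEVDIR is an assumption; pass /dev on a
# real host, or a staged copy when working from an image.

# Regular files under DEVDIR. /dev should hold device nodes, symlinks,
# FIFOs and sockets, so any regular file there deserves a look.
suspect_regular_files() {
    find "$1" -type f 2>/dev/null | sort
}

# Regular files with the owner execute bit set (login, sshd, sniff, sauber
# in the listing). -perm -100 is octal for portability across find flavours.
suspect_executables() {
    find "$1" -type f -perm -100 2>/dev/null | sort
}

# Files whose owning UID has no passwd entry, as with uid 1088 above.
suspect_unknown_owner() {
    find "$1" -nouser 2>/dev/null | sort
}

# Count files that carry the names of the replaced system binaries; the
# .backup and bin directories in the listing are full of these.
count_shadow_binaries() {
    n=0
    for name in ls ps syslogd find inetd netstat ifconfig tcpd uucp login sshd top ttymon; do
        n=$((n + $(find "$1" -type f -name "$name" 2>/dev/null | wc -l)))
    done
    echo "$n"
}

# Human-readable summary; usage: triage_devdir /dev
triage_devdir() {
    dir="$1"
    echo "== regular files under $dir"
    suspect_regular_files "$dir"
    echo "== executables under $dir"
    suspect_executables "$dir"
    echo "== files with no matching account"
    suspect_unknown_owner "$dir"
    echo "== shadow copies of system binaries: $(count_shadow_binaries "$dir")"
}
```

The -nouser check only helps when the binaries keep their original ownership, as they did here; the regular-file and executable checks do not depend on that.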

    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 07:09:31 PDT