sauber was first seen in the wild with the new infamous t0rnkit; since then this log cleaner has been included with most if not all Linux kits out there and some Sun ones as well.

> Eugene Geldenhuys wrote:
> > Hi
> >
> > I am new to this list, so if this incident has been reported
> > previously, I apologise for wasting your time.
> >
> > I was recently asked to check a misbehaving Redhat 6.2 system
> > which seemed to have been cracked.
> > On examination, I found that the following files had been replaced
> > with trojan versions:
> > ls, ps, syslogd, find, inetd, netstat, ifconfig, tcpd, uucp and login.
> > The cracker also created a directory "^Madereet" in /dev in which I
> > found the following:
> >
> > [root@mail ^Madereet]# ls -Ral
> > total 52
> > drwxr-xr-x 5 root root  4096 Aug 16  2000 .
> > drwxr-xr-x 7 root root 36864 Apr 12 05:41 ..
> > drwxr-xr-x 2 root root  4096 Apr 17 04:11 .backup
> > drwxr-xr-x 2 root root  4096 Aug 16  2000 bin
> > drwxr-xr-x 2 root root  4096 Apr 17 04:15 other
> >
> > .backup:
> > total 308
> > drwxr-xr-x 2 root root  4096 Apr 17 04:11 .
> > drwxr-xr-x 5 root root  4096 Aug 16  2000 ..
> > -rwxr-xr-x 1 root root 54544 Aug 16  2000 find
> > -rwxr-xr-x 1 root root 42736 Aug 16  2000 ifconfig
> > -rwxr-xr-x 1 root root 21552 Aug 16  2000 inetd
> > -rw-r--r-- 1 root root  3070 Aug 16  2000 inetd.conf
> > -rwxr-xr-x 1 root root 43024 Aug 16  2000 ls
> > -rwxr-xr-x 1 root root 66736 Aug 16  2000 netstat
> > -rwxr-xr-x 1 root root 26352 Aug 16  2000 syslogd
> > -rwxr-xr-x 1 root root 23568 Aug 16  2000 tcpd
> >
> > bin:
> > total 812
> > drwxr-xr-x 2 root root   4096 Aug 16  2000 .
> > drwxr-xr-x 5 root root   4096 Aug 16  2000 ..
> > -rwxr-xr-x 1 1088 1088  12563 Jul  6  2000 login
> > -rwxr-xr-x 1 1088 1088 640413 Jul  6  2000 sshd
> > -rwxr-xr-x 1 1088 1088  61070 Jul  6  2000 top
> > -rwxr-xr-x 1 1088 1088  89700 Aug 12  2000 ttymon
> >
> > other:
> > total 24
> > drwxr-xr-x 2 root root  4096 Apr 17 04:15 .
> > drwxr-xr-x 5 root root  4096 Aug 16  2000 ..
> > -rwxr-xr-x 1 1088 1088  1344 Jul 22  2000 sauber
> > -rwxr-xr-x 1 1088 1088  7229 Jul 22  2000 sniff
> > -rw-rw-r-- 1 root root     6 Apr 17 04:15 sniff.pid
> >
> > The "sauber" utility was quite interesting, it cleans the system
> > logfiles giving the following output:
> >
> > * sauber by socked [07.27.97]
> > *
> [ Output shortened]
> > * Alles sauber mein Meister !'Q%&@
>
> sauber is a German word meaning clean and the last sentence of the
> output would translate into something like "Everything clean my
> master".
>
> It seems that whoever cracked your box is of German origin
>
> hth
> Daniel "fengor" Brachmann
> --
> The opinions expressed in this mail are my own and not necessarily
> those of my employer.
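Added example, not part of the thread above and not code from Eugene or Daniel: two checks a responder would want to run on a box in the state Eugene describes. First, a scan of /dev for regular files, since a legitimate /dev holds device nodes, symlinks, FIFOs and sockets and a kit directory like "^Madereet" holding binaries stands out. Second, a hash comparison between the originals the kit stashed in its .backup directory and the installed copies, which confirms which installed binaries are the trojaned ones. The directory tree, file names and contents below are constructed placeholders that mirror the report (no real binaries, and device nodes are stood in for by a FIFO and a symlink because creating nodes needs root); the function names are my own.

```python
"""Constructed demo of two rootkit checks: stray regular files in /dev,
and .backup originals versus installed binaries. Runs against a temporary
tree that mimics the reported layout; nothing touches the real /dev."""
import hashlib
import os
import shutil
import stat
import tempfile


def odd_dev_entries(dev_root):
    """Return every regular file below dev_root, sorted. Device nodes,
    symlinks, FIFOs and sockets are what /dev normally contains, so a
    regular file (an ELF binary, a script, a pid file) is worth a look."""
    odd = []
    for dirpath, dirnames, filenames in os.walk(dev_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(path).st_mode):   # lstat: never follow links
                odd.append(path)
    return sorted(odd)


def sha256_of(path):
    """Streamed SHA-256 of a file, so large binaries do not get read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_backups(backup_dir, search_dirs):
    """For each file the kit kept in backup_dir (its copy of the original),
    find the installed file of the same name in search_dirs and hash both.
    Returns {name: (installed_path or None, differs or None)}; True means
    the installed copy is not the original the kit saved."""
    report = {}
    for name in sorted(os.listdir(backup_dir)):
        original = os.path.join(backup_dir, name)
        candidates = [os.path.join(d, name) for d in search_dirs]
        installed = next((c for c in candidates if os.path.isfile(c)), None)
        if installed is None:
            report[name] = (None, None)
        else:
            report[name] = (installed, sha256_of(installed) != sha256_of(original))
    return report


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def build_fixture():
    """Build a throw-away root with bin/, sbin/, etc/ and dev/, plus the
    kit directory dev/^Madereet/.backup. All file contents are invented."""
    root = tempfile.mkdtemp(prefix="t0rn-demo-")
    dev = os.path.join(root, "dev")
    backup = os.path.join(dev, "^Madereet", ".backup")
    os.makedirs(backup)
    for d in ("bin", "sbin", "etc"):
        os.makedirs(os.path.join(root, d))
    # Stand-ins for legitimate /dev content: a FIFO and a symlink.
    os.mkfifo(os.path.join(dev, "initctl"))
    os.symlink("initctl", os.path.join(dev, "log"))
    # Installed copies versus what the kit stashed before replacing them.
    # ls and netstat are "trojaned" (contents differ); inetd.conf is unchanged.
    for name, where, original, installed in [
        ("ls", "bin", b"original-ls", b"trojan-ls"),
        ("netstat", b"bin".decode(), b"original-netstat", b"trojan-netstat"),
        ("inetd.conf", "etc", b"same-config", b"same-config"),
    ]:
        _write(os.path.join(backup, name), original)
        _write(os.path.join(root, where, name), installed)
    _write(os.path.join(dev, "^Madereet", "sauber"), b"#!/bin/sh\n# placeholder\n")
    return root


def run_demo():
    """Run both checks on the fixture and return (odd_paths, report) with
    paths made relative to the fixture root."""
    root = build_fixture()
    try:
        dev = os.path.join(root, "dev")
        odd = [os.path.relpath(p, root) for p in odd_dev_entries(dev)]
        report = compare_backups(
            os.path.join(dev, "^Madereet", ".backup"),
            [os.path.join(root, d) for d in ("bin", "sbin", "etc")],
        )
        return odd, report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    odd, report = run_demo()
    print("regular files under dev/:", *odd, sep="\n  ")
    for name, (installed, differs) in report.items():
        print(f"{name}: installed={installed} differs={differs}")
```

On the real box none of this can be trusted when run with the host's own tools: Eugene lists ls, find and ps among the replaced binaries, so run the scan from rescue media or with a known-good statically linked interpreter, and treat `rpm -V` output the same way unless rpm and its database are known untouched. /dev/shm and similar tmpfs mounts legitimately hold regular files, so expect to whitelist those paths on a modern system.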
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 20:43:10 PDT