Re: Madereet exploit

From: Roberto (cininiat_private)
Date: Wed Apr 18 2001 - 11:40:51 PDT

Next message: Jason Lewis: "Increase in Sun RPC Scans"

Previous message: Russell Fulton: "Re: non-routable Scan?"
Maybe in reply to: Eugene Geldenhuys: "Madereet exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

sauber was first seen in the wild with the new 
infamous t0rnkit, since then this log cleaner has been 
included with most if not all linux kits out there and 
some sun ones as well..


> Eugene Geldenhuys schrieb:
> >  Hi
> >
> >  I am new to this list, so if this incident has been 
reported
> >  previously, I apologise for wasting your time.
> >
> >  I was recently asked to check a misbehaving 
Redhat 6.2 system
> >  which seemed to have been cracked.
> >  On examination, I found that the following files 
had been replaced
> >  with trojan versions:
> >  ls, ps, syslogd, find, inetd, netstat, ifconfig, tcpd, 
uucp and login.
> >  The cracker also created a directory "^Madereet" 
in /dev in which I
> >  found the following: [root@mail ^Madereet]# ls -
Ral total 52 drwxr-xr-x
> >   5 root     root         4096 Aug 16  2000 . drwxr-xr-
x   7 root
> >  root        36864 Apr 12 05:41 .. drwxr-xr-x   2 
root     root
> >  4096 Apr 17 04:11 .backup drwxr-xr-x   2 root     
root         4096 Aug
> >  16  2000 bin drwxr-xr-x   2 root     root         4096 
Apr 17 04:15
> >  other
> >
> >  .backup:
> >  total 308
> >  drwxr-xr-x   2 root     root         4096 Apr 17 
04:11 .
> >  drwxr-xr-x   5 root     root         4096 Aug 16  
2000 ..
> >  -rwxr-xr-x   1 root     root        54544 Aug 16  
2000 find
> >  -rwxr-xr-x   1 root     root        42736 Aug 16  
2000 ifconfig
> >  -rwxr-xr-x   1 root     root        21552 Aug 16  
2000 inetd
> >  -rw-r--r--   1 root     root         3070 Aug 16  2000 
inetd.conf
> >  -rwxr-xr-x   1 root     root        43024 Aug 16  
2000 ls
> >  -rwxr-xr-x   1 root     root        66736 Aug 16  
2000 netstat
> >  -rwxr-xr-x   1 root     root        26352 Aug 16  
2000 syslogd
> >  -rwxr-xr-x   1 root     root        23568 Aug 16  
2000 tcpd
> >
> >  bin:
> >  total 812
> >  drwxr-xr-x   2 root     root         4096 Aug 16  
2000 .
> >  drwxr-xr-x   5 root     root         4096 Aug 16  
2000 ..
> >  -rwxr-xr-x   1 1088     1088        12563 Jul  6  
2000 login
> >  -rwxr-xr-x   1 1088     1088       640413 Jul  6  
2000 sshd
> >  -rwxr-xr-x   1 1088     1088        61070 Jul  6  
2000 top
> >  -rwxr-xr-x   1 1088     1088        89700 Aug 12  
2000 ttymon
> >
> >  other:
> >  total 24
> >  drwxr-xr-x   2 root     root         4096 Apr 17 
04:15 .
> >  drwxr-xr-x   5 root     root         4096 Aug 16  
2000 ..
> >  -rwxr-xr-x   1 1088     1088         1344 Jul 22  
2000 sauber
> >  -rwxr-xr-x   1 1088     1088         7229 Jul 22  
2000 sniff
> >  -rw-rw-r--   1 root     root            6 Apr 17 04:15 
sniff.pid
> >
> >  The "sauber" utility was quite interesting, it 
cleans the system
> >  logfiles giving the following output:
> >
> >  * sauber by socked [07.27.97]
> >  *
> [ Output shortened]
> >  * Alles sauber mein Meister !'Q%&@
> 
> sauber is a german word meaning clean and the 
last sentence of the
> output would translate into something 
like "Everything clean my
> master".
> 
> It seems that whoever cracked ur box is of german 
origin
> 
> hth
> Daniel "fengor" Brachmann
> --
> The opinions expressed in this mail are my own 
and not necessarily
> those of my employer.
> 
>

Next message: Jason Lewis: "Increase in Sun RPC Scans"
Previous message: Russell Fulton: "Re: non-routable Scan?"
Maybe in reply to: Eugene Geldenhuys: "Madereet exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 20:43:10 PDT