Re: Madereet exploit

From: Roberto (cininiat_private)
Date: Wed Apr 18 2001 - 11:40:51 PDT


    sauber was first seen in the wild with the new infamous t0rnkit; since then
    this log cleaner has been included with most if not all Linux kits out there,
    and some Sun ones as well.
    
    
    > Eugene Geldenhuys schrieb:
    > >  Hi
    > >
    > >  I am new to this list, so if this incident has been reported
    > >  previously, I apologise for wasting your time.
    > >
    > >  I was recently asked to check a misbehaving Redhat 6.2 system
    > >  which seemed to have been cracked.
    > >  On examination, I found that the following files had been replaced
    > >  with trojan versions:
    > >  ls, ps, syslogd, find, inetd, netstat, ifconfig, tcpd, uucp and login.
    > >  The cracker also created a directory "^Madereet" in /dev in which I
    > >  found the following:
    > >
    > >  [root@mail ^Madereet]# ls -Ral
    > >  total 52
    > >  drwxr-xr-x   5 root     root         4096 Aug 16  2000 .
    > >  drwxr-xr-x   7 root     root        36864 Apr 12 05:41 ..
    > >  drwxr-xr-x   2 root     root         4096 Apr 17 04:11 .backup
    > >  drwxr-xr-x   2 root     root         4096 Aug 16  2000 bin
    > >  drwxr-xr-x   2 root     root         4096 Apr 17 04:15 other
    > >
    > >  .backup:
    > >  total 308
    > >  drwxr-xr-x   2 root     root         4096 Apr 17 04:11 .
    > >  drwxr-xr-x   5 root     root         4096 Aug 16  2000 ..
    > >  -rwxr-xr-x   1 root     root        54544 Aug 16  2000 find
    > >  -rwxr-xr-x   1 root     root        42736 Aug 16  2000 ifconfig
    > >  -rwxr-xr-x   1 root     root        21552 Aug 16  2000 inetd
    > >  -rw-r--r--   1 root     root         3070 Aug 16  2000 inetd.conf
    > >  -rwxr-xr-x   1 root     root        43024 Aug 16  2000 ls
    > >  -rwxr-xr-x   1 root     root        66736 Aug 16  2000 netstat
    > >  -rwxr-xr-x   1 root     root        26352 Aug 16  2000 syslogd
    > >  -rwxr-xr-x   1 root     root        23568 Aug 16  2000 tcpd
    > >
    > >  bin:
    > >  total 812
    > >  drwxr-xr-x   2 root     root         4096 Aug 16  2000 .
    > >  drwxr-xr-x   5 root     root         4096 Aug 16  2000 ..
    > >  -rwxr-xr-x   1 1088     1088        12563 Jul  6  2000 login
    > >  -rwxr-xr-x   1 1088     1088       640413 Jul  6  2000 sshd
    > >  -rwxr-xr-x   1 1088     1088        61070 Jul  6  2000 top
    > >  -rwxr-xr-x   1 1088     1088        89700 Aug 12  2000 ttymon
    > >
    > >  other:
    > >  total 24
    > >  drwxr-xr-x   2 root     root         4096 Apr 17 04:15 .
    > >  drwxr-xr-x   5 root     root         4096 Aug 16  2000 ..
    > >  -rwxr-xr-x   1 1088     1088         1344 Jul 22  2000 sauber
    > >  -rwxr-xr-x   1 1088     1088         7229 Jul 22  2000 sniff
    > >  -rw-rw-r--   1 root     root            6 Apr 17 04:15 sniff.pid
    > >
    > >  The "sauber" utility was quite interesting; it cleans the system
    > >  logfiles, giving the following output:
    > >
    > >  * sauber by socked [07.27.97]
    > >  *
    > [ Output shortened ]
    > >  * Alles sauber mein Meister !'Q%&@
    > 
    > sauber is a German word meaning clean, and the last sentence of the
    > output would translate into something like "Everything clean my
    > master".
    > 
    > It seems that whoever cracked your box is of German origin.
    > 
    > hth
    > Daniel "fengor" Brachmann
    > --
    > The opinions expressed in this mail are my own and not necessarily
    > those of my employer.
    > 
    > 
    
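Added triage check for the two artefacts in the report above (example code written for this archive page, not by any of the posters): it lists regular files and oddly named directories under a /dev-style tree, and verifies the replaced binaries against the package database. It assumes an RPM-based host like the Red Hat 6.2 box, with the binaries at the usual /bin, /sbin and /usr paths.

```shell
#!/bin/sh
# Example triage helper for the /dev/^Madereet pattern (added example, not
# code from the thread). /dev should contain device nodes, so regular files
# (sauber, sniff, sniff.pid, stashed binaries) and directory names with
# characters outside [A-Za-z0-9._-] (the "^Madereet" trick) are reported.

# Print suspicious entries under the tree given as $1 (default /dev), one per line.
find_suspicious_dev_entries() {
    dir=${1:-/dev}
    {
        # Any regular file under a device directory deserves a look.
        find "$dir" -mindepth 1 -type f -print 2>/dev/null
        # Directories whose final path component contains an unusual character.
        find "$dir" -mindepth 1 -type d -print 2>/dev/null |
            grep -v -E '/[A-Za-z0-9._-]+$'
    } | LC_ALL=C sort -u
}

# Number of suspicious entries, for use in a scripted check (0 = nothing found).
count_suspicious_dev_entries() {
    find_suspicious_dev_entries "$1" | grep -c .
}

# Verify the binaries named in the report against the RPM database.
# rpm -Vf prints nothing for an untouched file; a "5" (MD5 mismatch) or
# "S" (size) in the output marks a replaced binary. Paths are the assumed
# Red Hat 6.2 locations.
verify_reported_binaries() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 1; }
    for f in /bin/ls /bin/ps /sbin/syslogd /usr/bin/find /usr/sbin/inetd \
             /bin/netstat /sbin/ifconfig /usr/sbin/tcpd /usr/bin/uucp /bin/login
    do
        [ -e "$f" ] && rpm -Vf "$f"
    done
    return 0
}
```

Run it with a trusted `find` and `rpm` (boot media or a statically linked toolkit copied to the host), since the report shows `find` and `ls` themselves were replaced.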



    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 20:43:10 PDT