Re: another rootkit - one more file (fwd)

From: Alvin Oga (alvin.secat_private-Consulting.com)
Date: Mon Jun 04 2001 - 13:30:17 PDT


    Hi Michal
    
    thanx for posting your detailed comments...
    
    i don't recall if i posted a reply to you or to the list or not..
    
    - am adding that this rootkit worked on my "patched" slackware-7.0 system
    	- i think they exploited the wu-ftpd-2.6.0 bugs ??
    	( since i have ftp logins from 200.248.162.140 around June 01
    	  04:40am and they had been playing for a few hours, as seen on the
    	  time stamps on the rootkit directories )
    
    	- ie... the slackware-7.0 patches are NOT sufficient to fix the
    	exploits... ( either wu-ftpd or bind-8.2.2, which i patched again
    	after the attack... i am hoping they come back and "test it"
    	again..
    
    thanx michal and others that have sent info/comments
    
    the maniac-rk (?) tarball is at
    	http://Lsec.Linux-Consulting.com/Hacker_Tools_Found/
    	- look for hacker_Jun.01.*
    
    thanx
    alvin
    
    On Mon, 4 Jun 2001, Michal Zalewski wrote:
    
    > 
    > Alvin told me it might be good to forward it to INCIDENTS. Here are my
    > comments on the binaries of this rootkit I got from him - you might want
    > to check if you have one already ;-):
    > 
    > - The rootkit itself is called 'ManiaC r00tkit' (how pathetic). We
    >   were not able to find it anywhere on the net (searching for filenames
    >   and such), so I presume it is pretty new,
    > 
    > - It consists of a sniffer, a few trivial backdoors, DoS tools, the bnc
    >   IRC bouncer, a setuid shell and so on. It uses the Ava/Adore kernel
    >   module to hide itself, and replaces a few binaries and modifies one rc
    >   script - it is not too advanced,
    > 
    > - Rootkit installation script:
    > 
    >   echo "Copiando os arquivos necessários."
    >   ("Copying the necessary files.")
    > 
    >   This sounds like Portuguese or so, which probably tells us about
    >   its origins.
    > 
    > - It removes a few patterns from logfiles. That would be: 200.195.86.*,
    >   200.248.162.*, 200.195.121.*, 200.243.17.*, netdados.com.br,
    >   usinet.com.br - I presume these are networks the attacker used for
    >   defacements (how smart to put them in the script in this form!),
    > 
    > - It sends information about the machine to tuiqoitu039t09q3at_private,
    >   bnadfjg9023at_private, t391u9t0qit@end-war.com, mki62969oat_private
    >   One of these mailboxes is still working (bigfoot.com; the others are
    >   provided as a decoy or so),
    > 
    > - The pt07 and mailrc binaries are backdoors. Listening on 56789/tcp, with
    >   the password "include.h", it hides under the name "klogd":
    > 
    >   Trying 0.0.0.0...
    >   Connected to 0.
    >   Escape character is '^]'.
    >   include.h
    > 
    >   Bem Vindo MaNiAc 31337 a sua makina!
    >   Voce Tem o controle! =)
    >   (Welcome MaNiAc 31337 to your machine! You have control! =)
    > 
    >   bash: no job control in this shell
    >   bash-2.01#
    > 
    >   Once again, I haven't seen any mention of this backdoor port anywhere.
    > 
    > Hope that helps,
    > -- 
    > _____________________________________________________
    > Michal Zalewski [lcamtufat_private] [security]
    > [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    > =-=> Did you know that clones never use mirrors? <=-=
    
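    Given Michal's notes on how the pt07/mailrc backdoor presents itself on a
    compromised host (a listener on 56789/tcp, the password "include.h", a
    process calling itself klogd, and the Portuguese greeting), here is an
    added host check in Python. It is my own example, not code from the
    original thread or from the rootkit. It assumes a Linux /proc layout; the
    /proc/net/tcp rows and the socket-inode-to-process table below are
    constructed for illustration, and the only function that touches the
    network (probe_backdoor) is not called by default.

```python
import re
import socket

# Constructed sample of /proc/net/tcp (not from the original post).  Row 1 is a
# socket in LISTEN state (st == 0A) on local port 0xDDD5 == 56789/tcp, the port
# Michal reports for the pt07/mailrc backdoor; the other rows are ordinary
# services and one established client connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:DDD5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9012 1 00000000 100 0 0 10 0
   3: 0A000002:8F3C C0A80001:0050 01 00000000:00000000 00:00000000 00000000  1000        0 3456 1 00000000 100 0 0 10 0
"""

# Constructed socket-inode -> (pid, comm, exe) table, as you would build it by
# walking /proc/<pid>/fd for "socket:[inode]" links and reading comm and exe.
# Inode 5678 is the backdoor: it calls itself klogd but runs from pt07.
SAMPLE_SOCKET_OWNERS = {
    1234: (400, "sshd", "/usr/sbin/sshd"),
    5678: (666, "klogd", "/usr/sbin/pt07"),
    9012: (410, "sendmail", "/usr/sbin/sendmail"),
    3456: (1001, "bash", "/bin/bash"),
}

BACKDOOR_PORT = 56789            # from Michal's analysis
BACKDOOR_PASSWORD = b"include.h"  # from Michal's analysis
BANNER_RE = re.compile(rb"Bem Vindo MaNiAc")
TCP_LISTEN = "0A"


def parse_listeners(proc_net_tcp):
    """Map socket inode -> local port for every socket in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port_hex = fields[1].rsplit(":", 1)[1]      # local_address is ADDR:PORT in hex
        listeners[int(fields[9])] = int(port_hex, 16)
    return listeners


def find_backdoor_listeners(proc_net_tcp, owners, port=BACKDOOR_PORT):
    """Flag listeners that look like the ManiaC backdoor.

    Two independent checks: the known port, and a process that calls itself
    klogd while holding a listening TCP socket (the real klogd never listens).
    """
    findings = []
    for inode, lport in parse_listeners(proc_net_tcp).items():
        pid, comm, exe = owners.get(inode, (None, "?", "?"))
        reasons = []
        if lport == port:
            reasons.append("listening on known ManiaC backdoor port %d/tcp" % port)
        if comm == "klogd":
            reasons.append("process named klogd owns a listening socket (exe %s)" % exe)
        if reasons:
            findings.append({"pid": pid, "comm": comm, "exe": exe,
                             "port": lport, "reasons": reasons})
    return findings


def is_backdoor_banner(data):
    """True if bytes read back from the socket carry the rootkit's greeting."""
    return BANNER_RE.search(data) is not None


def probe_backdoor(host, port=BACKDOOR_PORT, timeout=5.0):
    """Send the backdoor password and report whether the greeting comes back.

    Network action: only run this against a host you are authorised to test.
    Returns (True, banner) or (False, whatever was received).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(BACKDOOR_PASSWORD + b"\n")
        data = b""
        try:
            while len(data) < 512:
                chunk = s.recv(512)
                if not chunk:
                    break
                data += chunk
                if is_backdoor_banner(data):
                    break
        except socket.timeout:
            pass
    return is_backdoor_banner(data), data


if __name__ == "__main__":
    for f in find_backdoor_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_SOCKET_OWNERS):
        print("pid %s (%s, %s) port %d:" % (f["pid"], f["comm"], f["exe"], f["port"]))
        for r in f["reasons"]:
            print("    " + r)
```

    On a live box, feed parse_listeners the real /proc/net/tcp and build the
    owners table from /proc/<pid>/fd yourself; note that with the Adore/Ava
    module loaded the kernel may hide the process, so run the same check from
    a clean boot or against the mounted disk image before trusting a negative
    result.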
    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 09:17:02 PDT