New maniac rootkit

From: Andrew Heath (ah228at_private)
Date: Wed Jun 20 2001 - 06:04:26 PDT


    We were hit with the maniac rootkit last week, however, this version
    differs from the original discussed here.
    
    Here are my notes from the first glance analysis:
    
    [root@4hteen maniac-Rk]# pwd
    /dev/..?./maniac-Rk
    [root@4hteen maniac-Rk]# ls -l
    total 404
    drwxr-xr-x   2 root     root         4096 Jun 15 10:22 bin
    -rwxr-xr-x   1 root     root         5732 May  9 14:31 install.sh
    -rw-r--r--   1 root     ftp         24768 May 15 16:50 log
    -rw-------   1 root     root       251019 Jun  2 05:43 mbox
    -rw-r--r--   1 root     ftp        106942 May 24 16:53 snifflog
    
    ************************************************************************
    
    [root@4hteen bin]# pwd
    /dev/..?./maniac-Rk/bin
    [root@4hteen bin]# ls -l
    total 1768
    -rwxr-xr-x   1 root     root      1454773 Mar 23 09:53 PHoss
    	- Sniffer
    -rwxr-xr-x   1 root     root         5043 Mar 23 10:18 addlen
    	- Make trojans same length as original file
    -rwxr-xr-x   1 root     root        44313 Apr  2 15:24 bnc
    	- Bot Net Client?  bnc.conf mentions port 6667
    -rw-r--r--   1 root     ftp            52 May 11 08:19 bnc.conf
    	- bnc's config file
    -rwxr-xr-x   1 root     root         1080 Mar 23 10:48 clear_logs
    	- Shell script log cleaner
    -rwxr-xr-x   1 root     root       117311 Mar 23 10:48 du
    	- Trojaned du to hide things
    -rwxr-xr-x   1 root     root         7985 Mar 23 10:38 fix
    	- Fixes the checksum of the trojan
    -rwxr-xr-x   1 root     root        24183 May  4 15:39 grabbb
    	- Banner scanner
    -rwxr-xr-x   1 root     root        20868 May  8 12:18 ifconfig
    	- ifconfig - trojaned to hide promisc
    -rwxr-xr-x   1 root     root        14502 May  8 12:38 in.fingerd
    	- Trojaned in.fingerd...  Runs /bin/bash -i, then finger
    -rwxr-xr-x   1 root     root        12436 May  8 13:04 ipz
    	- I believe a scanner - from strings:
    		- uso: %s <1/2/3> <A[.B[.C]]>
    		- %s.%i.%i.%i
    		- %s.%i.%i
    		- %s.%i
    -rwxr-xr-x   1 root     root        16533 Apr  3 13:30 maniac3
    	- No clue.  Perhaps someone on the list can ID this
    -rw-r--r--   1 root     ftp             6 Jun 14 17:57 pid.bnc
    	- The pid of bnc, above.
    -rwxr-xr-x   1 root     root        10496 Mar 23 10:48 pine.out
    	- This is a mailer to mail pieces of the sniffer log to:
    		- bnadfjg9023at_private
    		- t391u9t0qit@end-war.com
    		- mki62969oat_private
    		- maniacat_private
    -rwxr-xr-x   1 root     root         9070 May  4 14:55 slice
    	- Looks to be a SYN flooder
    -rw-r--r--   1 root     ftp          3309 Jun 18 08:39 snifflog
    	- Log from the sniffer
    -rwxr-xr-x   1 root     root         6800 Mar 23 10:48 targa3
    	- A flooder, I believe.  From strings:
    		- /dev/urandom
    		- %starga 3.0 by Mixter
    		- usage: %s <ip1> [ip2] ... [-c count]
    		- cannot target more than 200 hosts!
    		- no valid ips found!
    		- Targets:
    		- infinite
    -rwxr-xr-x   1 root     root         8684 May  8 13:00 trash2
    	- Yet another flooder.  From strings:
    		- trash2.c - misteri0@unet [outlaw]
    		- ./trash  [dst_ip] [# of packets]
    		- [*] [ip_dst] :  ex: 201.12.3.76
    		- [*] [number]  : 100
    		- %d.%d.%d.%d
    		- ERROR: Unable to resolve host %s
    		- error: socket()
    		- error: sendto()
    		- ERROR: Opening raw socket.
    		- Status: Connected....packets sent.
    		- ERROR: Unable to Connect To host.
    
    	There is at least one more file here, called sush, for su'ed
    shell, I believe.  This is what is running on port 45559.
    	
    Differences:
    	Lots of files added.
    
    	Some files removed:
    	adore.o and ava prob hide themselves at the kernel level, so
    		they are prob there, I just can't see them.
    	ping seems to be gone, or at least moved instead of copied.
    	tty seems to be gone.
    	vanish2 seems to be gone.
    	wget seems to be gone as well.
    
    	Some files changed:
    	bnc is no longer gzipped.
    	grabbb is no longer zipped.
    	install.sh moved down a directory.
    	ipz is no longer gzipped.
    
    ************************************************************************
    
    2 backdoors:
    
    in /usr/sbin/mailrc
    Senha errada. Foda-se l4mm0!
    Bem Vindo MaNiAc 31337 a sua makina!
    Voce Tem o controle! =)
    
    in /usr/bin/pt07
    Cya mandrak!
    
    ************************************************************************
    
    in /dev/ptyxx/.proc (runlevels?)
    2 eggdrop
    3 maniac
    2 slice
    2 pine.out
    2 PHoss
    2 targa3
    3 bnc
    2 httpd
    3 grabbb
    3 pt07
    3 mailrc
    2 sh
    
    ************************************************************************
    
    I also know it's making IRC connections, plus has at least one
    rootshell running.  I can't confirm this without modifying bits
    of the box, to replace ps with a known good copy, and I can't do
    that until one of my colleagues looks at it to get first hand
    experience.
    FYI
    -Andrew Heath
    Systems Administrator
    Cornell Cooperative Extension
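A defender-side check that follows from the notes above, as an added example that is not part of the original post: the kit was parked in `/dev/..?./maniac-Rk` and its hide-list in `/dev/ptyxx/.proc`, and since `addlen` and `fix` exist to defeat length and checksum comparisons, a placement-based audit of `/dev` (nothing there should be a regular file, and its directories are few and known) is a useful complement to hash baselines. The `KNOWN_DEV_DIRS` allowlist and the constructed `/dev` look-alike are assumptions for this example; run it against the real `/dev` from a known-good boot.

```python
"""Audit a /dev tree for rootkit hiding spots (added example, not from the post)."""
import os
import stat
import tempfile

# Directories legitimately found under /dev on common Linux systems.
# Assumption: extend this allowlist for your own distribution.
KNOWN_DEV_DIRS = {"pts", "shm", "disk", "mapper", "input", "net", "snd",
                  "block", "char", "fd", "hugepages", "mqueue"}


def suspicious_dev_entries(dev_root):
    """Return paths under dev_root that are regular files, or directories not in
    KNOWN_DEV_DIRS (plus every file inside such a directory). lstat is used so a
    planted symlink is reported by what it is, not by what it points at."""
    findings = []
    for name in sorted(os.listdir(dev_root)):
        path = os.path.join(dev_root, name)
        mode = os.lstat(path).st_mode
        if stat.S_ISREG(mode):
            findings.append(path)
        elif stat.S_ISDIR(mode) and name not in KNOWN_DEV_DIRS:
            findings.append(path)
            # walk the odd directory so the hidden toolkit is listed too
            for dirpath, _, files in os.walk(path):
                findings.extend(os.path.join(dirpath, f) for f in sorted(files))
    return findings


def build_constructed_dev():
    """Create a constructed /dev look-alike: legitimate entries (a pts dir,
    a FIFO, a symlink) plus the two hiding spots named in the post."""
    root = tempfile.mkdtemp(prefix="dev-")
    os.mkdir(os.path.join(root, "pts"))
    os.mkfifo(os.path.join(root, "initctl"))
    os.symlink("/proc/self/fd", os.path.join(root, "fd"))
    kit = os.path.join(root, "..?.", "maniac-Rk")      # /dev/..?./maniac-Rk
    os.makedirs(kit)
    open(os.path.join(kit, "install.sh"), "w").close()
    os.makedirs(os.path.join(root, "ptyxx"))           # /dev/ptyxx/.proc
    open(os.path.join(root, "ptyxx", ".proc"), "w").close()
    return root


if __name__ == "__main__":
    for entry in suspicious_dev_entries(build_constructed_dev()):
        print("SUSPICIOUS:", entry)
```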
    