Re: New maniac rootkit

From: Chris Ess (azarinat_private)
Date: Thu Jun 21 2001 - 07:34:24 PDT

    I don't know how much help I can be, but...
    
    > -rwxr-xr-x   1 root     root        44313 Apr  2 15:24 bnc
    > 	- Bot Net Client?  bnc.conf mentions port 6667
    > -rw-r--r--   1 root     ftp            52 May 11 08:19 bnc.conf
    > 	- bnc's config file
    
    I think bnc is short for 'bouncer'. It's a program you use to connect to
    an IRC server that allows you to alter your host information.  You might
    be able to use it to mislead other sorts of applications but I'm unsure.
    
    One thing that script kiddies like to use bouncers for is getting access
    to IRC networks from which they have been banned.
    
    > -rwxr-xr-x   1 root     root        16533 Apr  3 13:30 maniac3
    > 	- No clue.  Perhaps someone on the list can ID this
    
    Did you run strings on it?  The output could be helpful in identification.
    
    I don't know what that would be, though.
    
    > 	There is at least one more file here, called sush, for su'ed
    > shell, I believe.  This is what's running on port 45559.
    
    Nice... I'll remember to start watching my firewall logs for that port
    too.
    
    > 	adore.o and ava prob hide themselves at the kernel level, so
    > 		they are prob there, I just can't see them.
    
    Did you try an lsmod ?
    
    > 2 backdoors:
    >
    > in /usr/sbin/mailrc
    > Senha errada. Foda-se l4mm0!  [Wrong password. Fuck off, l4mm0!]
    > Bem Vindo MaNiAc 31337 a sua makina!  [Welcome MaNiAc 31337 to your machine!]
    > Voce Tem o controle! =)  [You have control! =)]
    
    If I /had/ to guess, I'd say that's Portuguese.
    
    > in /dev/ptyxx/.proc (runlevels?)
    > 2 eggdrop
    
    Was there an eggdrop bin in the root kit?  (I missed it in your list if
    there was one.)
    
    > 2 httpd
    
    (These numbers don't look like runlevels, for what it's worth.)
    
    Why is this one here?  Might be a good question to ask.
    
    > I also know it's making IRC connections, plus has at least one
    > rootshell running.
    
    That would be explained through bnc.  Also, if there was an eggdrop bin,
    that would explain it too. (eggdrop is a kind of IRC bot for those who are
    unfamiliar.)
    
    > I can't confirm this without modifying bits
    > of the box, to replace ps with a known good copy, and I can't do
    > that until one of my colleagues looks at it to get first hand
    > experience.
    
    I'd say glean all the information you can and then wipe the box entirely
    and reinstall.  Not much else you can do.
    
    --CAE  Kujikenaikara!
    
    Sub caelo noctis sto quod stellae mihi spem dant.
    
    "Just a whisper.  I hear it in my ghost."
    --Major Motoko Kusanagi, "Ghost in the Shell"
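A few offline triage helpers for the artifacts discussed in this thread (the strings check on the unknown binary, the sush backdoor on port 45559, and the IRC traffic from bnc on 6667), added here as an example; this is not code from the original post or its author. It assumes iptables-style LOG lines with SPT=/DPT= fields and the /proc/net/tcp layout, and every sample input is constructed. The reason for reading /proc/net/tcp directly and for using tr in place of strings(1) is that, on a box with adore loaded and ps possibly replaced, none of the box's own binaries can be trusted; in practice run these from known-good static binaries or against a copy of the disk.

```shell
#!/bin/sh
# Added example, not from the original thread. Helpers for triaging the
# artifacts in the post without trusting the rooted box's own ps/netstat/strings.
# Assumptions: iptables-style LOG lines (SPT=/DPT= fields) and the /proc/net/tcp
# layout. Ports 45559 (sush) and 6667 (bnc.conf) are taken from the post; all
# sample inputs below are constructed for illustration.

# Runs of four or more printable characters in a file, a portable stand-in for
# `strings -n 4` when the box's binutils may be trojaned.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Count log lines whose source or destination port is in the watch list.
# The trailing [^0-9] stops a watch-list port 4555 matching DPT=45559
# (iptables never prints SPT=/DPT= as the last field, so this is safe here).
# usage: scan_ports LOGFILE PORT...
scan_ports() {
    log=$1; shift
    pat=''
    for p in "$@"; do
        pat="${pat}${pat:+|}(S|D)PT=${p}[^0-9]"
    done
    grep -Ec "$pat" "$log" || true   # grep -c still prints 0 when exit code is 1
}

# Listening TCP ports straight from a /proc/net/tcp snapshot (state 0A = LISTEN),
# bypassing a replaced netstat. The local port is the hex field after the colon.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -n
}

# --- constructed sample data -------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_BIN=$WORK/mailrc
SAMPLE_LOG=$WORK/firewall.log
SAMPLE_TCP=$WORK/proc_net_tcp

# Stand-in for the trojaned /usr/sbin/mailrc: junk bytes around the banners
# quoted in the post.
printf '\177ELF\001\001\001\000\000\000Senha errada. Foda-se l4mm0!\000\001\002Voce Tem o controle! =)\000\000\000' > "$SAMPLE_BIN"

# Constructed iptables LOG lines: a hit on the sush port, an outbound IRC
# connection from bnc, ordinary web traffic, and a near-miss prefix (4555).
cat > "$SAMPLE_LOG" <<'EOF'
Jun 21 03:12:44 victim kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40012 DPT=45559 WINDOW=5840 SYN
Jun 21 03:12:51 victim kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=33120 DPT=6667 WINDOW=5840 SYN
Jun 21 03:13:02 victim kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52001 DPT=80 WINDOW=5840 SYN
Jun 21 03:13:10 victim kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52002 DPT=4555 WINDOW=5840 SYN
EOF

# Constructed /proc/net/tcp: sshd listening (0x0016 = 22), sush listening
# (0xB1F7 = 45559) and an established connection to an IRC server (0x1A0B = 6667).
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:B1F7 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 100 0 0 10 0
   2: 0A000005:8F3C C0000210:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0 100 0 0 10 0
EOF

# --- demo --------------------------------------------------------------------
echo "strings in mailrc:";      extract_strings "$SAMPLE_BIN"
echo "log hits on 45559/6667:"; scan_ports "$SAMPLE_LOG" 45559 6667
echo "listening ports:";        listening_ports "$SAMPLE_TCP"
```

The established connection to remote port 6667 in the /proc/net/tcp sample is deliberately not reported by listening_ports (state 01, not 0A); the outbound IRC session shows up in the firewall log scan instead, which is the side of the picture the box itself cannot hide from you.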
    
    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 10:44:21 PDT