Mailer: SecurityFocus

========================================================================
SSH v1 Trojan Exploit, Nov 14, 2001
========================================================================

Victim:   RH Linux 6.0, ssh1 v1.2.26
Incident: 4:23am Nov 12, 2001 (NZDT)

Using method described in http://www.securityfocus.com/archive/1/225543
"SSH crc32 compensation attack detector exploit"

Machine was compromised at 4:52am Nov 12. At this point syslog stopped
logging the attack; the last entries in the log were:

Nov 12 04:52:18 sshd[10659]: connect from x.x.x.x
Nov 12 04:52:18 sshd[10659]: log: Connection from x.x.x.x port 2564
Nov 12 04:52:21 sshd[10659]: fatal: Local: crc32 compensation attack: network attack detected

Analysis:

Source:
Machine x.x.x.x was used in the attack. I have notified the owner of this
machine, but since it has a legitimate DNS record and belongs to a
registered US company, I suspect this machine is a victim too.

Activity:
At the exact time that syslogd stopped logging, the following file was
altered:

/etc/rc.d/rc.sysinit: Two lines added to the bottom.
---
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps
---

The following system files were added or replaced with hacked versions:

/bin/ps
/bin/ls
/bin/netstat
/usr/sbin/xntps
/lib/libproc.so.2.0.0
/sbin/syslogd

The following files/directories were added:

Trojan sshd set up to listen on port 33221
/lib/liblip.so/con          (ssh config file)
/lib/liblip.so/hk           (ssh private key)
/lib/liblip.so/hk.pub       (ssh public key)
/lib/liblip.so/sd           (binary)
/lib/ldd.so/tkp             (perl script, looks like a sorter for LinSniffer)
/lib/ldd.so/tks             (binary)
/lib/ldd.so/tksb            (sauber, looks like a log cleaner)
/usr/man/man11/carko        (ddos agent, binary)
/usr/man/man11/cf           (binary)
/usr/man/man11/nc           (binary)
/usr/man/man11/sshd-etc     (binary)
/usr/man/man11/sshd-etc-ssh (binary)
/dev/ttyy11                 (binary)
/dev/srd0                   (text, but looks encrypted)

Conclusion:
While I have not had time to disassemble these binaries or test to see
what they do, I suspect someone is setting up a DDoS network. I also
suspect that a script has done this, due to the file times all being
within the same minute.

If anyone would like to have a look at these files please email me and I
will send them to you.

Regards,
Mike
-----------------------------------------
Search Engineer, S.L.I. Systems, Inc

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
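The three checks the post's analysis rests on (the last surviving syslog entry as the anchor for when syslogd was swapped out, the burst of file modifications within one minute of that anchor, and the startup hook appended to rc.sysinit) can be turned into a small triage script. The following is an added example written for this page and is not code from the original post or its author. Every input is a constructed fixture built from the paths and timestamps the post quotes: x.x.x.x is kept as the post's placeholder, the per-file seconds are invented (the post only says "the same minute"), and the rc.sysinit lines other than the two appended ones are made up.

```python
"""Triage helpers for the rootkit install described in the post above.

Added example, not code from the original post. All inputs are constructed
fixtures based on the paths and timestamps the post quotes; per-file seconds
and the non-appended rc.sysinit lines are invented for the demo. Intended to
be run against a mounted image of the victim disk from a trusted boot medium.
"""
import re
from datetime import datetime, timedelta

YEAR = 2001  # syslog lines carry no year; taken from the post's date

# Constructed fixture: the three sshd lines quoted in the post.
SYSLOG = """\
Nov 12 04:52:18 sshd[10659]: connect from x.x.x.x
Nov 12 04:52:18 sshd[10659]: log: Connection from x.x.x.x port 2564
Nov 12 04:52:21 sshd[10659]: fatal: Local: crc32 compensation attack: network attack detected
"""

# Constructed fixture: mtimes (HH:MM:SS on Nov 12) for files the post lists
# as replaced or added, plus one unrelated file touched an hour earlier.
ROOTKIT_MTIMES = {
    "/etc/rc.d/rc.sysinit": "04:52:18",
    "/bin/ps": "04:52:19",
    "/bin/ls": "04:52:19",
    "/bin/netstat": "04:52:20",
    "/usr/sbin/xntps": "04:52:20",
    "/lib/libproc.so.2.0.0": "04:52:21",
    "/sbin/syslogd": "04:52:21",
    "/lib/liblip.so/sd": "04:52:22",
    "/lib/ldd.so/tks": "04:52:22",
    "/usr/man/man11/carko": "04:52:23",
    "/var/log/wtmp": "03:50:00",  # not part of the install
}

# Constructed fixture: the tail of rc.sysinit with the two appended lines.
RC_SYSINIT_TAIL = """\
# (earlier rc.sysinit contents omitted in this fixture)
echo "Starting system services"
# Xntps (NTPv3 daemon) startup..
/usr/sbin/xntps
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+?)\[(\d+)\]: (.*)$")

def parse_syslog(text):
    """Return [(timestamp, program, pid, message)] for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return events

def syslog_stop(events):
    """Last surviving entry: the post's anchor for when syslogd went silent."""
    return max(e[0] for e in events)

def crc32_detector_hits(events):
    """sshd's own CRC32 compensation detector firing is the first IOC."""
    return [e for e in events if "crc32 compensation attack" in e[3]]

def parse_mtimes(table, day="Nov 12"):
    return {p: datetime.strptime(f"{YEAR} {day} {t}", "%Y %b %d %H:%M:%S")
            for p, t in table.items()}

def mtime_bursts(mtimes, gap=timedelta(seconds=60)):
    """Group files into bursts where each mtime is within `gap` of the
    previous one. Many system binaries in one burst is the signature of a
    scripted install rather than hand-typed changes."""
    bursts = []
    for path, ts in sorted(mtimes.items(), key=lambda kv: kv[1]):
        if bursts and ts - bursts[-1][-1][1] <= gap:
            bursts[-1].append((path, ts))
        else:
            bursts.append([(path, ts)])
    return bursts

def bursts_near(bursts, anchor, slack=timedelta(seconds=60)):
    """Bursts overlapping [anchor - slack, anchor + slack]."""
    return [b for b in bursts if b[0][1] - slack <= anchor <= b[-1][1] + slack]

def rc_sysinit_suspects(text, bad_paths):
    """Lines of rc.sysinit whose command is a path on the IOC list, i.e. the
    persistence hook the post found appended to the file."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        words = line.split("#", 1)[0].split()
        if words and words[0] in bad_paths:
            hits.append((n, words[0]))
    return hits

def triage():
    events = parse_syslog(SYSLOG)
    stop = syslog_stop(events)
    bursts = mtime_bursts(parse_mtimes(ROOTKIT_MTIMES))
    return {
        "syslog_stop": stop,
        "crc32_hits": len(crc32_detector_hits(events)),
        "burst_files": sorted(p for b in bursts_near(bursts, stop) for p, _ in b),
        "rc_sysinit": rc_sysinit_suspects(RC_SYSINIT_TAIL, ROOTKIT_MTIMES),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On a real image the mtime table would come from `find -newermt`/`stat` run from the trusted medium, not from the victim's own `ls`, since the post lists `/bin/ls`, `/bin/ps`, `/bin/netstat` and `/sbin/syslogd` among the replaced binaries; for the same reason the listener on port 33221 should be confirmed with a port scan from another host rather than with the victim's `netstat`.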
This archive was generated by hypermail 2b30 : Tue Nov 13 2001 - 15:51:27 PST