Mailer: SecurityFocus
In-Reply-To: <3.0.5.32.20011126231858.01d7f750at_private>

>Message-Id: <3.0.5.32.20011126231858.01d7f750at_private>
>X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
>Date: Mon, 26 Nov 2001 23:18:58 +0100
>To: incidentsat_private
>From: Patrick van Zweden <patrickat_private>
>Subject: Re: any1 stumbled across eCkit ?
>
>At 16:40 26-11-2001 -0500, you wrote:
>>
>> Can you tell us more about what programs were altered and
>>what directories you found the rootkit in?
>
>Sure.
>
>They tried to alter ps, dir, top, slocate, lsof, ifconfig, netstat, md5sum,
>pstree, syslogd, in.fingerd, ls and installed a trojaned ssh. Most
>modifications failed due to the immutable bit which is set on most important
>binaries. Also xntps was installed which is a trojaned ssh daemon. The
>xntps read its config file from /lib/lblip.tk and listened on the port 48883.
>Also installed (but not used on my system) were libproc.a and libproc.so
>version 2.0.6. I guess they are installed to hide some process.

tk = t0rnkit, a well-known rootkit which is common in the scriptkiddie world.
A lot of different versions are circulating. Try doing strings ps | grep / and
check for suspicious strings. Go check those files and you will find the
controlling file. Also check the ls trojan for the same stuff.

>In /lib/ldd.so/ I found the patch script and a file called td. Strings
>revealed that it is some kind of testing program but I don't know for sure.

Probably not tfn2k, more likely it's stacheldraht which is also often
included with those different t0rnkit versions.

>Well, that's it so far. I'm currently looking for more suspicious things.
>Luckily they installed programs which require glibc, which doesn't exist
>on the system. So searching for the string GLIBC reveals a lot.
>
>If you like I can send you the whole stuff I've found so far.

Contact me at pressat_private if you need more info or if you want me to do
an analysis or something.

Thanks!

/ Fredrik

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
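An added example, not code from either mail in the thread, that scripts the checks discussed above: pulling strings out of a binary and looking for embedded paths such as t0rnkit's /lib/lblip.tk and /lib/ldd.so, counting GLIBC references on a host that has no glibc, and confirming the immutable bit. It assumes POSIX sh, GNU grep (used in place of strings(1)) and lsattr from e2fsprogs; the two sample "binaries" are constructed in a temp directory so it runs offline.

```sh
# Added example, not code from the thread: check binaries for the evidence
# discussed above: embedded paths pointing at a rootkit control file
# (t0rnkit's /lib/lblip.tk, /lib/ldd.so), GLIBC references on a host without
# glibc, and whether the immutable bit is set. grep -a -o stands in for strings(1).

# Printable runs of 4+ characters, roughly what strings(1) prints.
extract_strings() {
    LC_ALL=C grep -a -o -E '[[:print:]]{4,}' "$1"
}
# Absolute paths embedded in the binary; a trojaned ps or ls carries the
# path of its hidden configuration alongside the usual /proc and /dev ones.
embedded_paths() {
    extract_strings "$1" | grep -o -E '/[A-Za-z0-9._/-]+' | sort -u
}
# Paths named in the thread plus anything ending in ".tk"; extend the
# pattern with whatever "strings ps | grep /" turns up on the host.
suspicious_paths() {
    embedded_paths "$1" | grep -E '^/lib/(lblip\.tk|ldd\.so)|\.tk$' || true
}
# Count of GLIBC_x.y references; any hit on a non-glibc host means the
# binary was built elsewhere and dropped in.
glibc_refs() {
    extract_strings "$1" | grep -c 'GLIBC_' || true
}
# True when lsattr (e2fsprogs) reports the immutable flag 'i' on the file.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | grep -q 'i'
}
# One report line per binary.
scan_binary() {
    hits=$(suspicious_paths "$1" | tr '\n' ' ')
    refs=$(glibc_refs "$1")
    if is_immutable "$1"; then imm=yes; else imm=no; fi
    printf '%s suspicious_paths=[%s] glibc_refs=%s immutable=%s\n' \
        "$1" "$hits" "$refs" "$imm"
}
# Constructed sample "binaries" (not real rootkit files) so this runs offline:
# one clean-looking, one carrying the control-file path and GLIBC references.
make_samples() {
    dir=$(mktemp -d)
    printf '\177ELF\001\002/proc/stat\000/dev/tty\000' > "$dir/ps_clean"
    printf '\177ELF\001\002/proc/stat\000/lib/lblip.tk\000GLIBC_2.0\000GLIBC_2.1\000' \
        > "$dir/ps_trojaned"
    echo "$dir"
}

# On a real host, point scan_binary at /bin/ps, /bin/ls, /bin/netstat, ...
SAMPLE_DIR=$(make_samples)
for f in "$SAMPLE_DIR/ps_clean" "$SAMPLE_DIR/ps_trojaned"; do scan_binary "$f"; done
```

The immutable column will read "no" on filesystems where lsattr is unsupported, so treat it as a hint rather than proof.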
This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 08:43:22 PST