Re: linux 'zoot' rootkit/DoSkit/etc

From: James W. Abendschan (jwaat_private)
Date: Wed Dec 05 2001 - 00:26:05 PST


    On Mon, 3 Dec 2001, I said:
    
    [ ... ]
    
    > I tar'd up the obviously affected files; a list is below.  Some
    > excerpts:
    
    There were lots of requests for the tarball; it's ~2mb & available at
    
    	http://www.jammed.com/~jwa/zootkit-snapshot-20011203.tar.gz
    
    There were no sources that I could find, save the knark stuff in
    usr/src/zoot/src/.
    
    A few config & log files point to a possible origin in Romania:
    
    ./usr/src/zoot/ps/log/psybnc.log:Sat Dec  1 07:23:34 :connect from 80.96.164.7
    ./usr/src/zoot/ps/log/psybnc.log:Sat Dec  1 07:23:38 :Lost Connection from 80.96.164.7 (zodiak)
    [ ... ]
    ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
    ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
    ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
    ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
    ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
    ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
    [ ... ]
    ./sbin/zoot.sshd-conf:AllowHosts 80.96.9.* 80.96.164.* 80.96.165.* 217.19.10.* 216.242.179.* 194.105.19.*
    
    216.242.179 is the odd one out; it's registered to Intelliswitch Inc. 
    of West Palm Beach, FL.
    
    
    Language excerpts:
    
    ./usr/src/zoot/me/Xelar.seen:SIR_X SIR_X!sadat_private none 1007329598 2 lu' SIR_X- ii va fii dor de prietenul lui cel mai bun shaddycand nu este pe net!!!
    ./usr/src/zoot/me/Xelar.seen:sophie sophie!~mikkiat_private none 1006898068 2 Read error: Connection reset by peer
    ./usr/src/zoot/me/Xelar.seen:Xx2th3Uk Xx2th3Uk!~andreeaat_private none 1006867051 2 hai baieti forta "U" craiova!!!!!!!!!!!
    
    
    There was an IRC client & bot inside usr/src/zoot/me and usr/src/zoot/ps.  
    Poking through the logs it looked like someone with the nick 'VALDECK' 
    was the person IRC'ing from the box:
    
    ./usr/src/zoot/me/Xelar.seen:Xelar Xelar!~doomat_private none 1007315632 1 #BSDi
    ./usr/src/zoot/me/Xelar.seen:VALDECK-- VALDECK--!~evilat_private none 1007341555 3 VALDECK
    ./usr/src/zoot/me/Xelar.seen:Luclin Luclin!~insaneat_private ChaosAD!~dead@adsl-63-197-16-12.dsl.snfc21.pacbell.net 1007348187 4 aVALDECK!~evilat_private is Protecteda
    ./usr/src/zoot/me/Xelar.seen:Haroth Haroth!~gawdat_private Crematory!~doomedat_private 1007348187 4 aVALDECK!~evilat_private is Protecteda
    ./usr/src/zoot/me/Xelar.seen:CoHekar CoHekar!~doomat_private none 1006880730 3 Xelar
    ./usr/src/zoot/ps/USER2.LOG:~Mon Dec  3 00:21:39 :(VALDECK!~evilat_private) cine e ?
    
    (SANITIZED.com was the hostname of the affected machine.)
    
    The nick 'VALDECK' is currently in use on undernet:
    
    | VALDECK (~evil@207-232-110-40.ip.van.radiant.net) (Internic Network)
    | ircname  :  god 
    | channels : +#GENERIC @#BSDi 
    | server   : *.undernet.org (The Undernet Underworld)
    | away     : VALDECK - straying in nightmares all the time. (logging on baby)
    
    
    
    The owners of the machine have decommissioned it (the box was due to
    be retired soon anyway), so the contents of the tarball are all there is.  
    
    James
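The attribution step above (pulling host allow-lists and connect lines out of psybnc.conf, psybnc.log and the trojaned sshd config, then seeing which netblocks recur) is easy to do by hand on nine grep lines and tedious on a 2 MB snapshot. The following Python is an added example, not code from the post or the tarball: it takes `grep -r`-style `path:line` output (the excerpts quoted above are embedded as constructed sample input), collapses every IP or `a.b.c.*` wildcard to a /24, and reports which prefixes are corroborated across several files and which appear in only one. It does not do the WHOIS lookup; the conclusion that 216.242.179 is registered to a US company is the author's, not something this code derives. Function and variable names are mine.

```python
import re
from collections import defaultdict

# Constructed sample input: the grep excerpts quoted in the post, reproduced
# inline so this runs offline. Paths are relative to the snapshot root.
SAMPLE = """\
./usr/src/zoot/ps/log/psybnc.log:Sat Dec  1 07:23:34 :connect from 80.96.164.7
./usr/src/zoot/ps/log/psybnc.log:Sat Dec  1 07:23:38 :Lost Connection from 80.96.164.7 (zodiak)
./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
./sbin/zoot.sshd-conf:AllowHosts 80.96.9.* 80.96.164.* 80.96.165.* 217.19.10.* 216.242.179.* 194.105.19.*
"""

# Matches a full dotted quad (80.96.164.7) or a psybnc/sshd style wildcard
# (80.96.164.*). Timestamps like 07:23:34 contain no dots, so they do not match.
IP_OR_WILDCARD = re.compile(r'\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3}|\*)')


def slash24(match):
    """Collapse an IP or a.b.c.* wildcard to its /24 prefix."""
    a, b, c, _ = match.groups()
    return f"{a}.{b}.{c}.0/24"


def parse_grep_output(text):
    """Yield (path, prefix) for every address in 'path:line' grep output."""
    for raw in text.splitlines():
        if ':' not in raw:
            continue
        # grep -r prefixes each hit with the file name and a colon; the
        # first colon is the separator (paths in the snapshot contain none).
        path, _, line = raw.partition(':')
        for m in IP_OR_WILDCARD.finditer(line):
            yield path, slash24(m)


def correlate(text):
    """Map each /24 to the set of files that reference it."""
    seen = defaultdict(set)
    for path, prefix in parse_grep_output(text):
        seen[prefix].add(path)
    return seen


def corroborated(seen, min_files=3):
    """Prefixes independently referenced by at least min_files files."""
    return sorted(p for p, files in seen.items() if len(files) >= min_files)


def odd_ones_out(seen):
    """Prefixes referenced by exactly one file: the ones to WHOIS by hand."""
    return sorted(p for p, files in seen.items() if len(files) == 1)


if __name__ == "__main__":
    seen = correlate(SAMPLE)
    for prefix, files in sorted(seen.items(), key=lambda kv: -len(kv[1])):
        print(f"{prefix:18} {len(files)} file(s): {', '.join(sorted(files))}")
    print("corroborated:", corroborated(seen))
    print("single-source:", odd_ones_out(seen))
```

Run against the real snapshot with `grep -rn -E '[0-9]+\.[0-9]+\.[0-9]+\.([0-9]+|\*)' . | python3 triage.py`-style input (after adapting `SAMPLE` to read stdin). The 80.96.x prefixes show up in the bouncer log, both bouncer configs and the sshd allow-list, which is why they carry weight; the three prefixes that appear only in zoot.sshd-conf are the ones worth a registry lookup before drawing conclusions.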
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 08:48:04 PST