This e-mail has been frozen in our e-mail system. It has now been released.
We apologise for the delay caused.

Postmaster@qas.com

----- Original Message -----
From: "James W. Abendschan" <jwa@jammed.com>
To: <incidents@securityfocus.com>
Sent: Wednesday, December 05, 2001 8:26 AM
Subject: Re: linux 'zoot' rootkit/DoSkit/etc

> On Mon, 3 Dec 2001, I said:
>
> [ ... ]
>
> > I tar'd up the obviously affected files; a list is below. Some
> > excerpts:
>
> There were lots of requests for the tarball; it's ~2mb & available at
>
> http://www.jammed.com/~jwa/zootkit-snapshot-20011203.tar.gz
>
> There were no sources that I could find, save the knark stuff in
> usr/src/zoot/src/.
>
> A few config & log files point to a possible origin in Romania:
>
> ./usr/src/zoot/ps/log/psybnc.log:Sat Dec 1 07:23:34 :connect from 80.96.164.7
> ./usr/src/zoot/ps/log/psybnc.log:Sat Dec 1 07:23:38 :Lost Connection from 80.96.164.7 (zodiak)
> [ ... ]
> ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
> ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
> ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
> ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
> ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
> ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
> [ ... ]
> ./sbin/zoot.sshd-conf:AllowHosts 80.96.9.* 80.96.164.* 80.96.165.* 217.19.10.* 216.242.179.* 194.105.19.*
>
> 216.242.179 is the odd one out; it's registered to Intelliswitch Inc.
> of West Palm Beach, FL.
>
> Language excerpts:
>
> ./usr/src/zoot/me/Xelar.seen:SIR_X SIR_X!sad@213.233.104.80 none 1007329598 2 lu' SIR_X- ii va fii dor de prietenul lui cel mai bun shaddycand nu este pe net!!!
> ./usr/src/zoot/me/Xelar.seen:sophie sophie!~mikki@casablanca3.oltenia.ro none 1006898068 2 Read error: Connection reset by peer
> ./usr/src/zoot/me/Xelar.seen:Xx2th3Uk Xx2th3Uk!~andreea@80.96.0.16 none 1006867051 2 hai baieti forta "U" craiova!!!!!!!!!!!
>
> There was an IRC client & bot inside usr/src/zoot/me and usr/src/zoot/ps.
> Poking through the logs it looked like someone with the nick 'VALDECK'
> was the person IRC'ing from the box:
>
> ./usr/src/zoot/me/Xelar.seen:Xelar Xelar!~doom@SANITIZED.com none 1007315632 1 #BSDi
> ./usr/src/zoot/me/Xelar.seen:VALDECK-- VALDECK--!~evil@SANITIZED.com none 1007341555 3 VALDECK
> ./usr/src/zoot/me/Xelar.seen:Luclin Luclin!~insane@140.186.38.10 ChaosAD!~dead@adsl-63-197-16-12.dsl.snfc21.pacbell.net 1007348187 4 aVALDECK!~evil@SANITIZED.com is Protecteda
> ./usr/src/zoot/me/Xelar.seen:Haroth Haroth!~gawd@router.netron.cz Crematory!~doomed@207.231.193.201 1007348187 4 aVALDECK!~evil@SANITIZED.com is Protecteda
> ./usr/src/zoot/me/Xelar.seen:CoHekar CoHekar!~doom@SANITIZED.com none 1006880730 3 Xelar
> ./usr/src/zoot/ps/USER2.LOG:~Mon Dec 3 00:21:39 :(VALDECK!~evil@SANITIZED.com) cine e ?
>
> (SANITIZED.com was the hostname of the affected machine.)
>
> The nick 'VALDECK' is currently in use on undernet:
>
> | VALDECK (~evil@207-232-110-40.ip.van.radiant.net) (Internic Network)
> | ircname  : god
> | channels : +#GENERIC @#BSDi
> | server   : *.undernet.org (The Undernet Underworld)
> | away     : VALDECK - straying in nightmares all the time. (logging on baby)
>
> The owners of the machine have decommissioned it (the box was due to
> be retired soon anyway), so the contents of the tarball are all there is.
>
> James
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
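The indicator lines quoted in the post are grep-style path:content output from the snapshot tarball. As an added example that is not part of the original post, of the zoot kit, or of psybnc or sshd, the following Python script shows the triage step a responder would take with such a listing: it pulls out the host patterns the intruder allow-listed (psybnc HOSTALLOWS entries and the trojaned sshd's AllowHosts line), collects the addresses that actually appear in the bouncer log and the IRC seen-file, converts the dotted wildcards to CIDR networks, and reports which observed addresses fall inside the allow-list and which do not. The sample lines are constructed from the excerpts in the post (IRC message text omitted); the regular expressions and function names are this example's own assumptions about the file formats, not documentation of either program.

```python
"""Triage helper: extract network indicators from a grep-style listing of
rootkit artifacts (path:content lines) and correlate the hosts the intruder
allow-listed with the hosts that actually connected."""
import ipaddress
import re

# Constructed sample input, modelled on the excerpts quoted in the post.
SAMPLE_LINES = [
    "./usr/src/zoot/ps/log/psybnc.log:Sat Dec 1 07:23:34 :connect from 80.96.164.7",
    "./usr/src/zoot/ps/log/psybnc.log:Sat Dec 1 07:23:38 :Lost Connection from 80.96.164.7 (zodiak)",
    "./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*",
    "./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*",
    "./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*",
    "./sbin/zoot.sshd-conf:AllowHosts 80.96.9.* 80.96.164.* 80.96.165.* 217.19.10.* 216.242.179.* 194.105.19.*",
    "./usr/src/zoot/me/Xelar.seen:SIR_X SIR_X!sad@213.233.104.80 none 1007329598 2 (message omitted)",
    "./usr/src/zoot/me/Xelar.seen:Xx2th3Uk Xx2th3Uk!~andreea@80.96.0.16 none 1006867051 2 (message omitted)",
    "./usr/src/zoot/me/Xelar.seen:Luclin Luclin!~insane@140.186.38.10 ChaosAD!~dead@adsl-63-197-16-12.dsl.snfc21.pacbell.net 1007348187 4 (message omitted)",
    "./usr/src/zoot/me/Xelar.seen:sophie sophie!~mikki@casablanca3.oltenia.ro none 1006898068 2 Read error: Connection reset by peer",
]

# Assumed line shapes (this example's guesses, not psybnc/sshd documentation).
PSYBNC_ALLOW_RE = re.compile(r"PSYBNC\.HOSTALLOWS\.ENTRY\d+=(\S+)")
SSHD_ALLOW_RE = re.compile(r"^AllowHosts\s+(.+)$")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
CONNECT_RE = re.compile(r"(?:connect|Lost Connection) from (" + IPV4 + ")")
HOSTMASK_RE = re.compile(r"!~?[^@\s]+@(" + IPV4 + ")")  # nick!user@host, numeric hosts only


def split_path(line):
    """Split 'path:content' on the first colon; grep -r paths contain no colon."""
    path, _, content = line.partition(":")
    return path, content


def wildcard_to_network(pattern):
    """Turn a dotted wildcard such as '80.96.164.*' into 80.96.164.0/24.

    Returns None for anything that is not a leading-octet prefix (hostnames,
    mixed forms like 80.*.164.*), so the caller can treat it as unmatched."""
    octets = pattern.split(".")
    if len(octets) != 4:
        return None
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        if not octet.isdigit():
            return None
        fixed.append(octet)
    if any(octet != "*" for octet in octets[len(fixed):]):
        return None
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{addr}/{8 * len(fixed)}")


def allowed_patterns(lines):
    """Host patterns the intruder allow-listed in the bouncer and sshd configs."""
    patterns = set()
    for line in lines:
        _, content = split_path(line)
        m = PSYBNC_ALLOW_RE.search(content)
        if m:
            patterns.add(m.group(1))
            continue
        m = SSHD_ALLOW_RE.match(content)
        if m:
            patterns.update(m.group(1).split())
    return sorted(patterns)


def observed_addresses(lines):
    """Numeric addresses seen in bouncer connect lines and IRC hostmasks."""
    seen = set()
    for line in lines:
        _, content = split_path(line)
        seen.update(CONNECT_RE.findall(content))
        seen.update(HOSTMASK_RE.findall(content))
    return sorted(seen, key=ipaddress.ip_address)


def correlate(lines):
    """Map each allow-listed pattern to the observed addresses inside it;
    addresses matching no pattern are reported separately as leads."""
    networks = {p: wildcard_to_network(p) for p in allowed_patterns(lines)}
    hits = {p: [] for p in networks}
    unmatched = []
    for ip in observed_addresses(lines):
        addr = ipaddress.ip_address(ip)
        matched = False
        for pattern, net in networks.items():
            if net is not None and addr in net:
                hits[pattern].append(ip)
                matched = True
        if not matched:
            unmatched.append(ip)
    return {"allowed": hits, "unmatched": unmatched}


if __name__ == "__main__":
    report = correlate(SAMPLE_LINES)
    for pattern, ips in report["allowed"].items():
        print(f"{pattern:16} -> {wildcard_to_network(pattern)}  seen: {ips or '-'}")
    print("not in allow-list:", report["unmatched"])
```

Addresses that land inside an allow-listed network corroborate the origin the post infers from the configs; the ones outside it are the IRC contacts the bot recorded, which are a separate lead rather than evidence of login access. Run against a real snapshot, feed the script `grep -r` output over the extracted tree instead of SAMPLE_LINES.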
This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 11:04:23 PST