This e-mail has been frozen in our e-mail system. It has now been released. We apologise for the delay caused.

Postmasterat_private

----- Original Message -----
From: "James W. Abendschan" <jwaat_private>
To: <incidentsat_private>
Sent: Wednesday, December 05, 2001 8:26 AM
Subject: Re: linux 'zoot' rootkit/DoSkit/etc

> On Mon, 3 Dec 2001, I said:
>
> [ ... ]
>
> > I tar'd up the obviously affected files; a list is below. Some
> > excerpts:
>
> There were lots of requests for the tarball; it's ~2mb & available at
>
> http://www.jammed.com/~jwa/zootkit-snapshot-20011203.tar.gz
>
> There were no sources that I could find, save the knark stuff in
> usr/src/zoot/src/.
>
> A few config & log files point to a possible origin in Romania:
>
> ./usr/src/zoot/ps/log/psybnc.log:Sat Dec 1 07:23:34 :connect from 80.96.164.7
> ./usr/src/zoot/ps/log/psybnc.log:Sat Dec 1 07:23:38 :Lost Connection from 80.96.164.7 (zodiak)
> [ ... ]
> ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
> ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
> ./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
> ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
> ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
> ./usr/src/zoot/ps/psybnc.conf.old:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
> [ ... ]
> ./sbin/zoot.sshd-conf:AllowHosts 80.96.9.* 80.96.164.* 80.96.165.* 217.19.10.* 216.242.179.* 194.105.19.*
>
> 216.242.179 is the odd one out; it's registered to Intelliswitch Inc.
> of West Palm Beach, FL.
>
>
> Language excerpts:
>
> ./usr/src/zoot/me/Xelar.seen:SIR_X SIR_X!sadat_private none 1007329598 2 lu' SIR_X- ii va fii dor de prietenul lui cel mai bun shaddycand nu este pe net!!!
>   [translation from Romanian: "SIR_X will miss his best friend shaddy when he is not on the net!!!"]
> ./usr/src/zoot/me/Xelar.seen:sophie sophie!~mikkiat_private none 1006898068 2 Read error: Connection reset by peer
> ./usr/src/zoot/me/Xelar.seen:Xx2th3Uk Xx2th3Uk!~andreeaat_private none 1006867051 2 hai baieti forta "U" craiova!!!!!!!!!!!
>   [translation from Romanian: "come on boys, go 'U' Craiova!!!"]
>
>
> There was an IRC client & bot inside usr/src/zoot/me and usr/src/zoot/ps.
> Poking through the logs it looked like someone with the nick 'VALDECK'
> was the person IRC'ing from the box:
>
> ./usr/src/zoot/me/Xelar.seen:Xelar Xelar!~doomat_private none 1007315632 1 #BSDi
> ./usr/src/zoot/me/Xelar.seen:VALDECK-- VALDECK--!~evilat_private none 1007341555 3 VALDECK
> ./usr/src/zoot/me/Xelar.seen:Luclin Luclin!~insaneat_private ChaosAD!~dead@adsl-63-197-16-12.dsl.snfc21.pacbell.net 1007348187 4 aVALDECK!~evilat_private is Protecteda
> ./usr/src/zoot/me/Xelar.seen:Haroth Haroth!~gawdat_private Crematory!~doomedat_private 1007348187 4 aVALDECK!~evilat_private is Protecteda
> ./usr/src/zoot/me/Xelar.seen:CoHekar CoHekar!~doomat_private none 1006880730 3 Xelar
> ./usr/src/zoot/ps/USER2.LOG:~Mon Dec 3 00:21:39 :(VALDECK!~evilat_private) cine e ?
>   [translation from Romanian: "who is it?"]
>
> (SANITIZED.com was the hostname of the affected machine.)
>
> The nick 'VALDECK' is currently in use on undernet:
>
> | VALDECK (~evil@207-232-110-40.ip.van.radiant.net) (Internic Network)
> | ircname  : god
> | channels : +#GENERIC @#BSDi
> | server   : *.undernet.org (The Undernet Underworld)
> | away     : VALDECK - straying in nightmares all the time. (logging on baby)
>
>
> The owners of the machine have decommissioned it (the box was due to
> be retired soon anyway), so the contents of the tarball are all there is.
>
> James
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
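The triage the post walks through by hand (pull the allow-listed netblocks out of the bouncer config and the trojaned sshd config, pull the connecting IPs out of the psybnc log, then see which allow-listed blocks were actually used and which, like 216.242.179.*, were staged but never seen) can be scripted over `grep -r`-style "path:content" output. The script below is an added example and is not part of the original post or of the zoot kit; the `SAMPLE` text is constructed to mirror the quoted excerpts and is not the snapshot's real contents. It assumes the wildcard syntax shown in the quoted lines (`a.b.c.*` meaning a /24, with shorter prefixes meaning /16 and /8) and that connection records contain the words "connect" and "from".

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input ("path:content" lines as grep -r prints them),
# modelled on the excerpts quoted in the post; NOT the real snapshot.
SAMPLE = """\
./usr/src/zoot/ps/log/psybnc.log:Sat Dec 1 07:23:34 :connect from 80.96.164.7
./usr/src/zoot/ps/log/psybnc.log:Sat Dec 1 07:23:38 :Lost Connection from 80.96.164.7 (zodiak)
./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY0=80.96.165.*
./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY1=80.96.9.*
./usr/src/zoot/ps/psybnc.conf:PSYBNC.HOSTALLOWS.ENTRY2=80.96.164.*
./sbin/zoot.sshd-conf:AllowHosts 80.96.9.* 80.96.164.* 80.96.165.* 217.19.10.* 216.242.179.* 194.105.19.*
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")          # dotted quad
WILDCARD = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){0,2}\.\*")     # e.g. 80.96.164.*


def wildcard_to_network(pattern):
    """Convert a psybnc/sshd-style wildcard into an ipaddress network.

    Assumed mapping: '80.96.164.*' -> 80.96.164.0/24, '80.96.*' -> 80.96.0.0/16,
    '80.*' -> 80.0.0.0/8 (one octet of prefix per literal octet).
    """
    octets = pattern.rstrip("*").rstrip(".").split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("unsupported wildcard: %r" % pattern)
    base = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (base, 8 * len(octets)))


def extract_iocs(grep_output):
    """Collect allow-listed networks and observed client IPs from 'path:content'
    lines, remembering which file each indicator came from."""
    allow = defaultdict(set)    # network -> {source paths}
    clients = defaultdict(set)  # client IP -> {source paths}
    for line in grep_output.splitlines():
        path, sep, content = line.partition(":")
        if not sep:
            continue
        # Allow lists: psybnc HOSTALLOWS entries and the trojaned sshd's AllowHosts.
        if "HOSTALLOWS" in content or content.startswith("AllowHosts"):
            for m in WILDCARD.finditer(content):
                allow[wildcard_to_network(m.group(0))].add(path)
            for m in IPV4.finditer(content):   # a bare host in an allow list is a /32
                allow[ipaddress.ip_network(m.group(1))].add(path)
        # Connection records: who actually used the bouncer.
        elif "connect" in content.lower() and "from" in content:
            for m in IPV4.finditer(content):
                clients[ipaddress.ip_address(m.group(1))].add(path)
    return {"allow": dict(allow), "clients": dict(clients)}


def covering_networks(iocs):
    """Map each observed client IP to the allow-listed networks that admit it."""
    return {ip: sorted(n for n in iocs["allow"] if ip in n) for ip in iocs["clients"]}


def unseen_networks(iocs):
    """Allow-listed networks from which no connection was logged: infrastructure
    the intruder staged on this box but did not use from it (the 'odd one out')."""
    seen = list(iocs["clients"])
    return sorted(n for n in iocs["allow"] if not any(ip in n for ip in seen))


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE)
    for ip, nets in covering_networks(iocs).items():
        print("client %s admitted by %s" % (ip, ", ".join(map(str, nets))))
    for n in unseen_networks(iocs):
        print("allow-listed but never seen connecting: %s  (%s)"
              % (n, ", ".join(sorted(iocs["allow"][n]))))
```

Run it against real `grep -r` output redirected from the unpacked snapshot rather than `SAMPLE`; the overlap between the psybnc and sshd allow lists (the same network keyed to two source paths) is what ties the bouncer and the backdoored sshd to one operator, and the unseen networks are the pivot list for the next hunt.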
This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 11:04:23 PST