-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heya,

I have become intimately familiar with this specific rootkit recently due to a series of compromises which I investigated. The rootkit's name is Bobkit and it is written by the du-crew (DownUnder crew... Sargeant is the author's handle), which used to be found at http://www.du-crew.com, which appears to have been compromised (no irony is lost here). The du-crew owns both du-crew.org and du-crew.com and they have such cute whois entries... they are k-r@d.

Interestingly enough, in the cases which I investigated the binaries seemed to be linked against the wrong version of glibc, and were thus causing a SEGFAULT. (It's always interesting to log into a box which has a segfaulting ls but an uncompromised stat.)

This rootkit actually has several parts I didn't see in your tripwire logs, which include things like bkit-patch, which actually upgrades to the newest versions of the rootkit using a version of wget which they include. The kit usually includes backdoored versions of ssh (running on ports > 1024) etc...

If anyone wants any further information on my experiences with the kit, feel free to contact me.

On Sun, 13 Jan 2002, Chester Jankowski wrote:

> It looks like someone wasn't watching their Saturday morning cartoons
> yesterday and decided to crack my home Linux box instead. I have included
> the juicy bits from the tripwire report below. Now I have several questions
> for the security experts here. Is this attack a recognized one? Any
> suggestions for log analysis to track down the intruder? Is the only
> recovery here a complete re-install? And lastly, is there any place I should
> report the incident?

I would look in /var/log/messages*, /var/log/daemon*, /var/log/auth.log*, etc. for the intruder and then reinstall from scratch, because it appears they compromised a whole chunk of libraries and such which should never be trusted again.

- snip -

> Added:
> "/usr/lib/..."
> "/usr/lib/.../ls"
> "/usr/lib/.../netstat"
> "/usr/lib/.../lsof"
> "/usr/lib/.../bkit-ssh"
> "/usr/lib/.../bkit-ssh/bkit-shdcfg"
> "/usr/lib/.../bkit-ssh/bkit-shhk"
> "/usr/lib/.../bkit-ssh/bkit-pw"
> "/usr/lib/.../bkit-ssh/bkit-shrs"
> "/usr/lib/.../bkit-ssh/bkit-shd.pid"
> "/usr/lib/.../uconf.inv"
> "/usr/lib/.../psr"
> "/usr/lib/.../find"
> "/usr/lib/.../pstree"
> "/usr/lib/.../slocate"
> "/usr/lib/.../du"
> "/usr/lib/.../top"

- snip -

> -------------------------------------------------------------------------------
> Rule Name: User binaries (/usr/bin)
> Severity Level: 66
> -------------------------------------------------------------------------------
>
> Added:
> "/usr/bin/ntpsx"

- snip -

> -------------------------------------------------------------------------------
> Rule Name: Operating System Utilities (/bin/ls)
> Severity Level: 100
> -------------------------------------------------------------------------------
>
> Modified:
> "/bin/ls"
>
> -------------------------------------------------------------------------------
> Rule Name: Operating System Utilities (/bin/netstat)
> Severity Level: 100
> -------------------------------------------------------------------------------
>
> Modified:
> "/bin/netstat"
>
> -------------------------------------------------------------------------------
> Rule Name: Operating System Utilities (/bin/ps)
> Severity Level: 100
> -------------------------------------------------------------------------------
>
> Modified:
> "/bin/ps"
>

- snip -

- --dave worth
... Crunch crunch crunch CRUNCH crunch crunch crunch CrunCH ...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8Re8pSp8eEJaiKa8RAgmLAKCMn+gpXDUAgVUAV3UvpLxoUgROxwCeJWec
ixSzTb4QvNP+SDJFpr5IpQE=
=DY7P
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 17:03:53 PST
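The tripwire report above shows the kit replacing ls, find, netstat, ps and friends and parking its files in a directory literally named "..." under /usr/lib, while the reply notes the backdoored sshd listens on a port above 1024. The script below is an added example, not code from either poster or from Bobkit's own tooling: it does the two obvious triage checks without calling any of the binaries the report lists as replaced. It relies on the shell's own globbing (done by the shell, not by ls or find) and on reading /proc/net/tcp straight from the kernel rather than through netstat. It assumes the shell, awk, cat, mkdir, mktemp and rm are still intact (none of them appear in the report, but on a real compromise verify them from known-good media first). The function names and the sample socket table are my own; the table is constructed to look like /proc/net/tcp and is not captured data.

```shell
#!/bin/sh
# Added example (not from the original post): triage checks that avoid the
# userland binaries Bobkit replaces (ls, find, netstat, ps). Assumes the
# shell itself and the kernel's /proc interface are still trustworthy.

# Print dot-prefixed entries (other than . and ..) directly under a directory,
# using the shell's own glob expansion instead of the possibly trojaned
# ls/find. A directory literally named "..." is what the tripwire report showed.
hidden_entries() {
    dir=$1
    for e in "$dir"/.*; do
        [ -e "$e" ] || [ -L "$e" ] || continue   # unmatched glob stays literal
        name=${e##*/}
        case "$name" in
            .|..) ;;                              # the two real entries
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Print listening TCP ports above 1024 from a file in /proc/net/tcp format
# (default: the live table). State 0A is TCP_LISTEN; column 2 is
# "hexIP:hexPORT". Hex is converted by hand so this works on mawk as well as
# gawk (no strtonum).
high_listeners() {
    file=${1:-/proc/net/tcp}
    awk '
        function hex2dec(h,   i, c, v) {
            v = 0; h = toupper(h)
            for (i = 1; i <= length(h); i++) {
                c = index("0123456789ABCDEF", substr(h, i, 1)) - 1
                v = v * 16 + c
            }
            return v
        }
        NR > 1 && $4 == "0A" {
            split($2, a, ":")
            port = hex2dec(a[2])
            if (port > 1024) print port
        }' "$file"
}

# Constructed sample in /proc/net/tcp format (not real data): sshd on 22,
# httpd on 80, an unexplained listener on 28116 (0x6DD4), one on 8080
# (0x1F90), and one established connection on 22 that must be ignored.
write_sample_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 00000000:6DD4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 100 0 0 10 0
   3: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1 0 100 0 0 10 0
   4: 0100007F:0016 0100007F:D3A2 01 00000000:00000000 00:00000000 00000000     0        0 1238 1 0 100 0 0 10 0
EOF
}

# Demo on constructed input: a temporary tree with a "..." directory beside a
# normal one, plus the sample socket table. On a real box you would call
# hidden_entries /usr/lib and high_listeners with no argument instead.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/lib/..." "$tmp/lib/libfoo"
    write_sample_tcp "$tmp/tcp"
    printf 'hidden entries under lib: %s\n' "$(hidden_entries "$tmp/lib")"
    printf 'listeners above 1024: %s\n' "$(high_listeners "$tmp/tcp" | tr '\n' ' ')"
    rm -rf "$tmp"
}

demo
```

Neither check proves a box clean: a kernel-level kit would lie to the shell and to /proc alike, and a more careful intruder would pick a less conspicuous directory name. They are only a quick way to confirm what tripwire already flagged before the machine is rebuilt from scratch, which is still the right answer.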