Re: nasty tripwire report

From: David Worth (cesiumat_private)
Date: Wed Jan 16 2002 - 13:22:45 PST


    Heya,
    
    I have become intimately familiar with this specific rootkit recently due
    to a series of compromises which I investigated.  The rootkit's name is
    Bobkit and it is written by the du-crew (DownUnder crew... Sargeant is the
    author's handle), which used to be found at http://www.du-crew.com, which
    appears to have been compromised (no irony is lost here). The du-crew owns
    both du-crew.org and du-crew.com and has such cute whois entries... they
    are k-r@d.
    
    Interestingly enough, in the cases which I investigated the binaries
    seemed to be linked against the wrong version of glibc, and were thus
    causing a SEGFAULT.  (It's always interesting to log into a box which has
    a segfaulting ls but which has an uncompromised stat.)  This rootkit
    actually has several parts I didn't see in your tripwire logs, which
    include things like bkit-patch, which actually upgrades to the newest
    versions of the rootkit using a version of wget which they include.  The
    kit usually includes backdoored versions of ssh (running on ports > 1024)
    etc... If anyone wants any further information on my experiences with the
    kit, feel free to contact me.
    
    On Sun, 13 Jan 2002, Chester Jankowski wrote:
    
    > It looks like someone wasn't watching their Saturday morning cartoons
    > yesterday and decided to crack my home Linux box instead. I have included
    > the juicy bits from the tripwire report below. Now I have several questions
    > for the security experts here. Is this attack a recognized one? Any
    > suggestions for log analysis to track down the intruder? Is the only
    > recovery here a complete re-install? And lastly, is there any place I should
    > report the incident?
    
    I would look in /var/log/messages*, /var/log/daemon*, /var/log/auth.log*,
    etc for the intruder and then reinstall from scratch because it appears
    they compromised a whole chunk of libraries and such which should never be
    trusted again.
    
     - snip -
    
    > Added:
    > "/usr/lib/..."
    > "/usr/lib/.../ls"
    > "/usr/lib/.../netstat"
    > "/usr/lib/.../lsof"
    > "/usr/lib/.../bkit-ssh"
    > "/usr/lib/.../bkit-ssh/bkit-shdcfg"
    > "/usr/lib/.../bkit-ssh/bkit-shhk"
    > "/usr/lib/.../bkit-ssh/bkit-pw"
    > "/usr/lib/.../bkit-ssh/bkit-shrs"
    > "/usr/lib/.../bkit-ssh/bkit-shd.pid"
    > "/usr/lib/.../uconf.inv"
    > "/usr/lib/.../psr"
    > "/usr/lib/.../find"
    > "/usr/lib/.../pstree"
    > "/usr/lib/.../slocate"
    > "/usr/lib/.../du"
    > "/usr/lib/.../top"
    
     - snip -
    > ----------------------------------------------------------------------------
    > ---
    > Rule Name: User binaries (/usr/bin)
    > Severity Level: 66
    > ----------------------------------------------------------------------------
    > ---
    >
    > Added:
    > "/usr/bin/ntpsx"
    
     - snip -
    
    > ----------------------------------------------------------------------------
    > ---
    > Rule Name: Operating System Utilities (/bin/ls)
    > Severity Level: 100
    > ----------------------------------------------------------------------------
    > ---
    >
    > Modified:
    > "/bin/ls"
    >
    > ----------------------------------------------------------------------------
    > ---
    > Rule Name: Operating System Utilities (/bin/netstat)
    > Severity Level: 100
    > ----------------------------------------------------------------------------
    > ---
    >
    > Modified:
    > "/bin/netstat"
    >
    > ----------------------------------------------------------------------------
    > ---
    > Rule Name: Operating System Utilities (/bin/ps)
    > Severity Level: 100
    > ----------------------------------------------------------------------------
    > ---
    >
    > Modified:
    > "/bin/ps"
    >
    
     - snip -
    
    --dave worth
    
     ... Crunch crunch crunch CRUNCH crunch crunch crunch CrunCH ...
    
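As an added illustration of triaging a report like the one quoted in this thread (example code written for this archive page, not from either poster), the script below parses tripwire-style "Rule Name / Severity Level / Added / Modified" sections and flags the three patterns the report shows: a directory literally named "...", filenames tied to Bobkit, and modified core utilities. The sample report, the rule name "Libraries (/usr/lib)" and the indicator list are constructed for the example.

```python
# Constructed sample in the layout of the tripwire report quoted above.
SAMPLE_REPORT = """
Rule Name: User binaries (/usr/bin)
Severity Level: 66
Added:
"/usr/bin/ntpsx"
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
Modified:
"/bin/ls"
Rule Name: Libraries (/usr/lib)
Severity Level: 66
Added:
"/usr/lib/..."
"/usr/lib/.../bkit-ssh/bkit-shd.pid"
"""

# Filenames the thread associates with Bobkit (assumed indicator list).
BKIT_NAMES = ("bkit-", "uconf.inv", "ntpsx")

def parse_report(text):
    """Yield (rule, severity, change, path) for each quoted path in the report."""
    rule, severity, change = None, None, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # also accepts mail-quoted copies
        if line.startswith("Rule Name:"):
            rule = line.split(":", 1)[1].strip()
        elif line.startswith("Severity Level:"):
            severity = int(line.split(":", 1)[1])
        elif line in ("Added:", "Modified:", "Removed:"):
            change = line[:-1]
        elif line.startswith('"') and line.endswith('"'):
            yield rule, severity, change, line[1:-1]

def triage(text):
    """Return {path: reason} for entries that look like rootkit activity."""
    findings = {}
    for rule, severity, change, path in parse_report(text):
        parts = path.split("/")[1:]
        if any(p.startswith("...") for p in parts):
            # A directory named "..." blends in with "." and ".." in a casual ls.
            findings[path] = "hidden dotted directory"
        elif any(name in path.lower() for name in BKIT_NAMES):
            findings[path] = "Bobkit filename indicator"
        elif change == "Modified" and severity is not None and severity >= 100:
            # A replaced core utility means the box's own tools cannot be trusted.
            findings[path] = "modified system binary"
    return findings
```

Run `triage(open("report.txt").read())` against a saved report; every flagged path is a reason to verify the binary from clean media rather than with the host's own ls, ps or netstat.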
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 17:03:53 PST