In the past few days my firewall has picked up a surge of RPC-related exploits (statdx) coming from the UK and various other off-shore sites. Anyone else see any strange RPC-related activity, or am I just suddenly the target of pissed off script kiddies?

++
John Stauffacher
Network Administrator
Chapman University
stauffacherat_private
714-628-7249

-----Original Message-----
From: Vladimir Ivaschenko [mailto:hazardat_private]
Sent: Tuesday, January 22, 2002 1:43 PM
To: incidentsat_private
Subject: optic rootkit (was Re: xsf/xchk)

By using "strings" I have found that the changed binaries point to files inside the /dev/tux directory. Judging by /dev/tux/ssh2/logo, the name of the rootkit is "Optic Kit". I couldn't find anything about it using Google.

If somebody is interested, I can share the needed information and the rootkit itself. I have made a copy of the rootkit-related files that I found.

wtmp was removed, and /var/log/messages was cleaned to remove references to the attacker - e.g. FTP "connection opened" messages.

We are going to reinstall the system, so please email me ASAP if you're interested in knowing any additional details.

Vladimir Ivaschenko wrote about "xsf/xchk":
> Hi,
>
> Today a RedHat 7.1 Linux machine of my friend was compromised.
> I have just started investigating, so I don't have any
> information on how it was done. After the attack, login via console
> stopped working.
>
> I have found the following files in /usr/bin: xchk and xsf. They
> are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
> sitting on port 14859. I don't know what the purpose of xchk is.
> killall and ps were also replaced by programs which hide xsf and
> xchk.
>
> Has anyone seen something similar before and can point me to some
> information? I tried searching for xsf / xchk in Google and
> didn't get any results.
>
> --
> Best Regards
> Vladimir Ivaschenko
> Certified Linux Engineer (RHCE)

--
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
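The two triage steps described in the thread (running `strings` over replaced binaries to find references to a hidden directory under /dev, and noticing a daemon on a port that trojaned ps/killall hide) can be scripted for a quick host check. The block below is an added example written for this archive page; it is not code from the thread, from Vladimir, or from any rootkit. It generalizes the /dev/tux case to any non-device path under /dev/, compares LISTEN sockets taken from /proc/net/tcp (which a userland-only rootkit cannot alter) against the ports a possibly trojaned tool reports, and runs on constructed sample data. The KNOWN_DEV_NAMES allowlist is an assumption for the demonstration, not a complete list of legitimate device names.

```python
"""
Two triage checks suggested by the Optic Kit thread (added example, not code
from the original messages):
  1. a strings(1)-style scan of a binary for embedded paths under /dev/ whose
     first component is not a known device name (the thread's /dev/tux);
  2. a comparison of LISTEN sockets parsed from /proc/net/tcp against the
     ports a userland tool (ps, netstat) admits to, to expose hidden daemons.
All sample data in this file is constructed for the demonstration.
"""
import re
from typing import Iterable

# Device names a clean system legitimately references under /dev.
# Assumption for the example: extend this for the host being checked.
KNOWN_DEV_NAMES = {
    "null", "zero", "tty", "console", "urandom", "random", "ptmx",
    "log", "stdin", "stdout", "stderr", "fd",
}


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs of at least min_len bytes, like `strings -n 4`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def suspicious_dev_paths(blob: bytes) -> list[str]:
    """Paths under /dev/ whose first component is not a known device name.

    Rootkits of this era stored config and binaries in a fake /dev subdirectory,
    so a trojaned ps or killall carries that path as a plain string.
    """
    hits: list[str] = []
    for s in extract_strings(blob):
        for path in re.findall(r"/dev/[A-Za-z0-9._/-]+", s):
            first = path.split("/")[2]
            if first not in KNOWN_DEV_NAMES and path not in hits:
                hits.append(path)
    return hits


def listening_ports_from_proc(proc_net_tcp: str) -> set[int]:
    """Parse /proc/net/tcp text and return local ports in state 0A (LISTEN)."""
    ports: set[int] = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.rsplit(":", 1)[1], 16))  # port is hex
    return ports


def hidden_listeners(proc_net_tcp: str, reported_ports: Iterable[int]) -> set[int]:
    """Ports the kernel says are listening but the userland tool did not report."""
    return listening_ports_from_proc(proc_net_tcp) - set(reported_ports)


# Constructed sample: a fake trojaned `ps` with embedded /dev/tux references.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/dev/null\x00/dev/tux/.ps_hide\x00/dev/tux/ssh2/logo\x00"
    + b"ps: command failed\x00"
)

# Constructed /proc/net/tcp excerpt: sshd on 22 (0x0016) listening, a second
# daemon on 14859 (0x3A0B) listening, and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:3A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    print("suspicious /dev paths:", suspicious_dev_paths(SAMPLE_BINARY))
    # A trojaned netstat would only admit to port 22; the kernel disagrees.
    print("hidden listeners:", hidden_listeners(SAMPLE_PROC_NET_TCP, [22]))
```

On a live host, feed `suspicious_dev_paths` the bytes of /bin/ps, /usr/bin/killall and anything started from /etc/rc.d/rc.sysinit, and feed `hidden_listeners` the contents of /proc/net/tcp together with the ports your netstat prints; the ports that remain are the ones to investigate. The check only works while the rootkit is userland-only, which matches the binary replacement described in the thread.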
This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 08:49:44 PST