RPC EXPLOIT statdx

From: John Stauffacher (stauffacherat_private)
Date: Tue Jan 22 2002 - 18:05:32 PST

    In the past few days my firewall has picked up a surge of RPC-related
    exploits (statdx) coming from the UK and various other off-shore sites.
    Anyone else see any strange RPC-related activity, or am I just suddenly
    the target of pissed off script kiddies?
    
    
    ++
    John Stauffacher
    Network Administrator
    Chapman University
    stauffacherat_private
    714-628-7249
    
    -----Original Message-----
    From: Vladimir Ivaschenko [mailto:hazardat_private] 
    Sent: Tuesday, January 22, 2002 1:43 PM
    To: incidentsat_private
    Subject: optic rootkit (was Re: xsf/xchk)
    
    By using "strings" I have found that the changed binaries point to
    files inside the /dev/tux directory. Judging by /dev/tux/ssh2/logo,
    the name of the rootkit is "Optic Kit". I couldn't find anything
    about it using Google. If somebody is interested, I can share the
    needed information and the rootkit itself. I have made a copy of
    the rootkit-related files that I found. wtmp was removed, and
    /var/log/messages was cleaned to remove references to the attacker
    - e.g. FTP "connection opened" messages.
    
    We are going to reinstall the system, so please email me ASAP if
    you're interested in knowing any additional details.
    
    Vladimir Ivaschenko wrote about "xsf/xchk":
    
    > Hi,
    > 
    > Today a RedHat 7.1 Linux machine of my friend was compromised.
    > I have just started investigating, so I don't have any
    > information on how it was done. After the attack, login via the
    > console stopped working.
    > 
    > I have found the following files in /usr/bin: xchk and xsf. They
    > are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
    > sitting on port 14859. I don't know what the purpose of xchk is.
    > killall and ps were also replaced by programs which hide xsf and
    > xchk.
    > 
    > Has anyone seen something similar before and can point me to some
    > information? I tried searching for xsf / xchk in Google and
    > didn't have any results.
    > 
    > -- 
    > Best Regards
    > Vladimir Ivaschenko
    > Certified Linux Engineer (RHCE)
    
    -- 
    Best Regards
    Vladimir Ivaschenko
    Certified Linux Engineer (RHCE)
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
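As an added example (this is not code from the thread or from any of its posters), the following Python script turns the manual checks described above into repeatable triage steps for a suspected user-land rootkit on Linux: it compares the kernel's /proc view with what a possibly trojaned ps reports, parses /proc/net/tcp for listening sockets and flags the port the hidden ssh daemon used, and emulates `strings` over system binaries to find references to the /dev/tux directory. Port 14859 and the /dev/tux path come from the thread; the sample /proc/net/tcp rows, the sample binary bytes, and the list of binaries to inspect are constructed assumptions.

```python
"""Triage checks for the rootkit symptoms described in the thread: a trojaned
ps/killall hiding processes, an ssh daemon on an odd port, and replaced
binaries that reference files under /dev/tux. The check functions take raw
inputs, so they also work on data copied off a suspect host."""
import os
import re
import subprocess
from typing import Iterable, List, Set

# Indicators taken from the thread itself.
SUSPECT_PORTS = {14859}            # port of the hidden "xsf" ssh daemon
SUSPECT_PATHS = (b"/dev/tux",)     # directory the trojaned binaries referenced

# Constructed sample data (not captured from any real host) so the checks can
# be exercised offline. 0x3A0B == 14859, 0x0016 == 22; "0A" is LISTEN.
SAMPLE_PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:3A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1\n"
    "   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1\n"
    "   2: 0100007F:0016 0200007F:C001 01 00000000:00000000 00:00000000 00000000     0        0 3 1\n"
)
SAMPLE_PROC_ENTRIES = ["1", "2", "1234", "self", "net", "4321"]   # /proc listing
SAMPLE_PS_OUTPUT = " 1\n 2\n 1234\n"                              # trojaned ps omits 4321
SAMPLE_BINARY = b"\x7fELF\x01\x00/bin/sh\x00/dev/tux/ssh2/logo\x00xsf\x00"


def parse_ps_pids(ps_output: str) -> Set[int]:
    """PIDs from the output of `ps -eo pid=` (one bare PID per line)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def proc_pids(proc_entries: Iterable[str]) -> Set[int]:
    """PIDs from a listing of /proc (only the purely numeric entries)."""
    return {int(name) for name in proc_entries if name.isdigit()}


def hidden_pids(proc_entries: Iterable[str], ps_output: str) -> Set[int]:
    """Processes present in /proc but absent from ps output.

    A trojaned ps filters its own listing but cannot filter the kernel's /proc
    view. Caveat: a process that exits between the two snapshots shows up as a
    false positive, so re-check any hit before acting on it."""
    return proc_pids(proc_entries) - parse_ps_pids(ps_output)


def listening_ports(proc_net_tcp: str) -> Set[int]:
    """TCP ports in LISTEN state (st == 0A) parsed from /proc/net/tcp text."""
    ports: Set[int] = set()
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def suspect_strings(blob: bytes, needles=SUSPECT_PATHS, min_len: int = 4) -> List[bytes]:
    """Emulate `strings` on a binary and keep runs that mention a suspect path."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group() for m in re.finditer(pattern, blob)
            if any(n in m.group() for n in needles)]


def run_checks(proc_entries, ps_output, proc_net_tcp, binaries: dict) -> dict:
    """Apply all three checks to the given inputs; `binaries` maps path -> bytes."""
    return {
        "hidden_pids": sorted(hidden_pids(proc_entries, ps_output)),
        "suspect_ports": sorted(listening_ports(proc_net_tcp) & SUSPECT_PORTS),
        "tainted_binaries": {p: h for p, b in binaries.items()
                             if (h := suspect_strings(b))},
    }


def demo() -> dict:
    """Run the checks over the constructed sample data."""
    return run_checks(SAMPLE_PROC_ENTRIES, SAMPLE_PS_OUTPUT, SAMPLE_PROC_NET_TCP,
                      {"/usr/bin/xsf-sample": SAMPLE_BINARY})


def live_report(binaries=("/bin/ps", "/usr/bin/killall", "/bin/netstat")) -> dict:
    """Run the checks against the running host (Linux, ideally as root)."""
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=False).stdout
    with open("/proc/net/tcp") as fh:
        net_tcp = fh.read()
    blobs = {}
    for path in binaries:                            # assumed paths; adjust per host
        try:
            with open(path, "rb") as fh:
                blobs[path] = fh.read()
        except OSError:
            continue
    return run_checks(os.listdir("/proc"), ps_out, net_tcp, blobs)


if __name__ == "__main__":
    print("sample data:", demo())
    if os.path.exists("/proc/net/tcp"):
        print("this host:", live_report())
```

Because the trojaned ps and killall on the compromised host cannot be trusted, the /proc comparison is the check that matters: a PID the kernel knows about but ps will not show is exactly the symptom the thread describes. Binaries copied off the box can be fed to `suspect_strings` from a clean machine, which sidesteps any tampering with the local `strings` as well.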
    



    This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 08:49:44 PST