i'm seeing more port 111 hits lately, too. cn.net, snet.net, elim.net... that last one's Mexico. i think i also had a dialogue with some isp in Italy about rpc probes, too. yes, i'm certainly seeing more... more FTP than usual, too, frankly. my main surprise was a HUGE burst of Nimda and other port 80 nonsense yesterday and today.

Brian Rea
Senior Network Engineer
PhysioMetrics

----- Original Message -----
From: John Stauffacher <stauffacherat_private>
To: <incidentsat_private>
Sent: Tuesday, January 22, 2002 21:05
Subject: RPC EXPLOIT statdx

> In the past few days my firewall has picked up a surge of rpc related
> exploits (statdx) coming from the UK and various other off-shore sites.
> Anyone else see any strange rpc related activity, or am I just suddenly
> the target of pissed off script kiddies?
>
> ++
> John Stauffacher
> Network Administrator
> Chapman University
> stauffacherat_private
> 714-628-7249
>
> -----Original Message-----
> From: Vladimir Ivaschenko [mailto:hazardat_private]
> Sent: Tuesday, January 22, 2002 1:43 PM
> To: incidentsat_private
> Subject: optic rootkit (was Re: xsf/xchk)
>
> By using "strings" I have found that the changed binaries point to
> files inside the /dev/tux directory. Judging by /dev/tux/ssh2/logo,
> the name of the rootkit is "Optic Kit". I couldn't find anything
> about it using Google. If somebody is interested, I can share the
> needed information and the rootkit itself. I have made a copy of
> the rootkit-related files that I found. wtmp was removed, and
> /var/log/messages was cleaned to remove references to the attacker,
> e.g. FTP "connection opened" messages.
>
> We are going to reinstall the system, so please email me ASAP if
> you're interested in knowing any additional details.
>
> Vladimir Ivaschenko wrote about "xsf/xchk":
>
> > Hi,
> >
> > Today my friend's RedHat 7.1 Linux machine was compromised.
> > I have just started investigating, so I don't have any
> > information on how it was done. After the attack, login via the
> > console stopped working.
> >
> > I have found the following files in /usr/bin: xchk and xsf. They
> > are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
> > sitting on port 14859. I don't know what the purpose of xchk is.
> > killall and ps were also replaced by programs which hide xsf and
> > xchk.
> >
> > Has anyone seen something similar before and can point me to some
> > information? I tried searching for xsf / xchk in Google and
> > didn't get any results.
> >
> > --
> > Best Regards
> > Vladimir Ivaschenko
> > Certified Linux Engineer (RHCE)
>
> --
> Best Regards
> Vladimir Ivaschenko
> Certified Linux Engineer (RHCE)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
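The hiding behaviour Vladimir describes (ps and killall replaced to conceal xsf and xchk, an ssh daemon on port 14859, rootkit files under /dev/tux, entries in /etc/rc.d/rc.sysinit) can be cross-checked against /proc, which a trojaned userland ps cannot filter. This is an added example, not code from the thread; it assumes Python 3 on the affected host and that no kernel module is hiding entries from /proc itself.

```python
import os
import re
import subprocess

# Indicators quoted from the thread: xsf/xchk in /usr/bin started from
# rc.sysinit, an ssh daemon on 14859, rootkit files under /dev/tux.
SUSPECT_NAMES = ("xsf", "xchk")
SUSPECT_PORT = 14859
SUSPECT_DIR = "/dev/tux"

def hidden_pids(proc_pids, ps_pids):
    """PIDs listed in /proc but missing from ps output (a trojaned ps filters them)."""
    return sorted(set(proc_pids) - set(ps_pids))

def parse_ps_pids(ps_output):
    """Extract the PID column from `ps -e` output, skipping the header line."""
    pids = []
    for line in ps_output.splitlines()[1:]:
        parts = line.split()
        if parts and parts[0].isdigit():
            pids.append(int(parts[0]))
    return pids

def listening_ports(proc_net_tcp):
    """Parse /proc/net/tcp text and return local ports in LISTEN state (st == 0A)."""
    ports = []
    for line in proc_net_tcp.splitlines()[1:]:
        parts = line.split()
        if len(parts) > 3 and parts[3] == "0A":
            ports.append(int(parts[1].split(":")[1], 16))  # port field is hex
    return sorted(ports)

def rc_sysinit_hits(rc_text):
    """Lines of rc.sysinit that launch one of the suspect binaries."""
    pat = re.compile(r"/usr/bin/(%s)\b" % "|".join(SUSPECT_NAMES))
    return [l.strip() for l in rc_text.splitlines() if pat.search(l)]

if __name__ == "__main__" and os.path.isdir("/proc"):
    proc = [int(p) for p in os.listdir("/proc") if p.isdigit()]
    ps = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    print("pids hidden from ps:", hidden_pids(proc, parse_ps_pids(ps)))
    with open("/proc/net/tcp") as f:
        print("listener on %d:" % SUSPECT_PORT, SUSPECT_PORT in listening_ports(f.read()))
    print("rootkit dir present:", os.path.isdir(SUSPECT_DIR))
    if os.path.exists("/etc/rc.d/rc.sysinit"):
        with open("/etc/rc.d/rc.sysinit") as f:
            print("rc.sysinit hits:", rc_sysinit_hits(f.read()))
```

A PID that exits between the /proc listing and the ps call will also show up as "hidden", so treat a single transient hit as noise and a persistent one as a finding; a trusted, statically linked ps from known-good media remains the better comparison when available.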
This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 10:12:17 PST