Re: RPC EXPLOIT statdx

From: Brian (breaat_private)
Date: Wed Jan 23 2002 - 09:40:21 PST


    I'm seeing more port 111 hits lately, too.  cn.net, snet.net, elim.net...
    that last one's Mexico.  I think I also had a dialogue with some ISP in
    Italy about RPC probes, too. Yes, I'm certainly seeing more... more FTP than
    usual, too, frankly.
    
    My main surprise was a HUGE burst of Nimda and other port 80 nonsense
    yesterday and today.
    
    Brian Rea
    Senior Network Engineer
    PhysioMetrics
    
    
    ----- Original Message -----
    From: John Stauffacher <stauffacherat_private>
    To: <incidentsat_private>
    Sent: Tuesday, January 22, 2002 21:05
    Subject: RPC EXPLOIT statdx
    
    
    > In the past few days my firewall has picked up a surge of RPC-related
    > exploits (statdx) coming from the UK and various other off-shore sites.
    > Anyone else see any strange RPC-related activity, or am I just suddenly
    > the target of pissed-off script kiddies?
    >
    >
    > ++
    > John Stauffacher
    > Network Administrator
    > Chapman University
    > stauffacherat_private
    > 714-628-7249
    >
    > -----Original Message-----
    > From: Vladimir Ivaschenko [mailto:hazardat_private]
    > Sent: Tuesday, January 22, 2002 1:43 PM
    > To: incidentsat_private
    > Subject: optic rootkit (was Re: xsf/xchk)
    >
    > By using "strings" I have found that the changed binaries point to
    > files inside the /dev/tux directory. Judging by /dev/tux/ssh2/logo,
    > the name of the rootkit is "Optic Kit". I couldn't find anything
    > about it using Google. If somebody is interested, I can share
    > the needed information and the rootkit itself. I have made a copy of
    > the rootkit-related files that I found. wtmp was removed, and
    > /var/log/messages was cleaned to remove references to the attacker
    > - e.g. FTP "connection opened" messages.
    >
    > We are going to reinstall the system, so please email me ASAP if
    > you're interested in any additional details.
    >
    > Vladimir Ivaschenko wrote about "xsf/xchk":
    >
    > > Hi,
    > >
    > > Today a friend's RedHat 7.1 Linux machine was compromised.
    > > I have just started investigating, so I don't have any
    > > information on how it was done. After the attack, login via console
    > > stopped working.
    > >
    > > I have found the following files in /usr/bin: xchk and xsf. They
    > > are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
    > > sitting on port 14859. I don't know what the purpose of xchk is.
    > > killall and ps were also replaced by programs which hide xsf and
    > > xchk.
    > >
    > > Has anyone seen something similar before and can point me to some
    > > information? I tried searching for xsf / xchk in Google and
    > > didn't get any results.
    > >
    > > --
    > > Best Regards
    > > Vladimir Ivaschenko
    > > Certified Linux Engineer (RHCE)
    >
    > --
    > Best Regards
    > Vladimir Ivaschenko
    > Certified Linux Engineer (RHCE)
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    
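The triage Vladimir describes above (running strings over the replaced binaries, finding the hidden /dev/tux directory, and an ssh daemon on port 14859 that the trojaned ps and killall hide) can be done without trusting the box's own tools, which is the point once ps and friends are known to be replaced. The following is an added example, not code posted by anyone in this thread: Python helpers that re-implement the core of strings(1) over raw bytes, read listening sockets straight from /proc/net/tcp instead of netstat, and diff the numeric entries in /proc against what ps reports. /dev/tux and port 14859 come from the thread; the sample binary bytes, the /proc/net/tcp text and the ps output are constructed, and the "subdirectory under /dev" heuristic with its pts/shm allowlist is my assumption about what a core utility should never reference.

```python
"""Offline triage helpers for a user-land rootkit of the kind reported in
this thread: replaced ps/killall, binaries pointing at a hidden directory
under /dev, and an extra ssh daemon on a high port.  Every check reads raw
bytes or /proc text rather than calling system tools, so it still works when
those tools are the thing that was trojaned.
Added example, not code from the list posters.  /dev/tux and port 14859 are
taken from the thread; all sample inputs below are constructed."""
import re

# --- 1. strings(1) over a suspect binary -------------------------------------
# A path with a subdirectory under /dev is unusual for a core utility (they
# reference /dev/null, /dev/tty and the like, not /dev/<dir>/...).  /dev/pts
# and /dev/shm are the common legitimate exceptions (assumed allowlist).
DEV_SUBDIR = re.compile(r'/dev/(?!pts/|shm/)[^/\s\x00]+/[^\s\x00]*')


def extract_strings(data: bytes, minlen: int = 4):
    """Printable ASCII runs of at least minlen bytes, like `strings -n minlen`."""
    pat = re.compile(rb'[\x20-\x7e]{%d,}' % minlen)
    return [m.group().decode('ascii') for m in pat.finditer(data)]


def suspicious_dev_paths(data: bytes):
    """Strings in a binary that reference a directory under /dev."""
    hits = []
    for s in extract_strings(data):
        hits.extend(DEV_SUBDIR.findall(s))
    return sorted(set(hits))


# --- 2. listeners from /proc/net/tcp, bypassing netstat ----------------------
TCP_LISTEN = '0A'   # socket state value for LISTEN in /proc/net/tcp


def listening_ports(proc_net_tcp: str):
    """Parse /proc/net/tcp text and return sorted local ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local.rsplit(':', 1)[1], 16))   # port is hex
    return sorted(ports)


def unexpected_listeners(proc_net_tcp: str, expected: set):
    """Listening ports that are not in the set the admin expects on this host."""
    return [p for p in listening_ports(proc_net_tcp) if p not in expected]


# --- 3. PIDs present in /proc but missing from ps output ----------------------
def hidden_pids(proc_entries, ps_output: str):
    """Numeric /proc entries that a (possibly trojaned) ps does not report."""
    in_proc = {int(e) for e in proc_entries if e.isdigit()}
    in_ps = {int(l.split()[0]) for l in ps_output.splitlines()[1:] if l.split()}
    return sorted(in_proc - in_ps)


# --- constructed sample inputs -----------------------------------------------
# Fake "binary": an ELF-looking prefix followed by the strings a trojaned ps
# might carry.  Only the /dev/tux references should be flagged.
SAMPLE_BINARY = (b'\x7fELF\x02\x01\x01' + b'\x00' * 9
                 + b'/dev/tux/ssh2/sshd_config\x00'
                 + b'/dev/null\x00'
                 + b'/dev/pts/%d\x00'
                 + b'/bin/ps\x00\x01\x02'
                 + b'/dev/tux/.hidepids\x00')

# local_address is addr:port in hex; 0x0016 == 22, 0x006F == 111, 0x3A0B == 14859
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 00000000 100 0 0 10 0
   2: 00000000:3A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 00000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 00000000 100 0 0 10 0
"""

# What os.listdir('/proc') might return, versus what the replaced ps prints.
SAMPLE_PROC_ENTRIES = ['1', '2', '417', '912', '913', 'cpuinfo', 'net', 'self']
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
    2 ?        SW     0:00 [kflushd]
  417 ?        S      0:00 /usr/sbin/sshd
"""

if __name__ == '__main__':
    print('suspicious /dev references:', suspicious_dev_paths(SAMPLE_BINARY))
    print('unexpected listeners:', unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 111}))
    print('pids hidden from ps:', hidden_pids(SAMPLE_PROC_ENTRIES, SAMPLE_PS))
```

On a live box the same functions would be fed `open('/usr/bin/ps','rb').read()`, `open('/proc/net/tcp').read()` and `os.listdir('/proc')`; the point is that /proc is populated by the kernel, so a user-land rootkit that only swapped ps, killall and netstat cannot hide from it (a kernel module rootkit can, which is why reinstalling, as Vladimir planned, is the right call regardless).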
    



    This archive was generated by hypermail 2b30 : Wed Jan 23 2002 - 10:12:17 PST