Re: optic rootkit (was Re: xsf/xchk) Maybe t0rn

From: anon-ymousat_private
Date: Thu Jan 31 2002 - 16:02:47 PST


    
    In-Reply-To: <20020122234318.A23130at_private>
    
    I have also found this rootkit on a redhat7.2 system 
    running wu-ftpd-2.6.1-18 behind a redhat 7.0 masq 
    server. Here is what I have.
    
    redhat7.2 system, from rc.local
    
    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.
    
    touch /var/lock/subsys/local
    "/var/ftp/work/k"
    
    --------everything else was deleted I guess by the kit
    
    
    
    redhat7.2 system, from rc.sysinit, the last 10 lines
    
    if [ "$PROMPT" != "no" ]; then
       /sbin/getkey i && touch /var/run/confirm
    fi
    wait
    # Xntps (NTPv3 daemon) startup..
    /usr/sbin/xntps -q
    # Running Xsf ...
    /usr/bin/xsf -q 1>/dev/null 2>/dev/null
    # Running Xchk ...
    /usr/bin/xchk 1>/dev/null 2>/dev/null
    
    redhat 7.0 masq server /var/log/messages
    
    Jan 30 22:34:09 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:3389 MY-IP:21 
    L=60 S=0x00 I=60012 F=0x4000 T=48 SYN (#2)
    Jan 30 22:34:09 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:3389 MY-IP:21 
    L=52 S=0x00 I=60028 F=0x4000 T=48 (#2)
    Jan 30 22:34:09 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:3389 MY-IP:21 
    L=52 S=0x00 I=60039 F=0x4000 T=48 (#2)
    Jan 30 22:34:14 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:3389 MY-IP:21 
    L=40 S=0x00 I=62039 F=0x0000 T=239 (#2)
    Jan 30 22:34:14 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:3389 MY-IP:21 
    L=40 S=0x00 I=62045 F=0x0000 T=239 (#2)
    Jan 30 22:39:57 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2626 MY-IP:21 
    L=60 S=0x00 I=21730 F=0x4000 T=48 SYN (#2)
    Jan 30 22:39:57 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2626 MY-IP:21 
    L=52 S=0x00 I=21732 F=0x4000 T=48 (#2)
    Jan 30 22:39:58 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2626 MY-IP:21 
    L=52 S=0x00 I=21735 F=0x4000 T=48 (#2)
    Jan 30 22:39:58 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2626 MY-IP:21 
    L=52 S=0x00 I=21737 F=0x4000 T=48 (#2)
    Jan 30 22:39:58 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2626 MY-IP:21 
    L=40 S=0x00 I=21742 F=0x0000 T=239 (#2)
    Jan 30 22:39:58 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2626 MY-IP:21 
    L=40 S=0x00 I=21743 F=0x0000 T=239 (#2)
    Jan 30 23:00:10 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=60 S=0x00 I=28099 F=0x4000 T=48 SYN (#2)
    Jan 30 23:00:10 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28100 F=0x4000 T=48 (#2)
    Jan 30 23:00:12 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28105 F=0x4000 T=48 (#2)
    Jan 30 23:00:12 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=61 S=0x00 I=28106 F=0x4000 T=48 (#2)
    Jan 30 23:00:12 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28109 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28114 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=66 S=0x00 I=28115 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28116 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28118 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28119 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28120 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28121 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28122 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28123 F=0x4000 T=48 (#2)
    Jan 30 23:00:13 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28124 F=0x4000 T=48 (#2)
    Jan 30 23:00:14 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28125 F=0x4000 T=48 (#2)
    Jan 30 23:00:14 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28126 F=0x4000 T=48 (#2)
    Jan 30 23:00:15 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28129 F=0x4000 T=48 (#2)
    Jan 30 23:00:15 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28130 F=0x4000 T=48 (#2)
    Jan 30 23:00:15 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28131 F=0x4000 T=48 (#2)
    Jan 30 23:00:15 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28132 F=0x4000 T=48 (#2)
    Jan 30 23:00:15 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28137 F=0x4000 T=48 (#2)
    Jan 30 23:00:15 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28138 F=0x4000 T=48 (#2)
    Jan 30 23:00:15 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28141 F=0x4000 T=48 (#2)
    Jan 30 23:00:16 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28142 F=0x4000 T=48 (#2)
    Jan 30 23:00:16 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28144 F=0x4000 T=48 (#2)
    Jan 30 23:00:16 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28145 F=0x4000 T=48 (#2)
    Jan 30 23:00:16 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28146 F=0x4000 T=48 (#2)
    Jan 30 23:00:16 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28147 F=0x4000 T=48 (#2)
    Jan 30 23:00:16 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28148 F=0x4000 T=48 (#2)
    Jan 30 23:00:16 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28149 F=0x4000 T=48 (#2)
    Jan 30 23:00:17 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28150 F=0x4000 T=48 (#2)
    Jan 30 23:00:17 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28151 F=0x4000 T=48 (#2)
    Jan 30 23:00:17 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28152 F=0x4000 T=48 (#2)
    Jan 30 23:00:17 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28153 F=0x4000 T=48 (#2)
    Jan 30 23:00:18 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28154 F=0x4000 T=48 (#2)
    Jan 30 23:00:18 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28155 F=0x4000 T=48 (#2)
    Jan 30 23:00:19 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28156 F=0x4000 T=48 (#2)
    Jan 30 23:00:19 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28157 F=0x4000 T=48 (#2)
    Jan 30 23:00:19 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28158 F=0x4000 T=48 (#2)
    Jan 30 23:00:19 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28159 F=0x4000 T=48 (#2)
    Jan 30 23:00:19 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28160 F=0x4000 T=48 (#2)
    Jan 30 23:00:19 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28161 F=0x4000 T=48 (#2)
    Jan 30 23:00:19 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28162 F=0x4000 T=48 (#2)
    Jan 30 23:00:20 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28163 F=0x4000 T=48 (#2)
    Jan 30 23:00:20 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28164 F=0x4000 T=48 (#2)
    Jan 30 23:00:20 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28165 F=0x4000 T=48 (#2)
    Jan 30 23:00:20 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28166 F=0x4000 T=48 (#2)
    Jan 30 23:00:20 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28167 F=0x4000 T=48 (#2)
    Jan 30 23:00:20 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28168 F=0x4000 T=48 (#2)
    Jan 30 23:00:20 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28169 F=0x4000 T=48 (#2)
    Jan 30 23:00:20 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28170 F=0x4000 T=48 (#2)
    Jan 30 23:00:21 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28171 F=0x4000 T=48 (#2)
    Jan 30 23:00:21 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28177 F=0x4000 T=48 (#2)
    Jan 30 23:00:22 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28187 F=0x4000 T=48 (#2)
    Jan 30 23:00:22 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28188 F=0x4000 T=48 (#2)
    Jan 30 23:00:22 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28191 F=0x4000 T=48 (#2)
    Jan 30 23:00:22 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28192 F=0x4000 T=48 (#2)
    Jan 30 23:00:22 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28194 F=0x4000 T=48 (#2)
    Jan 30 23:00:23 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28196 F=0x4000 T=48 (#2)
    Jan 30 23:00:23 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28197 F=0x4000 T=48 (#2)
    Jan 30 23:00:23 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28198 F=0x4000 T=48 (#2)
    Jan 30 23:00:23 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28199 F=0x4000 T=48 (#2)
    Jan 30 23:00:23 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28200 F=0x4000 T=48 (#2)
    Jan 30 23:00:23 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28201 F=0x4000 T=48 (#2)
    Jan 30 23:00:23 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28202 F=0x4000 T=48 (#2)
    Jan 30 23:00:23 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28203 F=0x4000 T=48 (#2)
    Jan 30 23:00:24 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28204 F=0x4000 T=48 (#2)
    Jan 30 23:00:24 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28205 F=0x4000 T=48 (#2)
    Jan 30 23:00:24 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28209 F=0x4000 T=48 (#2)
    Jan 30 23:00:24 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28210 F=0x4000 T=48 (#2)
    Jan 30 23:00:25 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28212 F=0x4000 T=48 (#2)
    Jan 30 23:00:25 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28213 F=0x4000 T=48 (#2)
    Jan 30 23:00:25 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28214 F=0x4000 T=48 (#2)
    Jan 30 23:00:26 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28217 F=0x4000 T=48 (#2)
    Jan 30 23:00:26 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28218 F=0x4000 T=48 (#2)
    Jan 30 23:00:26 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28219 F=0x4000 T=48 (#2)
    Jan 30 23:00:26 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28220 F=0x4000 T=48 (#2)
    Jan 30 23:00:26 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28221 F=0x4000 T=48 (#2)
    Jan 30 23:00:26 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28222 F=0x4000 T=48 (#2)
    Jan 30 23:00:26 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28223 F=0x4000 T=48 (#2)
    Jan 30 23:00:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28224 F=0x4000 T=48 (#2)
    Jan 30 23:00:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28225 F=0x4000 T=48 (#2)
    Jan 30 23:00:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28226 F=0x4000 T=48 (#2)
    Jan 30 23:00:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28227 F=0x4000 T=48 (#2)
    Jan 30 23:00:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28228 F=0x4000 T=48 (#2)
    Jan 30 23:00:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28229 F=0x4000 T=48 (#2)
    Jan 30 23:00:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28230 F=0x4000 T=48 (#2)
    Jan 30 23:00:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28231 F=0x4000 T=48 (#2)
    Jan 30 23:00:28 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28232 F=0x4000 T=48 (#2)
    Jan 30 23:00:28 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28233 F=0x4000 T=48 (#2)
    Jan 30 23:00:28 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28234 F=0x4000 T=48 (#2)
    Jan 30 23:00:29 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28235 F=0x4000 T=48 (#2)
    Jan 30 23:00:29 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28236 F=0x4000 T=48 (#2)
    Jan 30 23:00:29 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=56 S=0x00 I=28237 F=0x4000 T=48 (#2)
    Jan 30 23:00:29 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=560 S=0x00 I=28238 F=0x4000 T=48 (#2)
    Jan 30 23:00:29 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28239 F=0x4000 T=48 (#2)
    Jan 30 23:00:29 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=68 S=0x00 I=28240 F=0x4000 T=48 (#2)
    Jan 30 23:00:29 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=58 S=0x00 I=28241 F=0x4000 T=48 (#2)
    Jan 30 23:00:30 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=75 S=0x00 I=28242 F=0x4000 T=48 (#2)
    Jan 30 23:00:30 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=63 S=0x00 I=28243 F=0x4000 T=48 (#2)
    Jan 30 23:00:30 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28244 F=0x4000 T=48 (#2)
    Jan 30 23:00:30 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=62 S=0x00 I=28245 F=0x4000 T=48 (#2)
    Jan 30 23:00:30 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=59 S=0x00 I=28246 F=0x4000 T=48 (#2)
    Jan 30 23:00:31 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=73 S=0x00 I=28249 F=0x4000 T=48 (#2)
    Jan 30 23:00:31 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=59 S=0x00 I=28251 F=0x4000 T=48 (#2)
    Jan 30 23:00:32 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=124 S=0x00 I=28257 F=0x4000 T=48 (#2)
    Jan 30 23:00:33 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=80 S=0x00 I=28267 F=0x4000 T=48 (#2)
    Jan 30 23:00:33 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=356 S=0x00 I=28272 F=0x4000 T=48 (#2)
    Jan 30 23:00:33 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=355 S=0x00 I=28274 F=0x4000 T=48 (#2)
    Jan 30 23:00:34 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=172 S=0x00 I=28276 F=0x4000 T=48 (#2)
    Jan 30 23:00:45 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28301 F=0x4000 T=48 (#2)
    Jan 30 23:01:25 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28315 F=0x4000 T=48 (#2)
    Jan 30 23:01:25 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28316 F=0x4000 T=48 (#2)
    Jan 30 23:01:27 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28319 F=0x4000 T=48 (#2)
    Jan 30 23:01:34 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28325 F=0x4000 T=48 (#2)
    Jan 30 23:01:35 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28326 F=0x4000 T=48 (#2)
    Jan 30 23:01:36 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28329 F=0x4000 T=48 (#2)
    Jan 30 23:01:36 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28331 F=0x4000 T=48 (#2)
    Jan 30 23:01:36 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28332 F=0x4000 T=48 (#2)
    Jan 30 23:01:39 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28335 F=0x4000 T=48 (#2)
    Jan 30 23:01:39 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28336 F=0x4000 T=48 (#2)
    Jan 30 23:03:44 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=28557 F=0x4000 T=48 (#2)
    Jan 30 23:17:10 MY kernel: Packet log: input 
    ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 
    L=52 S=0x00 I=20563 F=0x4000 T=48 (#2)
    
    files found
    /dev/tux/ssh2    with these files in the directory
                         hostkey        logo             sshd2_config
                         hostkey.pub     random_seed
    
    /usr/bin   w/files in directory
                         xsf                xchk
    
    
    stat /bin/ps
    
      File: "/bin/ps"
      Size: 62920     	Blocks: 136        IO Block: 4096   Regular File
    Device: 302h/770d	Inode: 148152      Links: 1
    Access: (0755/-rwxr-xr-x)  Uid: ( 1042/ UNKNOWN)   Gid: ( 1037/ UNKNOWN)
    Access: Thu Jan 31 06:52:57 2002
    Modify: Mon Aug 27 23:16:31 2001
    Change: Tue Jan 30 23:01:50 2001
    
    hmmm Uid 1042 Gid 1037
    
    find / -user 1042   or find / -group 1037
    
    /bin/ls
    /bin/ps
    /bin/netstat
    /lib/lidps1.so
    /sbin/syslogd
    /sbin/ifconfig
    /usr/bin/dir
    /usr/bin/top
    /usr/bin/pstree
    /usr/bin/md5sum
    /usr/bin/find ---maybe more files since find is modified
    /usr/bin/slocate
    /usr/include/file.h
    /usr/include/hosts.h
    /usr/include/log.h
    /usr/include/proc.h
    /usr/sbin/lsof
    
    --------------- inside of files.h 
     libext-2.so.7
    .t0rn
    t0rn
    system
    tksb
    tkp
    lblip.tk
    tks
    ldd.so
    srd0
    ldlib.5
    lpd-scan
    .log
    ...
    s
    ldd.so
    system
    BitchX
    egg
    .cl
    system.log
    ld.so.hash
    tux
    .pw
    
    ---------------------inside log.h
    62.236
    t0rn
    torn
    tornkit
    216.119
    216.171
    home.com
    dpe.net
    sshd
    hack
    216.171
    
    --------------------inside hosts.h
    
    2 193.60
    2 216.119
    3 10152
    2 216.171
    0 0
    2 216.171
    2 65.15
    4 22
    4 1022
    4 6667
    4 18725
    
    ------------------inside of proc.h
    
    3 t0rn
    3 xsf
    3 bash
    3 tk
    3 k
    3 ssh2d
    3 sh
    3 in.inetd
    3 eggdrop
    
    
    Now I guess this is a modified version of t0rn. Well,
    any info on this or what to do next (besides a
    complete reinstall, which I will do in a week or so)
    would be helpful.
    
    
    First post here and, what do you know, I am a victim.
    
         get in where you fit in
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
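Added example for this page (not code from the post above, from the t0rn kit, or from SecurityFocus): the two checks the poster did by hand, in runnable form. The first part parses ipchains "Packet log:" lines of the kind the Red Hat 7.0 masq box wrote to /var/log/messages, rebuilds per-connection summaries keyed on source address and port, and flags flows to port 21 in which a single inbound packet was far larger than an interactive FTP command line. The second part lists files under system directories that are not owned by root:root and clusters them by (uid, gid), which is how the poster went from one odd stat on /bin/ps to the full list of trojaned binaries. The embedded log lines are copied from the post (with its Bad-IP / MY-IP placeholders, rejoined onto one line each); the file records are constructed. The year 2002, the 200-byte threshold and the directory list are assumptions made for the example.

```python
"""Triage helpers for a t0rn-style compromise: ipchains log flows and
non-root ownership of system files. Added example, not the poster's or
the kit's code. Sample log lines come from the post; file records are
constructed; year, threshold and directory list are assumptions."""
import os
import re
from datetime import datetime

# ipchains (2.2 kernel) packet log line:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<ip len> S=<tos> I=<ip id> F=<frag/DF> T=<ttl> [SYN] (#<rule>)
PACKET_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.\-]+):(?P<sport>\d+) (?P<dst>[\w.\-]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=\d+ F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)\s*$"
)


def parse_packet_log(lines, year=2002):
    """Parse ipchains packet-log lines; other syslog lines are skipped.
    syslog lines carry no year, so the caller supplies it (assumed 2002)."""
    packets = []
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if not m:
            continue
        packets.append({
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "chain": m["chain"], "target": m["target"], "iface": m["iface"],
            "proto": int(m["proto"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"]),
            "ttl": int(m["ttl"]), "syn": m["syn"] is not None, "rule": int(m["rule"]),
        })
    return packets


def summarize_sessions(packets):
    """Group packets by (src, sport, dst, dport) and summarise each flow.
    Two TTL values from one source inside one flow are reported, not judged."""
    sessions = {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        s = sessions.setdefault(key, {"start": p["time"], "end": p["time"],
                                      "packets": 0, "bytes": 0, "max_len": 0,
                                      "syn": False, "ttls": set()})
        s["start"] = min(s["start"], p["time"])
        s["end"] = max(s["end"], p["time"])
        s["packets"] += 1
        s["bytes"] += p["len"]
        s["max_len"] = max(s["max_len"], p["len"])
        s["syn"] = s["syn"] or p["syn"]
        s["ttls"].add(p["ttl"])
    for s in sessions.values():
        s["duration_s"] = (s["end"] - s["start"]).total_seconds()
    return sessions


def suspicious_sessions(sessions, port=21, max_cmd_len=200):
    """Flows to the FTP control port in which one inbound packet carried far
    more than an interactive FTP command would; pull these sessions first
    when the FTP daemon is the suspected entry point. Threshold is assumed."""
    hits = [k for k, s in sessions.items() if k[3] == port and s["max_len"] > max_cmd_len]
    return sorted(hits, key=lambda k: sessions[k]["start"])


# Assumed list; on a mounted victim disk prefix each entry with the mount point.
SYSTEM_DIRS = ("/bin", "/sbin", "/lib", "/usr/bin", "/usr/sbin", "/usr/include")


def walk_records(root):
    """Yield (path, uid, gid) for every file under root via lstat. This goes
    through the kernel and libc only, but the poster's find and ls were
    replaced, so run it from a clean boot medium rather than the live box."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_uid, st.st_gid


def unexpected_owners(records, system_dirs=SYSTEM_DIRS):
    """Files under system_dirs whose owner is not root:root."""
    def in_system_dir(path):
        return any(path == d or path.startswith(d + "/") for d in system_dirs)
    return [(p, uid, gid) for p, uid, gid in records
            if in_system_dir(p) and (uid, gid) != (0, 0)]


def owner_groups(hits):
    """Cluster hits by (uid, gid): one odd pair shared by ps, ls, syslogd and a
    few fake headers in /usr/include is the kit's footprint."""
    groups = {}
    for path, uid, gid in hits:
        groups.setdefault((uid, gid), []).append(path)
    return {k: sorted(v) for k, v in groups.items()}


# Lines copied from the post, rejoined onto one line each; last line is filler.
SAMPLE_LOG = """\
Jan 30 22:34:09 MY kernel: Packet log: input ACCEPT eth0 PROTO=6 Bad-IP:3389 MY-IP:21 L=60 S=0x00 I=60012 F=0x4000 T=48 SYN (#2)
Jan 30 22:34:09 MY kernel: Packet log: input ACCEPT eth0 PROTO=6 Bad-IP:3389 MY-IP:21 L=52 S=0x00 I=60028 F=0x4000 T=48 (#2)
Jan 30 22:34:14 MY kernel: Packet log: input ACCEPT eth0 PROTO=6 Bad-IP:3389 MY-IP:21 L=40 S=0x00 I=62039 F=0x0000 T=239 (#2)
Jan 30 23:00:10 MY kernel: Packet log: input ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 L=60 S=0x00 I=28099 F=0x4000 T=48 SYN (#2)
Jan 30 23:00:29 MY kernel: Packet log: input ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 L=560 S=0x00 I=28238 F=0x4000 T=48 (#2)
Jan 30 23:00:33 MY kernel: Packet log: input ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 L=356 S=0x00 I=28272 F=0x4000 T=48 (#2)
Jan 30 23:17:10 MY kernel: Packet log: input ACCEPT eth0 PROTO=6 Bad-IP:2832 MY-IP:21 L=52 S=0x00 I=20563 F=0x4000 T=48 (#2)
Jan 30 23:01:50 MY kernel: eth0: link up
""".splitlines()

# Constructed file records; the uid/gid pair is the one the poster found.
SAMPLE_RECORDS = [("/bin/cat", 0, 0), ("/bin/ls", 1042, 1037), ("/bin/ps", 1042, 1037),
                  ("/sbin/syslogd", 1042, 1037), ("/usr/include/stdio.h", 0, 0),
                  ("/usr/include/proc.h", 1042, 1037), ("/home/bob/notes.txt", 500, 500)]

if __name__ == "__main__":
    sessions = summarize_sessions(parse_packet_log(SAMPLE_LOG))
    for key in suspicious_sessions(sessions):
        s = sessions[key]
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {s['start']:%b %d %H:%M:%S}"
              f" +{s['duration_s']:.0f}s  pkts={s['packets']} max_len={s['max_len']}")
    for (uid, gid), paths in owner_groups(unexpected_owners(SAMPLE_RECORDS)).items():
        print(f"uid={uid} gid={gid}: {' '.join(paths)}")
```

For a real disk, boot from clean media, mount the victim filesystem read-only and feed walk_records(mount point) into unexpected_owners with SYSTEM_DIRS prefixed by the mount point; if the RPM database on the disk is intact, rpm -Va against it gives an independent second list of changed files. The ipchains parser only sees what the masq box logged, so the absence of a large packet in a flow says nothing about flows that were never logged.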



    This archive was generated by hypermail 2b30 : Fri Feb 01 2002 - 12:45:21 PST