dtspcd and /tmp/.fakex, anyone got a copy?

From: Rune Kristian Viken (arcadeat_private)
Date: Fri Feb 22 2002 - 01:21:58 PST

    Recently some Solaris servers I admin were compromised, due to not
    being patched against the dtspcd flaw.  Now, the prudent thing is
    to just reinstall and so forth.
    
    It would however be nice to know what had been done.  The reason we
    found out about the compromise was an entry in root's crontab that
    said:
    
    0,15,30,45 * * * * /tmp/.fakex > /dev/null 2>&1
    
    However, due to our crontabs not having a trailing \n after the last
    line, the above mentioned crontab was appended to the end of our
    last crontab, thus resulting in a corrupt entry.
    
    No /tmp cleaning regime was running on the compromised servers, but
    we couldn't find the file /tmp/.fakex either.  So, something has
    cleaned that out.
    
    Furthermore, we tried ripping out the disk of one of the cracked
    servers, remounted it on a non-compromised machine, and ran md5sums
    on the entire system, compared them to what is available from
    SunSolve - and found that nothing had been changed out of the
    ordinary.
    
    In other words, we couldn't find any rootkit, nor any hidden
    directories or anything out of the ordinary.
    
    
    However, we found that a server behind a firewall, that only some
    of the compromised servers had access to, also had the invalid
    crontab entry.  Thus, we are quite certain that the 'visitors'
    managed to gain entry to the network.
    
    Now, what I would love is to get my hands on the exploit used, which
    uses '/tmp/.fakex'.  Russel Fulton posted a capture of a part of
    a packet containing /tmp/.fakex on January 22.  He has, however,
    had no luck in acquiring the rest of the exploit/packets, as that
    was the only incident with it.
    
    
    Any other incidents readers that have the rest?  Or have the exploit?
    I would be _very_ interested in getting my hands on it to use as a
    reference when doing the forensics on the servers.
    
    
    -- 
    Rune Kristian Viken
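The two crontab artefacts described in the post above (an entry that runs a dot-file under /tmp, and an appended entry fused onto the previous line because the file had no trailing newline) can be checked for mechanically. The script below is an added example, not from the original post; the sample crontab it writes is constructed, and the detection heuristics are this editor's own.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the two crontab
# artefacts described above, run against a constructed sample crontab file.

# Constructed sample: the legitimate last entry had no trailing newline, so the
# appended /tmp/.fakex entry fused onto it into one corrupt line.
write_sample_crontab() {
    printf '10 3 * * * /usr/lib/newsyslog\n' > "$1"
    printf '15 3 * * 0 /usr/lib/fs/nfs/nfsfind\n' >> "$1"
    printf '1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1' >> "$1"
    printf '0,15,30,45 * * * * /tmp/.fakex > /dev/null 2>&1' >> "$1"
}

# Exit 0 if the file's last byte is not a newline (the state in which a later
# append fuses onto the final entry), 1 otherwise.
missing_trailing_newline() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# Print "reason:line" for each suspicious entry:
#   tmpdot - the command references a dot-file under /tmp
#   fused  - a second schedule (five cron time fields) appears inside the
#            command, i.e. two entries were glued together by a missing newline
suspicious_cron_lines() {
    awk '
    BEGIN { sched = "^[-0-9*,/]+$"; schedend = "[-0-9*,/]+$" }
    /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
    {
        reason = ""
        if (index($0, "/tmp/.") > 0) reason = "tmpdot"
        for (i = 6; i <= NF - 4; i++) {
            # the first glued field keeps its tail (e.g. "2>&10,15,30,45"),
            # the next four must be whole schedule fields
            if ($i ~ schedend && $(i+1) ~ sched && $(i+2) ~ sched &&
                $(i+3) ~ sched && $(i+4) ~ sched) {
                reason = (reason == "") ? "fused" : (reason ",fused")
                break
            }
        }
        if (reason != "") print reason ":" $0
    }' "$1"
}

# Return the number of suspicious lines found in a crontab file.
count_suspicious() {
    suspicious_cron_lines "$1" | wc -l | tr -d ' '
}

# Usage: write the sample, then run both checks on it.
f="${TMPDIR:-/tmp}/crontab_sample_$$"
write_sample_crontab "$f"
missing_trailing_newline "$f" && echo "no trailing newline: $f"
suspicious_cron_lines "$f"
rm -f "$f"
```

On a real system the same functions apply to the files under /var/spool/cron/crontabs, which is where the fused entry in the post would have been found.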
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Feb 23 2002 - 04:47:59 PST