Hello there,

A friend's cable modem Linux machine was very recently compromised; the attackers obtained root access on the machine and modified certain system binaries in an attempt to hide their tracks. Anyway, it looked like they were hiding a program called 'xntps'. In addition, they had a modified md5sum which would generate bogus sums for the trojaned system files.

I did not have an opportunity to perform a full post-mortem system audit -- the person is 300 miles away and my first priority was to get him off the 'net and reinstalling his system. However, I was able to download the trojaned 'md5sum' and 'xntps' files. While studying Linux binaries without source is beyond my feeble abilities, I have determined that the modified md5sum binary attempts to read the file /dev/srd0 and write to the file /tmp/behsdf; I suspect the "bogus" sums are in /dev/srd0.

The system was a default rh7.1 install; I suspect that they got in via the wu-ftpd globbing exploit. Friends don't let friends run wu-ftpd.

- Sam

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
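The post describes a trojaned md5sum that reports canned sums for the replaced binaries, which is exactly why an investigator should never trust the compromised host's own hashing tool. The following is an added example (not part of the original post or any tool it mentions) of the two checks a responder would run from a trusted environment: recompute MD5 with an independent implementation and compare it against what the suspect md5sum printed, and scan the suspect binary for the embedded paths the poster found (/dev/srd0 and /tmp/behsdf come from the post; the file contents and md5sum output below are constructed sample data, and the function names are my own).

```python
import hashlib
import re

# Paths the poster found hard-coded in the trojaned md5sum.
# A clean coreutils md5sum has no reason to reference either of them.
SUSPICIOUS_PATHS = [b"/dev/srd0", b"/tmp/behsdf"]

# Shape of one "md5sum" output line: 32 hex digits, two spaces, a path.
MD5SUM_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+)$")


def independent_md5(data: bytes) -> str:
    """Hash with Python's own MD5 instead of the host's (possibly trojaned) binary."""
    return hashlib.md5(data).hexdigest()


def parse_md5sum_output(text: str) -> dict:
    """Turn captured md5sum output into {path: reported_hash}, ignoring junk lines."""
    reported = {}
    for line in text.splitlines():
        m = MD5SUM_LINE.match(line.strip())
        if m:
            reported[m.group(2)] = m.group(1).lower()
    return reported


def find_mismatches(file_contents: dict, reported: dict) -> list:
    """Return the paths whose reported sum differs from the independently computed one.

    file_contents: {path: raw bytes read from a trusted copy of the file}
    reported:      {path: hash printed by the suspect md5sum}
    A mismatch means the host's md5sum lied about that file (or the file changed).
    """
    bad = []
    for path, data in file_contents.items():
        if path not in reported:
            continue  # nothing to compare; caller should treat as unverified
        if independent_md5(data) != reported[path]:
            bad.append(path)
    return sorted(bad)


def embedded_suspicious_paths(binary: bytes) -> list:
    """List which of the known rootkit paths appear as literal strings in a binary."""
    return [p.decode() for p in SUSPICIOUS_PATHS if p in binary]


if __name__ == "__main__":
    # Constructed sample: two "system files" and the output a trojaned
    # md5sum might print for them (a canned sum for /bin/ls).
    files = {"/bin/ls": b"hello", "/bin/ps": b"ps-contents"}
    suspect_output = (
        "5d41402abc4b2a76b9719d911017c592  /bin/ls\n"
        "00000000000000000000000000000000  /bin/ps\n"
    )
    print("lying about:", find_mismatches(files, parse_md5sum_output(suspect_output)))
    fake_md5sum_binary = b"\x7fELF...garbage.../dev/srd0\x00/tmp/behsdf\x00"
    print("embedded paths:", embedded_suspicious_paths(fake_md5sum_binary))
```

The point of the design is that the trusted side of the comparison never touches the suspect host's toolchain: the bytes are read from a copy taken off the machine (or the RPM package files), and the hash is computed by the analyst's own interpreter. Checking for the embedded paths is a cheap first triage step; it only catches this particular trojan, whereas the hash comparison catches any md5sum that reports canned values.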
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 08:35:54 PDT