A friend's cable modem Linux machine just got compromised

From: Sam Trenholme (abiword_bugsat_private)
Date: Wed May 01 2002 - 01:18:57 PDT


    Hello there,

    A friend's cable modem linux machine was very recently
    compromised; the attackers obtained root access on the
    machine and modified certain system binaries in an
    attempt to hide their tracks.

    Anyway, it looked like they were hiding a program
    called 'xntps'.  In addition, they had a modified
    md5sum which would generate bogus sums for the
    trojaned system files.

    I did not have an opportunity to perform a full
    post-mortem system audit--the person is 300 miles away
    and my first priority was to get him to get off the
    'net and reinstall his system.  However, I was able
    to download the trojaned 'md5sum' and 'xntps' files.

    While studying Linux binaries without source is beyond
    my feeble abilities, I have determined that the
    modified md5sum binary attempts to read the file
    /dev/srd0 and write to the file /tmp/behsdf; I suspect
    the "bogus" sums are in /dev/srd0.

    The system was a default rh7.1 install; I suspect that
    they got in via the wu-ftpd globbing exploit.

    Friends don't let friends run wu-ftpd.

    - Sam
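A defender-side check for the two symptoms described in the post (a trojaned md5sum that reports bogus sums, and a rootkit keeping its data as a regular file under /dev, here /dev/srd0). This is an added example, not code from the original message; it assumes a baseline of known-good MD5 sums taken from trusted install media and that the system binary lives at /usr/bin/md5sum.

```python
import hashlib
import os
import stat
import subprocess

def md5_independent(path):
    """Hash the file with Python's own MD5 so a trojaned /usr/bin/md5sum cannot lie."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def md5_via_system(path, md5sum="/usr/bin/md5sum"):
    """Ask the on-disk md5sum (assumed path) for the same file; it may lie."""
    out = subprocess.run([md5sum, path], capture_output=True, text=True, check=True)
    return out.stdout.split()[0]

def regular_files_in_dev(dev="/dev"):
    """Regular (non-device) files under /dev are suspect: the rootkit kept /dev/srd0 there."""
    found = []
    for root, _dirs, files in os.walk(dev):
        for name in files:
            p = os.path.join(root, name)
            try:
                if stat.S_ISREG(os.lstat(p).st_mode):
                    found.append(p)
            except OSError:
                continue
    return sorted(found)

def check_binaries(baseline, system_sum=md5_via_system):
    """baseline: {path: known-good md5 from install media}. Returns (path, reason) findings."""
    findings = []
    for path, good in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        real = md5_independent(path)
        if real != good:
            findings.append((path, "content differs from baseline"))
        try:
            claimed = system_sum(path)
        except (OSError, subprocess.CalledProcessError):
            findings.append((path, "system md5sum failed"))
            continue
        if claimed != real:  # our MD5 vs. the binary's claim: a mismatch means md5sum itself is trojaned
            findings.append((path, "system md5sum reports a bogus sum"))
    return findings
```

Run it from a trusted boot medium where possible; some distributions keep a few legitimate regular files under /dev, so review that list by hand rather than treating every hit as a rootkit.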
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Wed May 01 2002 - 08:35:54 PDT