This seems to be the same version of the Sun r00tkit attack I mentioned. It seems to be a modified t0rnkit that uses files like /tmp/x for xinetd, and xntps on the Sun box was a mstream client if I remember. It comes from a script kiddiez group on IRCnet, and it's something like X-ORG. There was a writeup of it on the Honeynet Project page, scan 20.

Jason

On 1 May 2002 at 3:18, Sam Trenholme wrote:

Date sent: Wed, 1 May 2002 03:18:57 -0500 (CDT)
From: Sam Trenholme <abiword_bugsat_private>
Subject: A friend's cable modem Linux machine just got compromised
To: incidentsat_private

> Hello there,
>
> A friend's cable modem Linux machine was very recently
> compromised; the attackers obtained root access on the
> machine and modified certain system binaries in an
> attempt to hide their tracks.
>
> Anyway, it looked like they were hiding a program
> called 'xntps'. In addition, they had a modified
> md5sum which would generate bogus sums for the
> trojaned system files.
>
> I did not have an opportunity to perform a full
> post-mortem system audit--the person is 300 miles away
> and my first priority was to get him off the
> 'net and reinstalling his system. However, I was able
> to download the trojaned 'md5sum' and 'xntps' files.
>
> While studying Linux binaries without source is beyond
> my feeble abilities, I have determined that the
> modified md5sum binary attempts to read the file
> /dev/srd0 and write to the file /tmp/behsdf; I suspect
> the "bogus" sums are in /dev/srd0.
>
> The system was a default rh7.1 install; I suspect that
> they got in via the wu-ftpd globbing exploit.
>
> Friends don't let friends run wu-ftpd.
>
> - Sam
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Jason Robertson
Network/Security Analyst
jasonat_private
http://www.ifuture.com, http://www.astroadvice.com, http://www.astroeast.com

Also if you are looking for an employee, I may be available soon, so feel free to contact me for my resume.
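The check a responder wants after reading the thread above is not "compare md5sum's output to a trusted list" (a trojaned md5sum hands back precomputed good sums for exactly the files it was built to hide) but "recompute the digests with a tool the attacker did not replace and see where the on-box md5sum lies". The following is an added example, not code from either poster: it parses GNU md5sum output, recomputes each digest with Python's hashlib, reports the files whose claimed sum does not match, and checks for the indicator paths the thread names (/dev/srd0, /tmp/behsdf, /tmp/x). The simulated trojaned output in demo() is constructed data for illustration; on a real box the hashlib side should be run from a known-clean boot medium, since a compromised Python or kernel would undermine it just as a compromised md5sum does.

```python
"""Cross-check what the on-box md5sum claims against independently computed hashes.

Added example for the incident above. Indicator paths are the ones named in
the thread; the trojaned-md5sum behaviour is simulated with constructed files.
"""
import hashlib
import os
import tempfile
from typing import Callable, Dict, List

# Paths the thread associates with this t0rnkit variant. Presence on a live
# system is worth a look; absence proves nothing.
INDICATOR_PATHS = ["/dev/srd0", "/tmp/behsdf", "/tmp/x"]


def independent_md5(path: str) -> str:
    """MD5 of a file computed without invoking the system md5sum binary."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sum_output(text: str) -> Dict[str, str]:
    """Parse 'digest  path' / 'digest *path' lines as produced by GNU md5sum."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, path = parts
        if path.startswith("*"):  # binary-mode marker
            path = path[1:]
        sums[path] = digest.lower()
    return sums


def find_mismatches(claimed: Dict[str, str]) -> List[str]:
    """Paths whose claimed digest differs from the independently computed one."""
    return sorted(p for p, d in claimed.items()
                  if os.path.isfile(p) and independent_md5(p) != d)


def present_indicators(exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Indicator paths that exist; `exists` is injectable so it can be tested offline."""
    return [p for p in INDICATOR_PATHS if exists(p)]


def demo() -> List[str]:
    """Simulate a trojaned md5sum hiding a replaced binary (constructed data).

    Returns the basenames of files the cross-check flags.
    """
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "ls")
        netstat = os.path.join(d, "netstat")
        with open(clean, "wb") as f:
            f.write(b"original ls bytes")
        original_netstat = b"original netstat bytes"
        with open(netstat, "wb") as f:
            f.write(original_netstat)
        # The precomputed "good" sum a trojaned md5sum keeps for netstat.
        bogus_good = hashlib.md5(original_netstat).hexdigest()
        # Attacker replaces netstat; the trojaned md5sum keeps reporting the old sum.
        with open(netstat, "wb") as f:
            f.write(b"backdoored netstat bytes")
        fake_md5sum_output = (f"{independent_md5(clean)}  {clean}\n"
                              f"{bogus_good}  {netstat}\n")
        flagged = find_mismatches(parse_md5sum_output(fake_md5sum_output))
        return [os.path.basename(p) for p in flagged]


if __name__ == "__main__":
    print("mismatching files:", demo())
    print("indicator paths present:", present_indicators())
```

On a live system, feed find_mismatches() the output of the suspect md5sum run over the package-manager's file list (for RH 7.1, `rpm -ql` of the core packages), and treat every mismatch as a trojaned binary regardless of what the vendor's own sum list says, because the trojaned md5sum was built to agree with that list.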
This archive was generated by hypermail 2b30 : Wed May 01 2002 - 09:49:51 PDT