Howdy, one of the machines on my network was rooted a week or so ago ... pretty basic actually, considering the machine was not updated in months ... anyway .. I ran all the rootkit scanners and found nothing apart from a possible RH-Sharp, which I could not find any info about .. here are some details from the hack ..

Two directories were created, named emech and muie. emech seems to have contained an eggdrop of sorts .. nothing unusual there .. muie was more interesting .. Apart from the infected files which were used to try and hide the hack, there was a file called crontab-entry which basically catted all system info and mailed it to uglykidat_private. Other directories inside were:

- adore-0.34 and adore-42 ... the .c files had a header containing "2001 by Stealth -- http://spider.scorpions.net/~stealth"
- ettercap, which I assume was an ethersniffer or scanner .. from the strings .. more like a scanner ..
- filez, which seems to contain info of the hackfiles / netstat / ps / syslog information .. used I think by the infected files to hide the info contained in them ..
- another mech directory .. and a sshd directory ...

Files that were infected are: atd.init chsh clean crontab-entry du find functions ifconfig inet install install.log killall ls lsof md5sum netstat ps pstree sense shad slice sshd stealth sysinfo syslogd syslogd.init top vadim wp xinetd

Lastly there was a file called vanish which I assume he used to clear out the logs of his entry .. hope this helps somebody ... if you need the actual binaries .. I still have them

Hent Smith

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
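The post's core finding is that the everyday tools an admin would reach for (ls, ps, netstat, find, du, top, even md5sum) were replaced so that the intrusion stayed hidden, and the rootkit scanners reported nothing. The defensive check that catches this is an integrity baseline taken from a trusted state and compared later. The script below is an added example, not something from the post or its author: it hashes a watched set of binaries (names taken from the post's list; file contents are constructed stand-ins, not real executables) into a baseline, then reports files that were modified, removed, or newly dropped. The `demo()` function builds a throwaway directory and simulates the post's scenario (ps and netstat replaced, a `vanish` tool added, find deleted) so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Names taken from the post's list of replaced binaries. The contents
# written below are constructed stand-ins, not real executables.
WATCHED = ["chsh", "crontab", "du", "find", "ifconfig", "killall", "ls", "lsof",
           "md5sum", "netstat", "ps", "pstree", "sshd", "syslogd", "top", "xinetd"]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bindir: Path, names) -> dict:
    """Record the hash of every watched binary.

    Take this on a host you trust (fresh install, before exposure) and keep
    the result off-host, otherwise an intruder can simply rewrite it."""
    return {name: sha256_file(bindir / name) for name in names}


def verify(bindir: Path, baseline: dict) -> dict:
    """Compare a directory against the baseline.

    Returns three sorted lists: modified (hash differs), missing (baseline
    entry is gone) and unexpected (a file the baseline never knew about,
    e.g. a dropped tool such as the post's 'vanish')."""
    modified, missing = [], []
    for name, expected in baseline.items():
        p = bindir / name
        if not p.is_file():
            missing.append(name)
        elif sha256_file(p) != expected:
            modified.append(name)
    present = {p.name for p in bindir.iterdir() if p.is_file()}
    unexpected = sorted(present - set(baseline))
    return {"modified": sorted(modified),
            "missing": sorted(missing),
            "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario mirroring the post: baseline a clean directory,
    then replace ps and netstat, drop a 'vanish' tool and remove find."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp)
        for name in WATCHED:
            (bindir / name).write_bytes(b"stand-in binary: " + name.encode())
        baseline = build_baseline(bindir, WATCHED)
        (bindir / "ps").write_bytes(b"replaced ps")
        (bindir / "netstat").write_bytes(b"replaced netstat")
        (bindir / "vanish").write_bytes(b"dropped log cleaner")
        (bindir / "find").unlink()
        return verify(bindir, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Two caveats follow directly from the post. First, md5sum itself was on the replaced list, so any check run with the host's own tools is suspect; this script carries its own hashing, but the Python interpreter and libc it runs on are still the host's. Second, adore is a kernel module, so a running compromised kernel can return clean file contents to the checker while the on-disk binary is trojaned. Run the comparison from a rescue boot or by mounting the disk on another machine, with the baseline fetched from off-host storage. On package-managed systems, `rpm -V` and `debsums` give the same modified/missing view from the vendor's recorded hashes and are worth running alongside a local baseline.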
This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 18:15:26 PDT