This looks like a mix of a few different kits. The binary seems to match the BeastKit but the sauber script (called cleaner here) came from the t0rn kit. Basically I think it's a mix of a few very common kits rolled up into one. There might be some new "features" to this one.

On 27 Jul 2002, Steve Bougerolle wrote:

> Ok I went in to clean this up today and managed to save some files. The
> extent of one rootkit is pretty clear but there are still some leftover
> files that I don't know about. I rebuilt the whole server, not trusting
> the old system at all. Interestingly, even though I didn't touch the
> original (corrupted) partition, when I mounted it from the new system to
> extract a couple of the rootkit dirs, some files had disappeared. The
> entire directory /dev/\ \ \ was gone. I'm not sure if this is because
> I remounted it with nodev, nosuid and noexec (seems unlikely) or if this
> is explained by some mysterious hanging it used to engage in when shut
> down the "usual" way (ie, it was cleaning up after itself every time it
> shut down).
>
> That particular rootkit seems to have been saved (in original form) in
> /tmp as cashu.tgz, as near as I can tell, so I've re-compressed &
> attached that. It set up compromised versions of ps, ls, netstat, lpd,
> ifconfig, find, top, lsof, slocate, dir, md5sum, pstree, sshd, ftpd and
> ipop3d, doing some clever stuff with checksums and what not (which makes
> me wonder if the gross ease of finding these files means there's another
> hidden part somewhere that I never did find).
>
> It created a fake library called /lib/lidps1.so and installed a
> subverted libproc.so as well. It also created a user tty1, whose home
> directory contains another rootkit that points to a directory /dev/.id.
> The executables mentioned there seem to reappear in another directory
> /dev/.so
>
> All that is pretty clear. However, there are still a few other
> suspicious files around, and if they're connected I haven't found the
> connection yet. /etc/passwd had some more mysterious users added from
> somewhere - cgi, r00t, cisco and liloboot (the root userid was weirdly
> corrupted as well) - I've attached the suspicious parts of this file. In
> /usr/sbin there are a couple binaries which had been set immutable:
> pidof and xntp3. Hooks for the latter had been added twice to the end
> of rc.sysinit, sandwiching the sshd hook.
>
> This server was sitting behind a firewall, and supposedly all ports were
> blocked except for http, which is routed to it via NAT. Thus, unless
> our local ISP is lying (which is quite possible) I'm guessing it came by
> an Apache exploit.
>
> Can anyone ID it? I've searched for the most obvious text strings
> already and not turned up anything which rang a bell.
>
> Files:
>
> http://www.creek-and-cowley.com/cashu.tar.bz2
> http://www.creek-and-cowley.com/suspicious_files.tar.bz2
>
> --
> Steve Bougerolle
> Creek & Cowley Consulting
>
> http://www.creek-and-cowley.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
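As an added triage example (written for this archive page, not code from either poster), a small POSIX shell script that checks a mounted copy of an old root for the artifact types Steve lists: hidden or whitespace-named directories under /dev, extra UID-0 or oddly named accounts in passwd, a boot hook added more than once, and immutable binaries. The rc.sysinit path and the account names are assumptions taken from the thread; sample input in the usage is constructed.

```shell
#!/bin/sh
# Constructed triage helpers for a mounted copy of a compromised root
# (e.g. /mnt/old). Each function takes the path it inspects as an argument.

# Directories whose names start with "." or contain whitespace, the
# pattern behind /dev/.id, /dev/.so and "/dev/   " in the thread.
find_odd_dev_dirs() {
    find "$1" -type d \( -name '.*' -o -name '* *' \) 2>/dev/null | sort
}

# Accounts in a passwd file with UID 0 that are not named root.
find_extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts in a passwd file whose login matches one of the given names
# (the names from the thread are passed in by the caller).
find_named_accounts() {
    passwd=$1; shift
    for name in "$@"; do
        awk -F: -v n="$name" '$1 == n { print $1 }' "$passwd"
    done
}

# Number of lines in an init script that mention a binary; more than one
# is the "added twice" symptom reported for xntp3 in rc.sysinit.
count_rc_hooks() {
    grep -c -- "$2" "$1" || true
}

# Files in a directory carrying the immutable attribute (set by chattr +i,
# invisible to ls). Requires lsattr from e2fsprogs on an ext filesystem.
find_immutable() {
    lsattr -d "$1"/* 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
}

# Run every check against a mounted old root; rc.sysinit path is assumed.
triage() {
    root=$1
    echo "== odd /dev dirs ==";     find_odd_dev_dirs "$root/dev"
    echo "== extra UID 0 ==";       find_extra_root_accounts "$root/etc/passwd"
    echo "== named accounts ==";    find_named_accounts "$root/etc/passwd" cgi r00t cisco liloboot tty1
    echo "== xntp3 hooks ==";       count_rc_hooks "$root/etc/rc.d/rc.sysinit" xntp3
    echo "== immutable in sbin =="; find_immutable "$root/usr/sbin"
}
```

Run as `triage /mnt/old` after mounting the old partition read-only with nodev,nosuid,noexec; a non-empty result from any check is a lead, not proof, and the binaries themselves still need comparing against a known-good copy.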
This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 15:54:27 PDT