Hello list, this is my first posting here, so please bear with me.

A couple of days ago I found my RealNetworks RealServer suddenly restarting. A following run of 'tripwire --check' showed a changed /sbin/init and a file called 'inst' in /root. /sbin/init had nearly the same timestamp (Aug 12 23:17:29 2003) as the following log entry from the RealServer's rmerror.log file:

    ***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted due to fatal error condition

This machine is an Intel server running Red Hat 7.3, fully patched with all Red Hat errata releases installed. Remotely accessible services are:

  - Apache 1.3.27 (Red Hat)
  - Bind 9.2.1 (Red Hat)
  - ntpd 4.1.0 (Red Hat)
  - openssh 3.1p1 (Red Hat)
  - Postfix 1.1.13 (Simon J. Mudd RPM)
  - Courier-Imap 1.6.2 (RPM build out of the official sources)
  - RealServer 9.0.2.794 (latest release by RealNetworks)

I'm not aware of any security issue in one of the above versions, and according to http://service.real.com/help/faq/security/ I had the latest version of the RealServer running. It was also running as user real, not root (options User="real"; Group="real").

I had a look at every logfile of every daemon, but only the RealServer logged something out of the ordinary at this time (but nothing more than the line above and the start messages). Also root's bash_history didn't show anything.

The file /root/inst is a shell script that installs a rootkit named SucKIT in /usr/share/locale/es/.es12/sk, exchanges /sbin/init and starts the rootkit. After disabling this LKM I found a "sk" process running which showed up in lsof -i as follows:

    sk 11398 root 10u IPv4 2154042 UDP *:9875
    sk 11398 root 19u IPv4 2154101 UDP *:48652
    sk 11398 root 20u IPv4 2154102 UDP *:6770
    sk 11398 root 21u IPv4 20277877 TCP myserver.tld:rtsp->shellx.tical.net:47327 (CLOSE_WAIT)
    sk 11398 root 22u IPv4 20277879 TCP myserver.tld:42663->adsl-065-082-208-067.sip.jax.bellsouth.net:rtsp (CLOSE_WAIT)

Maybe it's just a red herring.
I'm not sure this is all that was installed on this machine, though I don't have hints that there may be more. What baffles me a bit is that the timestamp of /root/inst is "Jul 13 04:48" and not "Aug 12 23:17".

So, is anyone aware of a remote hole in this version of Real-/Helixserver or any other software that I'm running? Or any other comments?

Thanks,
Juri
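The triage step Juri describes, checking `lsof -i` for sockets owned by a process that none of the installed daemons should have, can be automated. The following script is an added example and is not part of the original post or of any tool mentioned in it. It parses the column layout shown in the post (COMMAND PID USER FD TYPE DEVICE NODE NAME, with an optional connection state in parentheses), reports every socket whose owning command is not in an allowlist, and lists wildcard UDP binds. The allowlist of expected command names (`httpd`, `named`, `ntpd`, `sshd`, `master`, `smtpd`, `couriertcpd`, `rmserver`) is an assumption based on the services the post lists; the sample input is the post's own five lsof lines.

```python
"""Triage helper for `lsof -i` output: flag sockets that belong to processes
outside the set of daemons expected on the host. Added example, not from the
original post."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Union

# Sample input: the five lsof lines quoted in the post.
SAMPLE_LSOF = """\
sk 11398 root 10u IPv4 2154042 UDP *:9875
sk 11398 root 19u IPv4 2154101 UDP *:48652
sk 11398 root 20u IPv4 2154102 UDP *:6770
sk 11398 root 21u IPv4 20277877 TCP myserver.tld:rtsp->shellx.tical.net:47327 (CLOSE_WAIT)
sk 11398 root 22u IPv4 20277879 TCP myserver.tld:42663->adsl-065-082-208-067.sip.jax.bellsouth.net:rtsp (CLOSE_WAIT)
"""

# Assumed allowlist: COMMAND-column names the daemons in the post would show
# (Apache, BIND, ntpd, OpenSSH, Postfix, Courier-IMAP, RealServer).
EXPECTED_COMMANDS = {
    "httpd", "named", "ntpd", "sshd", "master", "smtpd", "couriertcpd", "rmserver",
}


@dataclass
class Socket:
    command: str
    pid: int
    user: str
    proto: str            # "TCP" or "UDP"
    name: str             # e.g. "*:9875" or "host:port->peer:port"
    state: Optional[str]  # e.g. "CLOSE_WAIT", or None for UDP


# Layout as in the post: COMMAND PID USER FD TYPE DEVICE NODE NAME [(STATE)]
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\d+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def parse_lsof(text: str) -> List[Socket]:
    """Parse lsof -i output; header rows and lines in another layout are skipped."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("COMMAND"):
            continue
        m = LSOF_LINE.match(line)
        if not m:
            continue  # e.g. newer lsof with a SIZE/OFF column: skip rather than crash
        sockets.append(Socket(m["cmd"], int(m["pid"]), m["user"],
                              m["proto"], m["name"], m["state"]))
    return sockets


def udp_listen_ports(sockets: List[Socket]) -> Set[Union[int, str]]:
    """UDP ports bound on all interfaces ("*:port"); numeric when lsof printed a number."""
    ports: Set[Union[int, str]] = set()
    for s in sockets:
        if s.proto == "UDP" and s.name.startswith("*:"):
            port = s.name[2:]
            ports.add(int(port) if port.isdigit() else port)
    return ports


def find_unexpected(sockets: List[Socket], expected=EXPECTED_COMMANDS) -> List[Socket]:
    """Sockets whose owning process is not one of the expected daemons."""
    return [s for s in sockets if s.command not in expected]


if __name__ == "__main__":
    socks = parse_lsof(SAMPLE_LSOF)
    for s in find_unexpected(socks):
        print(f"UNEXPECTED {s.command}[{s.pid}] as {s.user}: "
              f"{s.proto} {s.name} {s.state or ''}".rstrip())
    print("wildcard UDP binds:", sorted(str(p) for p in udp_listen_ports(socks)))
```

Run against live output with `lsof -i -n -P | python3 triage.py` after swapping `SAMPLE_LSOF` for `sys.stdin.read()`; `-n -P` keeps addresses and ports numeric so the parser does not depend on name resolution. The allowlist is a first filter only: a rootkit that hides its process from `lsof` will not appear at all, which is why Juri's comparison of a trusted file checksum (tripwire) against what the running system reports remains the stronger check.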
This archive was generated by hypermail 2b30 : Fri Aug 15 2003 - 18:01:09 PDT