Security Incidents mailing list archives

Re: Rooted through in.identd on Red Hat 6.0


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Fri, 21 Apr 2000 16:22:20 -0400


On Thu, 20 Apr 2000, Cold Fire wrote:

> They are the datafile used by trojaned netstat/ps, it looks as if
> /dev/cui220 is the data file for ps, stopping ps from displaying
> the 'sh' 'bnc' 'slice2' and 'pt07' processes.

this sounds like a trivial variant of LRK4, Linux RootKit 4 (see
packetstorm for the code). last month another analyst and i wrote
about our experiences with Shaft and how we found it on a system, mainly
as instructions to other admins on how to examine a compromised box. while
nothing new in terms of analysis methods, i think it's been pretty clear
and useful for people. it's a decent demonstration of lrk4 in the wild.
the link is:

http://biocserver.bioc.cwru.edu/~jose/shaft_analysis/node-analysis.txt

the point is that ls, find, etc. have all most likely been trojaned,
making investigatory work worth doing from a boot floppy with some tools
(like find, ls, etc.) or mounting the disk in a new system. i think the
experiences we detail in that document underscore that point. always mount
noexec and read-only, it will save your ass.

i hope this helps. i'm writing a paper, albeit slowly, on using the /proc
tree in Linux for forensic work which should be useful for incident
handling, too.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
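An added example, not code from the message above or from the linked Shaft analysis: the /proc cross-check the author alludes to, in Python. A trojaned ps of the LRK4 kind drops processes by name, but the kernel still creates a /proc/<pid> directory for every task, so a PID that /proc shows and ps omits is a candidate hidden process. The `ps -eo pid,comm` column layout, the sample ps output and the sample /proc/<pid>/stat line are assumptions constructed for the example; run the live check from known-good binaries (boot media or a read-only, noexec mount of the suspect disk), since the interpreter and libc on the compromised box may be trojaned as well.

```python
"""
Added example (not the original thread's code): compare the PIDs the
kernel exposes under /proc with the PIDs a possibly trojaned ps reports.
"""
import os
import re
import subprocess
from typing import Dict, Iterable, List, Set

PID_NAME = re.compile(r"^\d+$")

# Constructed sample data (an assumption, not captured from a real host):
# what a trojaned ps might print with 'bnc' and 'slice2' filtered out, next
# to the PID set a clean read of /proc would show at the same moment.
SAMPLE_PS_OUTPUT = """\
  PID COMMAND
    1 init
  412 syslogd
  500 in.identd
  811 sshd
"""
SAMPLE_PROC_PIDS = {1, 412, 500, 811, 1337, 2048}
SAMPLE_STAT_1337 = "1337 (bnc) S 1 1337 1337 0 -1 256 42 0 0 0 3 1 0 0 20 0 1 0 99421 2654208 314"


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """Every all-digit directory under proc_root is a task the kernel knows."""
    try:
        names = os.listdir(proc_root)
    except OSError:
        return set()
    return {int(n) for n in names if PID_NAME.match(n)}


def parse_ps_output(text: str) -> Dict[int, str]:
    """Parse 'ps -eo pid,comm' style output: a header line, then '<pid> <name>'.
    The column layout is an assumption; adjust it for the ps actually used."""
    procs: Dict[int, str] = {}
    for line in text.splitlines()[1:]:          # skip the PID/COMMAND header
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs[int(parts[0])] = parts[1].strip()
    return procs


def name_from_stat(stat_text: str) -> str:
    """Command name from /proc/<pid>/stat: the second field, in parentheses.
    The name may itself contain spaces or parentheses, so take everything
    between the first '(' and the last ')'."""
    start = stat_text.find("(")
    end = stat_text.rfind(")")
    if start == -1 or end == -1 or end < start:
        return ""
    return stat_text[start + 1:end]


def find_hidden(proc_pids: Iterable[int], ps_pids: Iterable[int],
                ignore: Iterable[int] = ()) -> List[int]:
    """PIDs the kernel exposes that ps did not report, minus any in `ignore`.
    A leftover PID is either a process that exited between the two snapshots
    or one that a trojaned ps is filtering out."""
    return sorted(set(proc_pids) - set(ps_pids) - set(ignore))


def check_live(ps_cmd=("ps", "-eo", "pid,comm"),
               proc_root: str = "/proc") -> Dict[int, str]:
    """Live comparison on a Linux host. Snapshot /proc first, then run ps, then
    re-read /proc/<pid>/stat for each candidate: a process that exited before
    ps ran fails the stat read and is dropped, so what remains was alive when
    ps ran and still not reported."""
    in_proc = pids_from_proc(proc_root)
    proc = subprocess.run(ps_cmd, capture_output=True, text=True, check=False)
    reported = parse_ps_output(proc.stdout)
    result: Dict[int, str] = {}
    for pid in find_hidden(in_proc, reported, ignore=[os.getpid()]):
        try:
            with open(os.path.join(proc_root, str(pid), "stat")) as f:
                result[pid] = name_from_stat(f.read())
        except OSError:
            continue        # gone between snapshots; not evidence of hiding
    return result


def demo() -> List[int]:
    """Run the comparison over the constructed sample: returns [1337, 2048]."""
    return find_hidden(SAMPLE_PROC_PIDS, parse_ps_output(SAMPLE_PS_OUTPUT))


if __name__ == "__main__":
    print("sample hidden PIDs:", demo())
    print("live hidden PIDs:", check_live())
```

The check is only as good as the kernel it runs on: an LKM rootkit that filters /proc itself defeats it, which is one more reason to examine the disk from a clean system rather than trust anything the running box tells you.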

