Security Incidents mailing list archives

Re: Rooted through in.identd on Red Hat 6.0


From: coldfire () CLOSED-NETWORKS COM (Cold Fire)
Date: Thu, 20 Apr 2000 21:01:57 +0100


On Thu, Apr 20, 2000 at 11:24:57AM +0300, Dmitry Alyabyev wrote:

> echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220
> ;
> echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
> echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220
> echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
>
> Could you explain a reason of these lines above ?
> What is /dev/cui220 (/dev/cui221)  ?


They are the data files used by trojaned netstat/ps; it looks as if
/dev/cui220 is the data file for ps, stopping ps displaying
the 'sh', 'bnc', 'slice2' and 'pt07' processes.

/dev/cui221 appears to be for netstat, hiding connections with
a remote port of 6667 (irc) or a local port of 1679, 15678 or
5454.

There may also be data files to hide files from ls, stop logging
of connections from different hosts, etc., etc. depending on
which binaries have been trojaned.

The hacker has placed these in /dev in an attempt to hide them;
however, as they are standard files rather than devices, it's
quite easy to spot them with 'find /dev -type f -print', which
is widely publicised by CERT etc. They should also be clearly
visible in a 'strings /bin/netstat', etc., unless the writer of
the trojan has been more sneaky than usual.

Steve


--
'Cold Fire, Britain's most notorious hacker' Observer, July 1997
'The most recent conviction was that of [Cold Fire] whose On-line
escapades spanned from hacking into educational sites to more
sinister activities such as tapping into industrial and United
States military sites.' DC Paul Cox, SO6 Scotland Yard CCU
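An added example, not part of the thread above: a small POSIX sh script that automates the two checks Steve recommends (regular files under /dev, and /dev paths embedded in a system binary) and decodes a rootkit data file using the column meanings he infers for cui220 (ps) and cui221 (netstat). That column mapping, the helper names, and the sample tree are assumptions made for this example; grep -a stands in for binutils' strings so the script runs without it.

```shell
#!/bin/sh
# Added example (not from the mail thread). Assumes POSIX sh with
# find, grep, sort, mktemp, printf, ln.

# 1. The CERT check: real device nodes are character or block specials,
#    so any regular file (-type f) under a /dev-style directory is suspect.
regular_files_in_dev() {
    find "$1" -type f -print | sort
}

# 2. Equivalent of 'strings /bin/netstat | grep /dev/': print each distinct
#    /dev/<name> path embedded in a binary. grep -a treats it as text.
dev_refs_in_binary() {
    grep -a -o '/dev/[A-Za-z0-9_./-]*' "$1" | sort -u
}

# 3. Decode "<type> <value>" rules. The mapping below is an ASSUMPTION taken
#    from Steve's reading of the files (2 = process name for ps; 3 = local
#    port and 4 = remote port for netstat), not documented rootkit behaviour.
decode_hide_file() {
    tool=$1
    file=$2
    while read -r type value; do
        [ -z "$type" ] && continue
        case "$tool:$type" in
            ps:2)      echo "hide process named '$value'" ;;
            netstat:3) echo "hide connections with local port $value" ;;
            netstat:4) echo "hide connections with remote port $value" ;;
            *)         echo "unknown rule type $type value $value" ;;
        esac
    done < "$file"
}

# Constructed sample tree so the checks run offline; prints its root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/dev" "$root/bin"
    # data files with the rules quoted in the mail
    printf '2 sh\n2 slice2\n2 bnc\n2 pt07\n' > "$root/dev/cui220"
    printf '4 6667\n3 15678\n3 1679\n3 5454\n' > "$root/dev/cui221"
    # a directory and a symlink, which -type f must not report
    mkdir "$root/dev/pts"
    ln -s cui220 "$root/dev/alias"
    # fake trojaned netstat: binary junk with the data file path embedded
    printf '\177ELF\001\002junk/dev/cui221\000more\000' > "$root/bin/netstat"
    echo "$root"
}

# Usage on a live box (no sample tree):
#   regular_files_in_dev /dev
#   dev_refs_in_binary /bin/netstat
#   decode_hide_file netstat /dev/cui221
```

Run the three functions against a real host in that order: any hit from the first two is worth a closer look, and the decoder is only a convenience for reading a file you have already found.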

