Security Incidents mailing list archives
Re: Rooted through in.identd on Red Hat 6.0
From: coldfire () CLOSED-NETWORKS COM (Cold Fire)
Date: Thu, 20 Apr 2000 21:01:57 +0100
On Thu, Apr 20, 2000 at 11:24:57AM +0300, Dmitry Alyabyev wrote:
> echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220;echo "2 bnc" >> /dev/220 ;
> echo "4 6667" >> /dev/cui221 ; echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220
> echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
>
> Could you explain the reason for these lines above? What is /dev/cui220 (/dev/cui221)?
They are the datafiles used by trojaned netstat/ps. It looks as if /dev/cui220 is the data file for ps, stopping ps displaying the 'sh', 'bnc', 'slice2' and 'pt07' processes. /dev/cui221 appears to be for netstat, hiding connections with a remote port of 6667 (irc) or a local port of 1679, 15678 or 5454.

There may also be datafiles to hide files from ls, stop logging of connections from different hosts, etc, etc. depending on what binaries have been trojaned.

The hacker has placed these in /dev in an attempt to hide them, however as they are standard files rather than devices it's quite easy to spot them with 'find /dev -type f -print', which is widely publicised by CERT etc. They should also be clearly visible in a strings /bin/netstat, etc. unless the writer of the trojan has been more sneaky than usual..

Steve

--
'Cold Fire, Britain's most notorious hacker' Observer, July 1997

'The most recent conviction was that of [Cold Fire] whose On-line escapades spanned from hacking into educational sites to more sinister activities such as tapping into industrial and United States military sites.' DC Paul Cox, SO6 Scotland Yard CCU
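The two checks Cold Fire describes (regular files sitting under /dev, and /dev paths embedded in a system binary that a trojaned ps/netstat would need in order to read its hide-list) can be scripted for triage. The following is an added example written for this archive page, not code from the original post or from any rootkit. It builds a constructed fixture (a fake /dev tree and a fake netstat file) so it runs offline; the file names cui220/cui221 and the "type value" line format come from the thread, while the allowlist of legitimate device paths and the decoding of types 2/3/4 follow the reply's own interpretation and are assumptions, not a documented format.

```shell
#!/bin/sh
# Added example (not from the original post): script the two checks the
# reply describes and decode the captured hide-lists for triage.

# (1) The reply's own check: list regular files under a directory. Real
# device nodes are character/block devices, so "-type f" skips them.
find_regular_files() {
    find "$1" -type f -print 2>/dev/null | sort
}

# (2) Extract /dev/... strings from a binary. Portable stand-in for
# 'strings bin | grep /dev/': tr turns non-printable bytes into newlines.
dev_paths_in_binary() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -o '/dev/[A-Za-z0-9._/-]*' | sort -u
}

# Keep only references not on an allowlist of device paths a stock tool may
# legitimately use (allowlist is an assumption for the demo; extend per host).
suspicious_dev_refs() {
    dev_paths_in_binary "$1" \
        | grep -v -E '^/dev/(null|zero|tty[0-9]*|pts/?[0-9]*|console|u?random|std(in|out|err))$' \
        || true
}

# Translate a hide-list file using the meaning the reply infers from the
# captured lines: 2 = process name (ps), 3 = local port, 4 = remote port
# (netstat). Unknown types are reported rather than guessed.
decode_hide_list() {
    while read -r type value; do
        case "$type" in
            2) echo "hide process named '$value'" ;;
            3) echo "hide connections with local port $value" ;;
            4) echo "hide connections with remote port $value" ;;
            *) echo "unknown entry type '$type' value '$value'" ;;
        esac
    done < "$1"
}

# Constructed fixture: a fake /dev holding the two hide-list files from the
# thread, a subdirectory and a symlink (neither is "-type f"), plus a fake
# netstat that embeds /dev/cui221 among binary bytes. Prints the root path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/dev/pts" "$root/bin"
    ln -s /dev/null "$root/dev/stdout"
    printf '2 sh\n2 slice2\n2 bnc\n2 pt07\n' > "$root/dev/cui220"
    printf '4 6667\n3 15678\n3 1679\n3 5454\n' > "$root/dev/cui221"
    {
        printf '\177ELF\001\001\001\000\000\000'   # ELF-like header bytes
        printf '/dev/null\000/dev/cui221\000'       # strings a trojan would carry
        printf '\003\000\000\000\001'
    } > "$root/bin/netstat"
    echo "$root"
}

main() {
    root=$(make_fixture)
    echo "== regular files under $root/dev (a clean host reports none)"
    find_regular_files "$root/dev"
    echo "== unexpected /dev references in $root/bin/netstat"
    suspicious_dev_refs "$root/bin/netstat"
    for f in $(find_regular_files "$root/dev"); do
        echo "== decoded $f"
        decode_hide_list "$f"
    done
    rm -rf "$root"
}

main
```

On a real host you would run find_regular_files against /dev and suspicious_dev_refs against /bin/ps, /bin/netstat, /bin/ls and similar from a known-good rescue medium, since the trojaned binaries on the compromised system cannot be trusted to report on themselves.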
Current thread:
- Re: CGI scans from Strauss.udel.edu -- They're back, (continued)
- Re: CGI scans from Strauss.udel.edu -- They're back Ryan Russell (Apr 18)
- Re: CGI scans from Strauss.udel.edu -- They're back Bryan Seitz (Apr 19)
- Re: CGI scans from Strauss.udel.edu -- They're back Marcelo Magnasco (Apr 18)
- Rooted through in.identd on Red Hat 6.0 Del Elson (Apr 18)
- Re: Rooted through in.identd on Red Hat 6.0 Sebastian (Apr 20)
- Re: Rooted through in.identd on Red Hat 6.0 Dmitry Alyabyev (Apr 20)
- RH6.1/IPChains box hacked J. J. Horner (Apr 20)
- Re: RH6.1/IPChains box hacked Jon Lewis (Apr 21)
- Re: RH6.1/IPChains box hacked mad () STUDENTS ZCU CZ (Apr 21)
- Re: RH6.1/IPChains box hacked Del Elson (Apr 24)
- Re: Rooted through in.identd on Red Hat 6.0 Cold Fire (Apr 20)
- Re: Rooted through in.identd on Red Hat 6.0 Jose Nazario (Apr 21)
- Re: CGI scans from Strauss.udel.edu -- They're back Ryan Russell (Apr 18)
- Re: Rooted through in.identd on Red Hat 6.0 Richard Wash (Apr 20)
- Re: Rooted through in.identd on Red Hat 6.0 J. J. Horner (Apr 20)
- Re: Rooted through in.identd on Red Hat 6.0 Del Elson (Apr 21)
- Re: Rooted through in.identd on Red Hat 6.0 jms (Apr 21)
- !!!Linux ELF infector!!! dEStr0YEr (Apr 21)
- Re: !!!Linux ELF infector!!! John Flux (Apr 24)
- BIND 8.2.2.-P3, 0-day exploit Patrick Oonk (Apr 22)
- Re: BIND 8.2.2.-P3, 0-day exploit Jon Lewis (Apr 24)
- Re: BIND 8.2.2.-P3, 0-day exploit kj (Apr 24)