Security Incidents mailing list archives

Re: Rooted through in.identd on Red Hat 6.0


From: rlw6 () SCL CWRU EDU (Richard Wash)
Date: Thu, 20 Apr 2000 20:03:44 -0400


On Thu, Apr 20, 2000 at 11:24:57AM +0300, Dmitry Alyabyev wrote:
> echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ;
> echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
> echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ;
> echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
>
> Could you explain the reason for these lines above?
> What is /dev/cui220 (/dev/cui221)?

/dev/cui220 is a normal file that is used to hide things.  /dev is a good
place to hide files because there are normally so many files there and most
admins do not know what most of them are.  If a hacker puts files there, most
admins will not notice anything unusual.

I recognize that file format from a hacked machine that I admin.  It is
used to tell the trojans what files not to show in an ls (or find, etc.).  If
you want a good place to look, check out my analysis at:
  http://biocserver.cwru.edu/~jose/shaft_analysis/node-analysis.txt

That file gives pretty good detail on what each of those files does.  It is a
pretty good read, too.

That appears to be a common rootkit.  I have not verified this, but a friend
says that this looks like a rootkit known as the "Linux Rootkit 4".

If you have any more questions, I would be happy to help.
   Rick Wash
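An added example (not part of the thread or the linked analysis) of the check a defender would run after reading the above: walk the device directory with raw lstat calls rather than the ls/find binaries, flag any regular file there, and parse the "<number> <name>" config format quoted in the thread into the names the trojaned tools would hide. The sample config text is constructed from the quoted lines; the meaning of the leading number is not explained in the thread and is kept as an opaque tag.

```python
import os
import stat
import sys
from typing import Iterable, List, Tuple

# Constructed sample of the config format quoted in the thread: one
# "<number> <name>" pair per line. The number's meaning is not stated in
# the thread, so it is treated here only as an opaque tag.
SAMPLE_CONFIG = "2 sh\n2 slice2\n2 bnc\n4 6667\n3 15678\n2 pt07\n"


def hidden_names(config_text: str) -> List[Tuple[str, str]]:
    """Parse '<tag> <name>' lines into (tag, name) pairs, skipping junk lines."""
    pairs = []
    for line in config_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            pairs.append((parts[0], parts[1].strip()))
    return pairs


def regular_files(entries: Iterable[Tuple[str, int]]) -> List[str]:
    """Return paths whose lstat mode says 'regular file'.

    A device directory should hold device nodes, symlinks, FIFOs and
    subdirectories, so a plain file such as /dev/cui220 stands out."""
    return [path for path, mode in entries if stat.S_ISREG(mode)]


def walk_dev(root: str = "/dev") -> List[Tuple[str, int]]:
    """Collect (path, st_mode) under root using os.walk/os.lstat, i.e. the
    readdir/lstat syscalls directly, not the ls/find binaries the thread says
    were replaced to hide the configured names."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                found.append((full, os.lstat(full).st_mode))
            except OSError:
                continue  # entry vanished (hotplug) or permission denied
    return found


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/dev"
    for path in regular_files(walk_dev(root)):
        print("regular file in device directory:", path)
```

This only helps against the userland binary replacement the thread describes; a kernel-level rootkit can lie to lstat too, so compare against an offline copy of the disk or a known-good boot medium when in doubt.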

