Security Incidents mailing list archives
Re: Rooted through in.identd on Red Hat 6.0
From: rlw6 () SCL CWRU EDU (Richard Wash)
Date: Thu, 20 Apr 2000 20:03:44 -0400
On Thu, Apr 20, 2000 at 11:24:57AM +0300, Dmitry Alyabyev wrote:
> echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220; echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ; echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220; echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
>
> Could you explain the reason for these lines above? What is /dev/cui220 (/dev/cui221)?
/dev/cui220 is a normal file that is used to hide things. /dev is a good place to hide files because there are normally so many files there and most admins do not know what most of them are. If a hacker puts files there, most admins will not notice anything unusual. I recognize that file format from a hacked machine that I admin. It is used to tell the trojans what files not to show in an ls (or find, etc.).

If you want a good place to look, check out my analysis at:

http://biocserver.cwru.edu/~jose/shaft_analysis/node-analysis.txt

That file has pretty good detail on what each of those files does. It is a pretty good read, too.

That appears to be a common rootkit. I have not verified this, but a friend says that this looks like a rootkit known as the "Linux Rootkit 4".

If you have any more questions, I would be happy to help.

Rick Wash
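The reply's point is that /dev/cui220 and /dev/cui221 are ordinary files parked among device nodes, and that their contents are a hide list consumed by trojaned ls/find. Below is an added example, not code from this thread or from the rootkit analysis it links to, showing the two checks a defender would run on such a box: sweep a /dev tree for regular files (a clean /dev holds device nodes, FIFOs, sockets, symlinks and directories, so a plain file there deserves a look), and parse the "<number> <name>" lines seen in the quoted echo commands so they can be compared against a listing taken with a trusted binary. The allow-list of legitimate regular files, the skipped subtrees and the sample tree are assumptions constructed for the demo; the meaning of the leading numbers is not asserted.

```python
"""Added example (not from the thread): sweep a /dev tree for ordinary files
and parse the hide-list format quoted in the post."""
import os
import stat
import tempfile
from typing import List, Tuple

# Assumption: regular files that legitimately live under /dev on some systems.
# Adjust for your distribution (paths relative to the tree root).
KNOWN_REGULAR = {"MAKEDEV"}
# Assumption: subtrees where ordinary files are expected (tmpfs scratch space).
SKIP_SUBTREES = {"shm"}


def find_regular_files(devdir: str) -> List[str]:
    """Return relative paths of regular (non-symlink) files under devdir,
    excluding the allow-list and the skipped subtrees."""
    suspicious = []
    for root, dirs, files in os.walk(devdir):
        rel_root = os.path.relpath(root, devdir)
        if rel_root == ".":
            rel_root = ""
        # prune subtrees where regular files are normal
        dirs[:] = [d for d in dirs if os.path.join(rel_root, d) not in SKIP_SUBTREES]
        for name in files:
            rel = os.path.join(rel_root, name) if rel_root else name
            try:
                st = os.lstat(os.path.join(root, name))  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and rel not in KNOWN_REGULAR:
                suspicious.append(rel)
    return sorted(suspicious)


def parse_hide_list(text: str) -> List[Tuple[str, str]]:
    """Parse lines of the form '<number> <name>' (the format of the quoted echo
    commands) into (number, name) pairs; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            entries.append((parts[0], parts[1].strip()))
    return entries


def confirmed_hidden(hide_entries: List[Tuple[str, str]],
                     trusted_listing: List[str],
                     suspect_listing: List[str]) -> List[str]:
    """Names that a trusted listing (e.g. ls from rescue media) shows but the
    on-box tool omits, restricted to names on the hide list: direct evidence
    that the hide list is being honoured."""
    missing = set(trusted_listing) - set(suspect_listing)
    listed = {name for _, name in hide_entries}
    return sorted(missing & listed)


def build_demo_tree() -> str:
    """Construct a throwaway fake /dev for the demo (constructed data)."""
    d = tempfile.mkdtemp(prefix="fakedev_")
    with open(os.path.join(d, "cui220"), "w") as f:     # the hide list itself
        f.write("2 sh\n2 slice2\n2 bnc\n")
    with open(os.path.join(d, "MAKEDEV"), "w") as f:    # allow-listed regular file
        f.write("#!/bin/sh\n")
    os.mkfifo(os.path.join(d, "initctl"))               # FIFO: expected in /dev
    os.symlink("cui220", os.path.join(d, "stdin-alias"))  # symlink: not reported
    os.mkdir(os.path.join(d, "pts"))
    with open(os.path.join(d, "pts", "stray"), "w") as f:  # regular file in a subdir
        f.write("x")
    os.mkdir(os.path.join(d, "shm"))
    with open(os.path.join(d, "shm", "scratch"), "w") as f:  # skipped subtree
        f.write("x")
    return d


if __name__ == "__main__":
    tree = build_demo_tree()
    print("regular files under fake /dev:", find_regular_files(tree))
    with open(os.path.join(tree, "cui220")) as f:
        entries = parse_hide_list(f.read())
    print("hide list:", entries)
    print("hidden:", confirmed_hidden(entries, ["sh", "bnc", "vi"], ["vi"]))
```

The sweep uses lstat rather than trusting any listing tool, so it is meaningful only when run from a binary you trust (a statically linked Python or a rescue environment); on a box where ls has been replaced, comparing its output with the trusted listing via confirmed_hidden is what turns "odd file in /dev" into proof.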