Security Incidents mailing list archives

Re: RedHat 6.2 boxes root'ed, shitc.tgz installed


From: Slidey <slidey () SLIDEY NET>
Date: Sat, 2 Dec 2000 02:41:59 -0000

Andreas Östling wrote...
There is a modified sshd /bin/fgry which 
listens on port 5665
and /bin/in.slogind that listens on port 
19000.

What did the output (if any) look like when 
connecting to these ports?

Looked like an ssh prompt (port 5665) and a 
telnet prompt (port 19000)

--
josh


I found shitc.tgz on a machine this afternoon. It 
was pretty similar to what has been said here. At 
the risk of repeating what someone else may have 
said, here are my findings:

shitc is a pretty unexciting lrk4-style kit, with 
a separate file for each of ls, ps, netstat and 
syslogd:

/dev/hdcc for ls
/dev/hdaa for ps
/dev/ddth3 for netstat
/dev/ddtz1 for syslogd

There were a fair number of files (scanners, DoS 
programs, exploits) found in /usr/bin/.../.termcap

There were 3 backdoors:

/bin/frgy, an sshd 1.2.27 backdoor that used an 
unhidden config file located in 
/usr/local/etc/sshd_config. It used port 5665. 
I believe the user of the sshd to be 'kpiod', but I 
couldn't verify this.

/bin/pmail, a pretty standard bindshell with the 
password "judy", listening for connections on port 
19000. Each command has to be followed by a 
semi-colon (;), as usual for a bindshell.

/bin/udpd, a UDP backdoor listening on port 
19001. There is a corresponding program, udpc, 
which I presume connects to the daemon, but this 
is untested. 

There is an additional file, /bin/die, which 
starts up each of these backdoors.

As well as these files, /bin/egrep is trojaned. 
Every time this runs, it seems to start up the 3 
backdoors. On startup of this particular machine, 
egrep was run from /etc/rc.d/rc, causing the 
backdoors to be started each time the machine was 
booted. 

Looking at the trojans using the 'stat' command, I 
believe the machine was hacked towards the end of 
August, and I presume from a home.com account, as 
this was in the netstat "trojan" file.


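As an added example, not part of the original post or thread: a small POSIX shell sweep for the indicators Slidey lists (the four lrk4-style config files under /dev, the three backdoor binaries, /bin/die, the unhidden sshd_config and the hidden /usr/bin/.../.termcap directory), plus a check of saved "netstat -an" output for ports 5665, 19000 and 19001. It assumes the suspect disk is mounted under a directory (ROOT) from known-good rescue media, because on the rooted box ls, ps, netstat and egrep themselves are trojaned; the file names follow Slidey's list (frgy, not fgry), and the demo tree and netstat dump the script builds are constructed fixtures, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): a read-only sweep for the
# shitc indicators Slidey lists, plus a check of saved "netstat -an" output
# for the backdoor ports. ROOT is where the suspect disk is mounted from
# known-good media (the box's own ls/ps/netstat/egrep are trojaned).
# File and directory names are taken from the post; the demo tree and the
# netstat dump below are constructed for illustration, not captured data.

KIT_FILES="dev/hdcc dev/hdaa dev/ddth3 dev/ddtz1 \
bin/frgy bin/pmail bin/udpd bin/die usr/local/etc/sshd_config"
KIT_DIRS="usr/bin/.../.termcap"
KIT_PORTS="5665 19000 19001"
SHITC_HITS=0   # running count, reset by scan_for_shitc

# Print one FOUND line per indicator under $1; the count lands in SHITC_HITS.
scan_for_shitc() {
    root=${1%/}
    SHITC_HITS=0
    for f in $KIT_FILES; do
        if [ -e "$root/$f" ]; then
            echo "FOUND kit file: /$f"
            SHITC_HITS=$((SHITC_HITS + 1))
        fi
    done
    for d in $KIT_DIRS; do
        if [ -d "$root/$d" ]; then
            echo "FOUND hidden directory: /$d"
            SHITC_HITS=$((SHITC_HITS + 1))
        fi
    done
    # /dev should hold device nodes, directories and symlinks only, so any
    # regular file there is a candidate kit config whatever it is called.
    if [ -d "$root/dev" ]; then
        for f in $(find "$root/dev" -type f); do
            rel=${f#"$root"/}
            case " $KIT_FILES " in *" $rel "*) continue ;; esac
            echo "FOUND unexpected regular file: /$rel"
            SHITC_HITS=$((SHITC_HITS + 1))
        done
    fi
}

# Scan a saved "netstat -an" dump ($1) for sockets bound to the kit ports.
# udpd is UDP, so udp lines (no State column) are matched as well as tcp.
check_kit_ports() {
    dump=$1
    while IFS= read -r line; do
        case "$line" in tcp*|udp*) ;; *) continue ;; esac
        set -- $line            # Proto Recv-Q Send-Q Local Foreign [State]
        port=${4##*:}           # port is after the last ':' of Local Address
        case " $KIT_PORTS " in
            *" $port "*)
                echo "FOUND socket on kit port $port: $line"
                SHITC_HITS=$((SHITC_HITS + 1)) ;;
        esac
    done < "$dump"
}

# Build a throwaway tree that looks like Slidey's box (constructed fixture,
# including one extra regular file in /dev not named in the post) and print
# its path.
build_demo_root() {
    r=$(mktemp -d)
    mkdir -p "$r/dev" "$r/bin" "$r/usr/local/etc" "$r/usr/bin/.../.termcap"
    for f in dev/hdcc dev/hdaa dev/ddth3 dev/ddtz1 dev/.extra_cfg \
             bin/frgy bin/pmail bin/udpd bin/die usr/local/etc/sshd_config; do
        : > "$r/$f"
    done
    cat > "$r/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:19000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40122      ESTABLISHED
udp        0      0 0.0.0.0:19001           0.0.0.0:*
EOF
    echo "$r"
}

demo=$(build_demo_root)
scan_for_shitc "$demo"
check_kit_ports "$demo/netstat.txt"
echo "indicators found: $SHITC_HITS"
rm -rf "$demo"
```

A clean hit count proves nothing on its own, since the kit's file names and ports are trivially changed; treat this as a first pass and follow it with a package verification (rpm -Va against a trusted RPM database, run from the rescue media) to catch the trojaned ls, ps, netstat, syslogd and egrep by checksum rather than by name.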