Security Incidents mailing list archives
Re: RedHat 6.2 boxes root'ed, shitc.tgz installed
From: Slidey <slidey () SLIDEY NET>
Date: Sat, 2 Dec 2000 02:41:59 -0000
> Andreas Östling wrote...
> > There is a modified sshd /bin/fgry which listens on port 5665
> > and /bin/in.slogind that listens on port 19000.
> >
> > What did the output (if any) look like when connecting to these ports?
>
> Looked like an ssh prompt (port 5665) and a telnet prompt (port 19000)
>
> -- josh
I found shitc.tgz on a machine this afternoon. It was pretty similar to what has been said here. At the risk of repeating what someone else may have said, here are my findings.

shitc is a pretty unexciting lrk4-style kit, with a separate file for each of ls, ps, netstat and syslogd:

  /dev/hdcc  for ls
  /dev/hdaa  for ps
  /dev/ddth3 for netstat
  /dev/ddtz1 for syslogd

There were a fair couple of files (scanners, DoS programs, exploits) found in /usr/bin/.../.termcap

There were 3 backdoors:

/bin/frgy, an sshd 1.2.27 backdoor that used an unhidden config file located in /usr/local/etc/sshd_config. It used the port 5665. I believe the user of the sshd to be 'kpiod' but I couldn't verify this.

/bin/pmail, a pretty standard bindshell with the password "judy", listening for connections on port 19000. Each command has to be followed by a semi-colon as per usual bindshell (;).

/bin/udpd, a udp backdoor listening on port 19001. There is a corresponding program, udpc, which I presume connects to the daemon, but this is untested.

There is an additional file, /bin/die, which starts up each of these backdoors.

As well as these files, /bin/egrep is trojaned. Every time this runs, it seems to start up the 3 backdoors. On startup of this particular machine, egrep was run in /etc/rc.d/rc, causing the backdoors to be started each time the machine was started.

Looking at the trojans using the 'stat' command, I believe the machine was hacked towards the end of August, and I presume from a home.com account as this was in the netstat "trojan" file.
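The indicators Slidey lists (the /dev hiding files, the three backdoors and their starter, the unhidden sshd config, the egrep call in /etc/rc.d/rc, and the ports 5665, 19000 and 19001) can be swept for from a trusted environment. The script below is an added example for that and is not from the post or from any tool it mentions. It assumes a ROOT path prefix (such as a mounted image of the suspect disk) and that the port check is fed a netstat -an capture taken with a known-good binary, since the kit replaces ls, ps, netstat and egrep on the live host.

```shell
#!/bin/sh
# Added example, not Slidey's code: read-only sweep for the shitc indicators
# named in the post. ROOT is an assumed path prefix (e.g. /mnt/suspect) so
# the sweep can run against a mounted image instead of the trojaned host.

# Filesystem indicators from the post: the per-tool hiding lists, the three
# backdoors, their starter, the udp client and the unhidden sshd config.
SHITC_FILES="/dev/hdcc /dev/hdaa /dev/ddth3 /dev/ddtz1
/usr/bin/.../.termcap
/bin/frgy /bin/pmail /bin/udpd /bin/udpc /bin/die
/usr/local/etc/sshd_config"

# Listener ports from the post: sshd backdoor, bindshell, udp backdoor.
SHITC_PORTS="5665 19000 19001"

# shitc_check_files ROOT: print every indicator path present under ROOT.
shitc_check_files() {
    root="${1:-}"
    for f in $SHITC_FILES; do
        [ -e "$root$f" ] && echo "FOUND file: $root$f"
    done
    return 0
}

# shitc_check_rc ROOT: the post says the trojaned egrep was started from
# /etc/rc.d/rc; print any line there that invokes egrep, with its line number.
shitc_check_rc() {
    rc="${1:-}/etc/rc.d/rc"
    [ -f "$rc" ] && grep -n 'egrep' "$rc" | sed 's/^/FOUND rc: /'
    return 0
}

# shitc_check_ports: read a "netstat -an" style listing on stdin and print
# the lines carrying one of the backdoor ports. The listing must come from a
# known-good netstat, because the kit's netstat hides these entries.
shitc_check_ports() {
    pat=""
    for p in $SHITC_PORTS; do pat="$pat${pat:+|}$p"; done
    grep -E "[:.]($pat)[[:space:]]" | sed 's/^/FOUND listener: /'
    return 0
}

# shitc_sweep ROOT [LISTING]: run all checks. LISTING is an optional file
# holding a netstat -an capture made with a trusted binary.
# Usage: . ./shitc_sweep.sh; shitc_sweep /mnt/suspect /tmp/netstat-clean.txt
shitc_sweep() {
    shitc_check_files "$1"
    shitc_check_rc "$1"
    [ -n "${2:-}" ] && shitc_check_ports < "$2"
    return 0
}
```

The file check is deliberately an existence test rather than a hash comparison: the post gives no hashes for the kit, so the paths and ports it names are the only indicators available to match on, and a hit on any of them is a reason to image the box and compare the replaced binaries against a known-good install.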
Current thread:
- Re: RedHat 6.2 boxes root'ed, shitc.tgz installed Slidey (Dec 05)
- Re: RedHat 6.2 boxes root'ed, shitc.tgz installed Dave Dittrich (Dec 06)