Security Incidents mailing list archives

Re: RedHat 6.2 boxes root'ed, shitc.tgz installed


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Mon, 4 Dec 2000 16:45:48 -0800

Slidey,

> as well as these files, /bin/egrep is trojaned.
> every time this runs, it seems to start up the 3
> backdoors. on startup of this particular machine,
> egrep was run in /etc/rc.d/rc causing the
> backdoors to be started each time the machine was
> started.

Well, not *every* time.  It appears it is trojaned to run /bin/die only
when certain errors occur during execution, but this can trivially be
made to happen on demand, e.g.:

# ./egrep foo /dev/zero
egrep: memory exhausted
sh: /bin/die: No such file or directory

As seen by ltrace:

__libc_start_main(0x0804aab8, 3, 0xbffffbc4, 0x08048d50, 0x08051ebc <unfinished ...>
__register_frame_info(0x08054aac, 0x08054c84, 0xbffffb84, 0x08048d75, 0x4010a1ec) = 0x4010ad40
strrchr("./egrep", '/')                           = "/egrep"
strrchr("./egrep", '/')                           = "/egrep"
setlocale(6, "")                                  = "en_US"
bindtextdomain("grep", "/usr/local/share/locale") = "/usr/local/share/locale"
textdomain("grep")                                = "grep"
getenv("GREP_OPTIONS")                            = NULL

 . . .

realloc(0x4012d008, 671092736)                    = NULL
__dcgettext(NULL, "memory exhausted", 5)          = "memory exhausted"
fprintf(0x40108a40, "%s: %s\n", "egrep", "memory exhausted") = 24
system("/bin/die" <unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                            = 32256
exit(2)                                           = <void>
__deregister_frame_info(0x08054aac, 0xbffffa6c, 0x08051ed1, 0x4010a1ec, 0xbffffa80) = 0x08054c84
+++ exited (status 2) +++

There are about a dozen places that call the function "error" (which
contains the system() call).  Does this look like what was happening
with the rc file?

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
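The ltrace above shows the tell-tale of this trojan: a stock grep binary that imports system() and carries the string "/bin/die" in its error path. The following Python is an added example, not code from Dave's post or from the list, showing the two checks a responder would run against a suspect binary: a strings(1)-style scan for suspicious imported symbols and absolute paths, and a SHA-256 comparison against a trusted baseline. SAMPLE_BINARY and TRUSTED_SHA256 are constructed stand-ins, not the real egrep or its real hash.

```python
import hashlib
import re

# Constructed stand-in for a binary image: an ELF magic, a few libc symbol
# names, the error-format string and the shell-out target seen in the post.
# This is NOT the real trojaned egrep from the incident.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"libc.so.6\x00system\x00realloc\x00fprintf\x00"
    + b"%s: %s\n\x00memory exhausted\x00/bin/die\x00"
    + b"\x90" * 32
)

# Constructed placeholder for the hash of the clean egrep from install media.
TRUSTED_SHA256 = "0" * 64

# Symbols a text-search utility has no business importing.
SUSPICIOUS_IMPORTS = {"system", "popen", "execve", "execl"}

# Absolute paths embedded in the binary; grep itself references none of these.
PATH_RE = re.compile(r"^/(bin|sbin|usr|tmp|dev|etc)/")


def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_indicators(data):
    """Flag suspicious imports and embedded absolute paths in a binary image."""
    strings = extract_strings(data)
    return {
        "imports": sorted(s for s in strings if s in SUSPICIOUS_IMPORTS),
        "paths": sorted(s for s in strings if PATH_RE.match(s)),
    }


def matches_baseline(data, trusted_sha256):
    """True when the binary's SHA-256 equals the trusted baseline digest."""
    return hashlib.sha256(data).hexdigest() == trusted_sha256


def assess(data, trusted_sha256):
    """Combine both checks into a verdict a responder can act on."""
    hits = find_indicators(data)
    if matches_baseline(data, trusted_sha256):
        return "clean"
    if hits["imports"] or hits["paths"]:
        return "trojaned"
    return "modified"  # hash differs but no indicator; inspect by hand


if __name__ == "__main__":
    print(find_indicators(SAMPLE_BINARY))
    print(assess(SAMPLE_BINARY, TRUSTED_SHA256))
```

On a RedHat box of that era the quickest equivalent of the baseline check is `rpm -V grep`, which reports size, mode and MD5 mismatches for every file the package owns; the string scan is the fallback when the package database itself cannot be trusted.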

