Security Incidents mailing list archives
hacked
From: anton () KASKA NET (Anton)
Date: Mon, 14 Feb 2000 09:09:51 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A host I am familiar with but not admin of was hacked (RedHat) and I was wondering if anyone has seen this specific root kit before... I am a little bit confused and think that the host was actually rooted mid January and that someone else came in later with the admrocks... possibly two visitors...

- The binaries appeared to have been compiled on the host.

- ADMROCKS subdir was present in the /etc/named (although empty).

- A seldom used (if ever) account was apparently compromised and used (some file permissions identified this user and the fact that he was in the wheel group, which is not indicated in either the passwd file or group file (at least the ones in /etc!)).

- passwd & <unused> shadow are not used... it is obvious there is another copy somewhere...

- /dev/.ha exists... this is home of the source, binaries and other goodies.

- /bin/t exists and strings --bytes=3 shows:

    __gmon_start__
    libc.so.6
    printf
    system
    __deregister_frame_info
    unlink
    sprintf
    link
    _IO_stdin_used
    __libc_start_main
    __register_frame_info
    __xstat
    GLIBC_2.0
    PTRh\
    QVh
    cat /var/log/secure | grep -v ftp > 11
    cat 11 | grep -v telnet > 11
    mv 11 /var/log/secure
    /bin/netstat
    /usr/sbin/tcpdump
    /.bash_history
    /dev/null
    /root/.bash_history

  Which I found rather amusing :-)

- netcat appears to have been played with a tad... not real sure what they were doing (of course I may be wrong here).

- Found a file called "pedal" that IS related but haven't broken it apart yet to see what it does, as well as a bogus xps.

- There are signs (strong) that the inetd has been replaced along with most of the... shall we say about every networking related binary?

- login and ps have been replaced (at a minimum) with a trojan (again, compiled locally) and conveniently logs to a file in /dev/ttypz (see below).

Anybody seen this one?

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>

iQA/AwUBOKeqP4DLr7rsaSQEEQK1kgCfXaMmas8bkIcTHHnE1byVa0+P9nkAn0yb
o+ISQyX7NbyE/x2VdoUe8W7N
=dkGT
-----END PGP SIGNATURE-----
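The post shows two indicators a responder can check for mechanically: a binary whose embedded strings spell out a log-cleaning pipeline (the /bin/t strings above: filter /var/log/secure through a temp file with grep -v, point shell histories at /dev/null), and regular files or dot-directories living under /dev (the /dev/.ha source tree and the /dev/ttypz log file). The script below is an added example written for this page, not code from Anton's post or from any tool named in the thread. The token list, the hit threshold, the sample "binary" bytes and the temp-directory stand-in for /dev are all constructed here for illustration; on a real host you would point the two functions at a suspect file and at /dev itself.

```python
"""Defender-side triage for the indicators described in the post above.

Added example, not code from the post or its author. The token list, the
hit threshold and the constructed sample inputs are assumptions made here
for illustration.
"""
import os
import re
import stat
import tempfile

# Strings that, taken together, match the behaviour of the /bin/t binary
# quoted in the post: filter /var/log/secure through a temp file with
# grep -v and point the shell histories at /dev/null.
LOG_TAMPER_TOKENS = (
    "/var/log/secure",
    "grep -v",
    ".bash_history",
    "/dev/null",
)

# Constructed stand-in for the trojan: the strings the post quotes, embedded
# in filler bytes so the extractor has something to skip over.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"libc.so.6\x00printf\x00system\x00unlink\x00link\x00"
    + b"cat /var/log/secure | grep -v ftp > 11\x00"
    + b"cat 11 | grep -v telnet > 11\x00mv 11 /var/log/secure\x00"
    + b"/.bash_history\x00/dev/null\x00/root/.bash_history\x00"
    + b"\x90" * 32
)

# Constructed stand-in for an ordinary, untouched binary.
CLEAN_BINARY = b"\x7fELF" + b"\x00" * 8 + b"libc.so.6\x00printf\x00main\x00"


def printable_strings(data, min_len=3):
    """Rough equivalent of `strings --bytes=3`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def log_tamper_hits(data):
    """Return the LOG_TAMPER_TOKENS that appear among the binary's strings."""
    text = "\n".join(printable_strings(data))
    return tuple(t for t in LOG_TAMPER_TOKENS if t in text)


def looks_like_log_cleaner(data, min_hits=3):
    """Heuristic: three or more of the tokens in one binary is worth a look.
    The threshold is an assumption of this example, not something the
    post states."""
    return len(log_tamper_hits(data)) >= min_hits


def suspicious_dev_entries(dev_dir):
    """Entries under a /dev-like directory that are regular files or
    dot-named directories. /dev should hold device nodes, symlinks and a
    few ordinary directories; the post's /dev/.ha source tree and the
    /dev/ttypz log file would both be reported here."""
    found = []
    for name in sorted(os.listdir(dev_dir)):
        st = os.lstat(os.path.join(dev_dir, name))
        if stat.S_ISREG(st.st_mode):
            found.append((name, "regular file"))
        elif stat.S_ISDIR(st.st_mode) and name.startswith("."):
            found.append((name, "hidden directory"))
    return found


def demo_dev_scan():
    """Build a constructed /dev look-alike in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as dev:
        os.mkdir(os.path.join(dev, "pts"))               # ordinary dir: not flagged
        os.mkdir(os.path.join(dev, ".ha"))               # hidden dir, as in the post
        open(os.path.join(dev, "ttypz"), "w").close()    # regular file posing as a pty
        os.symlink("/proc/self/fd", os.path.join(dev, "fd"))  # symlink: not flagged
        return suspicious_dev_entries(dev)


if __name__ == "__main__":
    print("trojan strings:", log_tamper_hits(SAMPLE_BINARY))
    print("flag sample:", looks_like_log_cleaner(SAMPLE_BINARY))
    print("flag clean:", looks_like_log_cleaner(CLEAN_BINARY))
    print("/dev anomalies:", demo_dev_scan())
```

Both checks are triage heuristics, not proof: a legitimate log-rotation helper can reference /var/log/secure, and some distributions do keep a plain file or two under /dev, so treat a hit as a reason to pull the file for closer inspection (and to compare package checksums for ps, login, netstat and inetd) rather than as a verdict. One further observation on the quoted pipeline: `cat 11 | grep -v telnet > 11` redirects output into the same file it reads, so the second pass usually leaves the temp file truncated and the "cleaned" /var/log/secure mostly empty; a secure log that suddenly shrinks to nothing is therefore itself worth alerting on.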