Security Incidents mailing list archives

hacked


From: anton () KASKA NET (Anton)
Date: Mon, 14 Feb 2000 09:09:51 +0100



A host I am familiar with but not admin of was hacked (RedHat) and I
was wondering if anyone has seen this specific rootkit before... I
am a little bit confused and think that the host was actually rooted
mid January and that someone else came in later with the admrocks...
possibly two visitors...

- The binaries appeared to have been compiled on the host.
- ADMROCKS subdir was present in the /etc/named (although empty)
- A seldom used (if ever) account was apparently compromised and used
(some file permissions identified this user and the fact that he was
in the wheel group which is not indicated in either the passwd file
or group file (at least the ones in /etc !)
- passwd & <unused> shadow are not used... it is obvious there is
another copy somewhere...
- /dev/.ha exists... this is home of the source, binaries and other
goodies
- /bin/t exists and strings --bytes=3 shows:
__gmon_start__
libc.so.6
printf
system
__deregister_frame_info
unlink
sprintf
link
_IO_stdin_used
__libc_start_main
__register_frame_info
__xstat
GLIBC_2.0
PTRh\
QVh
cat /var/log/secure | grep -v ftp > 11
cat 11 | grep -v telnet > 11
mv 11 /var/log/secure
/bin/netstat
/usr/sbin/tcpdump
/.bash_history
/dev/null
/root/.bash_history
Which I found rather amusing :-)

- netcat appears to have been played with a tad... not real sure what
they were doing (of course I may be wrong here)
- Found a file called "pedal" that IS related but haven't broken it
apart yet to see what it does as well as a bogus xps
- There are signs (strong) that the inetd has been replaced along with
most of the... shall we say about every networking-related binary?

- login and ps have been replaced (at a minimum) with a trojan (again,
compiled locally) and conveniently logs to a file in /dev/ttypz
(see below)

Anybody seen this one?

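A small triage check, added here as an example and not part of the original post or of any real tool, that reproduces the `strings --bytes=3` step in code and flags a binary whose printable strings combine a shell-out capability (`system`) with the log-rewriting fragments the post saw in /bin/t (filtering /var/log/secure through `grep -v` and moving the result back). The indicator patterns and the two sample blobs are constructed for the example; the only real artefacts are the strings quoted in the post.

```python
import os
import re

def extract_strings(data: bytes, min_len: int = 3) -> list:
    """ASCII equivalent of `strings --bytes=min_len`: printable runs >= min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

# Indicators drawn from the /bin/t strings in the post (patterns constructed here).
LOG_CLEANER_PATTERNS = [
    re.compile(r"/var/log/\w+"),      # touches a log file by name
    re.compile(r"grep -v"),           # filters lines out of something
    re.compile(r"^mv .*/var/log/"),   # writes a filtered copy back over the log
    re.compile(r"\.bash_history"),    # shell history tampering (-> /dev/null)
]
LIBC_CALLS = {"system", "unlink", "link"}   # shell out + swap files in place

def assess_binary(data: bytes, min_len: int = 3) -> dict:
    """Score one file's strings; 'suspicious' needs log rewriting AND system()."""
    found = extract_strings(data, min_len)
    hits = [s for s in found if any(p.search(s) for p in LOG_CLEANER_PATTERNS)]
    calls = LIBC_CALLS.intersection(found)
    suspicious = len(hits) >= 2 and "system" in calls
    return {"strings": found, "log_cleaner_hits": hits,
            "libc_calls": sorted(calls), "suspicious": suspicious}

def hidden_dev_entries(dev_path: str = "/dev") -> list:
    """Dot-named entries under /dev, where the post found /dev/.ha."""
    try:
        return sorted(n for n in os.listdir(dev_path) if n.startswith("."))
    except OSError:
        return []

# Constructed sample blobs: ELF-looking noise with the post's /bin/t strings embedded.
SAMPLE_TROJAN = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"libc.so.6\x00printf\x00system\x00unlink\x00sprintf\x00link\x00"
    + b"cat /var/log/secure | grep -v ftp > 11\x00"
    + b"cat 11 | grep -v telnet > 11\x00"
    + b"mv 11 /var/log/secure\x00/.bash_history\x00/dev/null\x00")
SAMPLE_BENIGN = b"\x7fELF\x00\x00libc.so.6\x00printf\x00Hello, world\x00"

if __name__ == "__main__":
    for name, blob in (("trojan-like", SAMPLE_TROJAN), ("benign", SAMPLE_BENIGN)):
        r = assess_binary(blob)
        print(name, "suspicious:", r["suspicious"], "hits:", r["log_cleaner_hits"])
    print("hidden entries under /dev:", hidden_dev_entries())
```

Run over a real file with `assess_binary(open(path, "rb").read())`; a hit only says the binary carries log-rewriting shell fragments, so compare it against a known-good package copy before concluding anything.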

