Security Incidents mailing list archives

I was rooted


From: ah228 () CORNELL EDU (Andrew Heath)
Date: Mon, 17 Jul 2000 16:06:16 -0400


Sometime between 11 July and 17 July, one of the Linux boxes I oversee was
rooted.  RH6.2, and I believe it was through the WuFTPD bug.  Yes, I know I
should have upgraded it sooner, but it was a test box.  Anyway, the
attacker used a rootkit I've not seen before, "anivnew.tar.gz."  It's not a
terribly intelligent rootkit; find and locate still work, and it doesn't
patch the RPM database.  It does trojan ps, ls, in.ftpd, tcpd, and syslogd,
as well as sshd and sshd2, which seems a bit strange.  Things that it
does that don't make sense to me include trojaning named, stopping and
deleting portmap, smbd, and nmbd, and removing the imap entry from
inetd.conf.  It also adds a binary "myserver" into lib which seems to be a
root shell, spawned by the trojaned SSHs, as lsof before I pulled the plug
showed port 22 was connected to "myserver."  (In fact, lsof was accidental;
ls seemed broken.)  It also dumps a bunch of stuff in "/bin/   /

The last entry before syslog was killed was an entry from an @HOME customer
in NJ, and that same box was attached to "myserver", so that box is either
the cracker or a crackee.
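Two of the observations above (the rootkit does not patch the RPM database, and lsof showed port 22 attached to "myserver" rather than sshd) translate directly into checks an admin can script. The snippet below is an added example, not part of the original post and not from the rootkit or from Red Hat; it filters `rpm -Va` output down to files whose size or MD5 digest no longer match the package database, and filters `lsof -i` output down to sockets on the ssh port owned by something other than sshd. The `rpm -V` and `lsof` lines it is fed here are constructed samples modelled on the binaries the post lists (the host name `testbox` and peer `attacker.example` are placeholders), since nothing from the actual box was posted. The caveat a practitioner would add: on a host where ls, ps and friends are trojaned, run `rpm` and `lsof` from known-good media, and treat `rpm -V` as meaningful only because, as the post notes, the database itself was left alone.

```shell
#!/bin/sh
# Added example (not from the original post): sift `rpm -Va` and `lsof -i`
# output for the kind of tampering described in the post.

# Constructed sample of `rpm -Va` output. Flag field: S=size, M=mode,
# 5=MD5 digest, T=mtime; "c" marks a config file; "missing" means the
# packaged file is gone from disk (the post says portmap was deleted).
SAMPLE_RPMV='S.5....T.    /bin/ps
S.5....T.    /bin/ls
S.5....T.    /usr/sbin/in.ftpd
S.5....T.    /usr/sbin/tcpd
S.5....T.    /sbin/syslogd
S.5....T.    /usr/sbin/named
missing      /sbin/portmap
.......T.    /usr/bin/locate
S.5....T.  c /etc/inetd.conf
.M.......    /dev/null'

# Constructed sample of `lsof -i` output (placeholder host names).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      321 root    3u  IPv4   1122       TCP *:ssh (LISTEN)
myserver  987 root    4u  IPv4   3344       TCP testbox:ssh->attacker.example:1044 (ESTABLISHED)
named     210 root    5u  IPv4    990       UDP *:domain'

# Reads `rpm -Va` output on stdin and prints the path of every file whose
# size (S) or digest (5) differs from the RPM database, or that is missing.
# An mtime-only change (T) or a mode-only change (M) is not reported, so a
# touched-but-unmodified locate binary or /dev/null does not show up.
flag_modified() {
    awk '$1 == "missing" || $1 ~ /S/ || $1 ~ /5/ { print $NF }'
}

# Reads `lsof -i` output on stdin and prints command, PID and socket for
# every TCP/UDP endpoint on the ssh port whose owning process is not sshd.
# The post's "myserver" root shell, reached through the trojaned sshd,
# is exactly this pattern.
suspect_ssh_sockets() {
    awk 'NR > 1 && $0 ~ /:ssh(->| |$)/ && $1 != "sshd" {
        print $1, $2, $(NF-1), $NF
    }'
}

# Stand-alone usage: feed the constructed samples through both filters.
# On a live host you would instead run
#   rpm -Va | flag_modified
#   lsof -i | suspect_ssh_sockets
# with rpm/lsof/awk taken from trusted media.
echo "== files differing from the RPM database =="
printf '%s\n' "$SAMPLE_RPMV" | flag_modified
echo "== non-sshd processes on the ssh port =="
printf '%s\n' "$SAMPLE_LSOF" | suspect_ssh_sockets
```

The filters deliberately ignore mtime-only changes, since a package upgrade or a `touch` changes T without changing content; size or digest drift on ps, ls, tcpd or syslogd is the signal worth chasing, and a binary named anything but sshd holding port 22 is the other.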

