Security Incidents mailing list archives
I Was rooted
From: ah228 () CORNELL EDU (Andrew Heath)
Date: Mon, 17 Jul 2000 16:06:16 -0400
Sometime between 11 July and 17 July, one of the Linux boxes I oversee was rooted. RH6.2, and I believe it was through the WuFTPD bug. Yes, I know I should have upgraded it sooner, but it was a test box.

Anyway, the attacker used a rootkit I've not seen before, "anivnew.tar.gz." It's not a terribly intelligent rootkit; find and locate still work, and it doesn't patch the RPM database. It does trojan ps, ls, in.ftpd, tcpd, and syslogd, as well as sshd and sshd2, which seems a bit strange. Things that it does that don't make sense to me include trojaning named, stopping and deleting portmap, smbd, and nmbd, and removing the imap entry from inetd.conf. It also adds a binary "myserver" into lib which seems to be a root shell, spawned by the trojaned SSHs, as lsof before I pulled the plug showed port 22 was connected to "myserver." (In fact, lsof was accidental; ls seemed broken.) It also dumps a bunch of stuff in "/bin/ /".

The last entry before syslog was killed was an entry from an @HOME customer in NJ, and that same box was attached to "myserver", so that box is either the cracker or a crackee.
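The post notes that this kit leaves the RPM database alone, which makes `rpm -Va` the quickest way to enumerate what it replaced or deleted. The script below is an added example, not the poster's code or anything from the rootkit: it parses `rpm -Va` output and groups the results into replaced system binaries, missing files, and edited config files. The sample report is constructed to mirror the binaries the post names (ls, ps, in.ftpd, tcpd, syslogd, sshd, named, the deleted portmap/smbd/nmbd, the edited inetd.conf); it is not output from the compromised host. One caveat the post implies: with ls, ps and syslogd already trojaned, rpm and libc could be too, so run rpm from trusted media or against a mounted image of the disk rather than on the live box.

```python
import re

# Directories whose package-owned binaries and libraries a rootkit of this kind replaces.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")

# One `rpm -Va` line: an attribute field (8 chars on rpm 3.x as shipped with RH6.2,
# 9 on later rpm, or the literal "missing"), an optional file-type marker
# (c = config file, d = documentation, ...), and the path.
VERIFY_LINE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)


def triage_rpm_verify(report: str) -> dict:
    """Group `rpm -Va` output into the findings that matter on a suspected rootkit case.

    Returns {"contents changed": [...], "missing": [...], "config changed": [...]};
    each list keeps the report's order.
    """
    findings = {"contents changed": [], "missing": [], "config changed": []}
    for raw in report.splitlines():
        m = VERIFY_LINE.match(raw.rstrip())
        if not m:
            continue  # blank lines and dependency chatter, not verify results
        attrs, ftype, path = m.group("attrs"), m.group("ftype"), m.group("path")
        if attrs == "missing":
            findings["missing"].append(path)
            continue
        # 'S' = size differs, '5' = MD5 digest differs: the file body was replaced.
        # '.' means that attribute is unchanged; '?' means rpm could not test it.
        # A bare 'T' (mtime) with matching digest is noise, not a trojan.
        content_changed = "S" in attrs or "5" in attrs
        if ftype == "c":
            # Edited config files are normal on any host; list them for review
            # (the post's removed imap line in inetd.conf would show up here),
            # but do not treat them as replaced binaries.
            if content_changed:
                findings["config changed"].append(path)
            continue
        if content_changed and path.startswith(SYSTEM_DIRS):
            findings["contents changed"].append(path)
    return findings


# Constructed sample in rpm 3.x format, mirroring what the post describes.
# Hypothetical: not captured from the compromised machine.
SAMPLE_RPM_VA = """\
S.5....T   /bin/ls
S.5....T   /bin/ps
S.5....T   /usr/sbin/in.ftpd
S.5....T   /usr/sbin/tcpd
S.5....T   /sbin/syslogd
S.5....T   /usr/sbin/sshd
S.5....T   /usr/sbin/named
missing    /sbin/portmap
missing    /usr/sbin/smbd
missing    /usr/sbin/nmbd
S.5....T c /etc/inetd.conf
.......T   /usr/share/zoneinfo/EST5EDT
..?.....   /usr/bin/passwd
Unsatisfied dependencies for example-1.0-1: libfoo.so.1
"""

if __name__ == "__main__":
    # On a real case: rpm -Va > /mnt/clean/rpm-va.txt, then feed that file in.
    for reason, paths in triage_rpm_verify(SAMPLE_RPM_VA).items():
        for p in paths:
            print(f"{reason:17} {p}")
```

The replaced-binary list is exactly the set the post enumerates, the missing list matches the deleted daemons, and the mtime-only and untestable entries are dropped so the output is short enough to act on. Anything `rpm -Va` cannot see at all, such as a new binary like "myserver" dropped in lib or a directory named "/bin/ /", still needs a separate `find` over the filesystem, which the post observes this kit did not hide.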