Security Incidents mailing list archives
RedHat 6.2 boxes root'ed, shitc.tgz installed
From: josh <dorqus () FREEK COM>
Date: Wed, 18 Oct 2000 11:23:20 -0400
A client of our company's had 5 or so RedHat 6.2 boxes rooted (default install, everything enabled - that's what they get for not letting us build 'em ;)

The attackers left behind a tarball called 'shitc.tgz' in /usr/bin/.../.terminfo. There is a modified sshd /bin/fgry which listens on port 5665 and /bin/in.slogind that listens on port 19000. There was also a bouncer, mdidentd, etc. Plus a little shell script called "die" to install all the good stuff for you. It left text files in /dev/hdaa, /dev/ddth3, /dev/ddtz1 that are config files for the modified programs to ignore.

Binaries replaced are: ls, named, nc, netstat, ps, pstree, rpc.statd, sloging, syslogd, and top.

The tarball also came with some DoS tools - boink, bonk, citra, flip, frag, jolt, lod, land, land2, land2, moyari13, nestea, ntear, smbquery, ssping, syndrop, tear2, teardrop, w2, whisper, ww. The rootkit also came with a bunch of network scanning utilities and the like.

Just a heads up - scan your boxes for ports 5665 and 19000. There also could be processes listening on ports 24, 63, 1900, and 6667. (If you don't already have ircd running)

-- josh
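The following triage script is an added example and is not josh's code or anything shipped with the rootkit. It turns the indicators in the post (the listening ports, the files under /dev and /usr/bin/.../.terminfo, the list of replaced binaries) into three checks: flag suspect LISTEN sockets in netstat output, test for the dropped files, and ask rpm whether the commonly replaced binaries still match their packages. The install paths assumed for those binaries are typical RedHat 6.2 locations, not taken from the post, and the netstat sample embedded at the bottom is constructed so the port check can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: triage checks built from the
# indicators josh listed. Ports, /dev paths and binary names come from the post;
# binary install paths are assumed, and SAMPLE_NETSTAT is constructed.

# 6667 only counts as suspect when no ircd is expected on the host.
SUSPECT_PORTS="5665 19000 24 63 1900 6667"
SUSPECT_PATHS="/usr/bin/.../.terminfo /dev/hdaa /dev/ddth3 /dev/ddtz1 /bin/fgry /bin/in.slogind"
# Assumed locations of the replaced binaries from the post ("sloging" is not resolved here).
REPLACED_BINS="/bin/ls /usr/sbin/named /usr/bin/nc /bin/netstat /bin/ps /usr/bin/pstree /sbin/rpc.statd /sbin/syslogd /usr/bin/top"

# flag_ports: read "netstat -an" style lines on stdin and print the local port
# of every TCP socket in LISTEN state whose port is in SUSPECT_PORTS.
flag_ports() {
    awk -v ports="$SUSPECT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # strip "addr:" from the local endpoint
            if (port in want) print port
        }'
}

# check_paths: print each rootkit path from the post that exists on this host.
check_paths() {
    for f in $SUSPECT_PATHS; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# verify_bins: let rpm compare each binary on disk against the size/md5/mode
# recorded for the package that owns it. Any output line (e.g. one starting
# with "S.5....") means the file differs from what the package shipped.
verify_bins() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; compare against vendor media instead" >&2; return 0; }
    for b in $REPLACED_BINS; do
        [ -e "$b" ] && rpm -Vf "$b"
    done
    return 0
}

# Constructed "netstat -an" output: the two backdoor listeners from the post
# next to ordinary sshd and smtp sockets and one established connection.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:19000           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40211          ESTABLISHED'

# check_sample: run flag_ports over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_ports
}

# Live run against this host. Because the kit replaces netstat and ps, their
# output hides the kit's own listeners: feed flag_ports the output of a
# known-good (statically linked, from clean media) netstat, or use a port scan
# taken from another host, before trusting a clean result.
if [ "${1:-}" = "--live" ]; then
    echo "== suspect listening ports (this host's netstat) =="
    netstat -an 2>/dev/null | flag_ports
    echo "== rootkit files present =="
    check_paths
    echo "== rpm verification of commonly replaced binaries =="
    verify_bins
fi
```

Run it as `sh triage.sh --live` on the suspect host; without `--live` it only defines the functions. A silent result from rpm -V is only as good as the rpm database it reads, which sits on the same compromised disk, so treat a match as a hint and a mismatch as a confirmation.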
Current thread:
- RedHat 6.2 boxes root'ed, shitc.tgz installed josh (Oct 19)
- Re: RedHat 6.2 boxes root'ed, shitc.tgz installed Scott Nursten (Oct 20)
- Re: RedHat 6.2 boxes root'ed, shitc.tgz installed Andreas Östling (Oct 20)
- Re: RedHat 6.2 boxes root'ed, shitc.tgz installed josh (Oct 24)
- Re: RedHat 6.2 boxes root'ed, shitc.tgz installed Bill Burge (Oct 24)
- Re: RedHat 6.2 boxes root'ed, shitc.tgz installed Jeremy Gaddis (Oct 24)