Security Incidents mailing list archives
Re: Machine compromised, rootkit and DDoS tools installed.
From: "Jeremy L. Gaddis" <jgaddis () JGADDIS NET>
Date: Fri, 22 Sep 2000 23:30:03 -0500
I've been very busy the past few days and haven't been able to examine the files that were installed on this system. I've taken the liberty of putting the files up for download so that anyone who wishes to may examine them. At first glance, it appears that the majority of the files are not stripped, so there might be some good info in there.

I have put two separate files up for download: one is a dump of running "ls -alR" on the box, the other is a file that was found in the filesystem which contains trojaned files, exploits (e.g. nestea, ssping, mscan) and the like. Since I have no interest in the compromised box other than personal (not to mention the owner doesn't care), I can't find time right now to go through the files myself, but I would be interested in hearing about anything that anyone else finds out regarding this rootkit.

The files are available at:

  http://www.blueriver.net/~jlgaddis/ls.txt.gz
  http://www.blueriver.net/~jlgaddis/shitc.tgz

Here's what I do know, or appear to know anyways. :) (The names to the left of the colon indicate filenames.)

/bin/frgy: Appears to be a trojaned sshd 1.2.27.

/bin/login: Trojaned version of /bin/login. The original was copied to /dev/lg0. This trojaned version appears to either spawn a root shell or pass control off to the original login. I'm not aware of how it decides which to do, however.

/dev/ddth3: Appears to be a "configuration file" for the trojaned netstat, telling it what IPs and ports to block from its output.

/dev/ddtz1: Possibly used by the trojaned ps to control what processes to hide.

/dev/hstkey: Host key for trojaned sshd?

/dev/rndmseed: Random seed file for trojaned sshd?

/dev/shconf: Configuration file for sshd (the equivalent of sshd_config).

/usr/sbin/in.slogind: Appears to be a trojaned version of in.telnetd.

One last note: The shitc.tgz file was found (along with the uncompressed contents) under /usr/bin/.../.termcap/.

Any comments, questions, etc. are welcome and appreciated.

-jg
-- 
Jeremy L. Gaddis <jgaddis () jgaddis net>
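An added example, not part of the post above or of the rootkit it describes: a few shell checks that turn the indicators Jeremy lists (plain files dropped under /dev, a dot-named directory under /usr/bin, a ps and netstat that lie) into something you can run on a box you suspect. It reads process and socket state from /proc rather than trusting the system's own ps and netstat. The function names, and the sample /proc/net/tcp content and directory tree the demo builds, are my own constructions; the /proc/net/tcp field layout (local socket as HEXIP:HEXPORT, state code 0A for LISTEN) is the standard Linux one.

```shell
#!/bin/sh
# Added example (not from the post or the rootkit it describes): turn the
# indicators in the post into checks that lean on the kernel's /proc view
# rather than on the box's own ps/netstat, which the post says are trojaned.
# Function names and the sample data built at the bottom are my own.

# 1. Regular files under a /dev tree. A normal /dev holds device nodes, symlinks
#    and a few directories; plain files there (/dev/ddth3, /dev/ddtz1, /dev/lg0,
#    /dev/shconf ... in the post) deserve a look. Symlinks are not followed.
regular_files_in_dev() {        # $1 = directory to scan (use /dev on a live box)
  find "$1" -type f 2>/dev/null | sort
}

# 2. Dot-named directories beneath a binary path, such as /usr/bin/.../.termcap
#    where shitc.tgz was found. -name '.*' matches any basename starting with a
#    dot; -mindepth 1 keeps the starting directory itself out of the result.
hidden_dirs_under() {           # $1 = root to scan (e.g. /usr/bin on a live box)
  find "$1" -mindepth 1 -type d -name '.*' 2>/dev/null | sort
}

# 3. LISTEN sockets read directly from /proc/net/tcp. The kernel prints the local
#    socket as HEXIP:HEXPORT in field 2 and the state code in field 4 (0A = LISTEN).
#    Compare the result with what the box's netstat is willing to show.
listening_ports() {             # $1 = file in /proc/net/tcp format
  awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
  while read -r hexport; do
    echo $((0x$hexport))        # arithmetic expansion converts the hex port to decimal
  done | sort -n | uniq
}

# 4. PIDs that exist in /proc but are missing from ps output, the classic tell of
#    a trojaned ps. Both arguments are whitespace-separated PID lists, so the
#    check also works on captured data. Live, call it as:
#    pids_hidden_from_ps "$(ls /proc | grep '^[0-9]')" "$(ps -e -o pid=)"
pids_hidden_from_ps() {         # $1 = PIDs seen in /proc, $2 = PIDs reported by ps
  printf '%s\n' $2 | awk -v procs="$1" '
    { seen[$1] = 1 }
    END {
      n = split(procs, p, " ")  # FS " " splits on runs of blanks and newlines
      for (i = 1; i <= n; i++) if (!(p[i] in seen)) print p[i]
    }'
}

# Constructed /proc/net/tcp sample: listeners on 22 and 6667, plus one
# established connection (state 01) that must be ignored.
write_sample_tcp() {            # $1 = file to write
  cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 0100007F:0016 0100007F:8C6A 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 20 4 30 -1
EOF
}

# --- stand-alone demo on a constructed tree; nothing here touches the live system ---
demo=$(mktemp -d)
mkdir -p "$demo/dev" "$demo/usr/bin/.../.termcap"
: > "$demo/dev/ddth3"            # stand-in for the rootkit's netstat config file
ln -s /dev/null "$demo/dev/null" # a symlink, as a real /dev has; must not be reported
write_sample_tcp "$demo/tcp"
echo "plain files in dev:";   regular_files_in_dev "$demo/dev"
echo "hidden dirs:";          hidden_dirs_under "$demo/usr/bin"
echo "LISTEN ports:";         listening_ports "$demo/tcp"
echo "PIDs hidden from ps:";  pids_hidden_from_ps "1 2 3 4 5" "1 2 4 5"
rm -rf "$demo"
```

On a live box point the functions at /dev, /usr/bin and /proc/net/tcp, and diff the port and PID lists against what netstat and ps print. The caveat that applies to every such check: once /bin/login and sshd have been replaced, sh, find and awk may have been too, so run these from a clean boot medium or from known-good static binaries, and treat the box's own tools as suspects rather than witnesses.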
Current thread:
- Machine compromised, rootkit and DDoS tools installed. Jeremy L. Gaddis (Sep 22)
- Re: Machine compromised, rootkit and DDoS tools installed. Chris Keladis (Sep 25)
- Re: Machine compromised, rootkit and DDoS tools installed. Ben Belchak (Sep 25)
- <Possible follow-ups>
- Re: Machine compromised, rootkit and DDoS tools installed. H Carvey (Sep 24)
- Re: Machine compromised, rootkit and DDoS tools installed. Jeremy L. Gaddis (Sep 24)
- Re: Machine compromised, rootkit and DDoS tools installed. Chris Keladis (Sep 25)