Re: FYI: Bind compromise

[Roberto <cinini () TERRA ES>]

/dev/sdc0 = t0rnkit 6 ususaly /dev/sdc0/.nfs01
in.amdq = tornkit sshd 1.2.27

a lot of uk2.net hosts were compromised when the 
bind exploit came out as a increase in irc BOT's on 
ircnet network IRCnet has been seen

more info can be found at http://www.torner-
style.com about the kit.. and many previous posts on 
this mailing list also analyse this kit in detail



> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A long time ago, in a galaxy far, far way, someone 
said...
> > What is in.amdq? A customized ssh daemon of 
sorts that allows anyone to
> > connect as root, or so it appears. They also must 
have used a rootkit of some
> > sort, as the process does not show up in ps 
auxw.  There is probably more to
> > the compromise, but this is all I found. This 
server was running named
> > 8.2.3-REL, which i assume was the source of the 
system compromise.  According
> > to my colo provider, everyone who had a 
collocated linux box with this
> > version of BIND had been penetrated, so it's 
possible this attack is
> > self-replicating, although I could not find any 
traces of this on the
> > compromised system. Thankfully this box isn't 
that important, and thank
> > goodness I got bind 9.1 up and running on my 
important boxes before this had
> > happened.
>
> I disagree that this is a BIND 8.2.3 exploit.  If it was 
we probably would
> have heard about it on BugTraq by now :)
>
> I've seen this rootkit (or, at least, this back door) on 
a RedHat box that
> had no business running, and was not running, 
BIND.  They were, however,
> running all sorts of other services (it was RedHat 
6.0, with *no*
> updates) that had nasty vulnerabilities.
>
> If you still have access to the compromised 
system, I think you'll find
> some files under /dev/sdc0/ (where the ssh 
backdoor gets its
> configuration).
>
> I think you will also find /usr/sbin/in.sysched.  I have 
no idea what that
> does; I've heard it may be a DDoS tool.  I haven't 
been able to find
> anything conclusive about it on google, and nothing 
on packetstorm and
> SecurityFocus.
>
> What I know about it starts with the (way too short) 
thread at
> http://plug.skylab.org/200007/msg00526.html, and 
another (also way too
> short) at http://www.linux.ie/pipermail/ilug/2000-
September/022860.html.
> As well as some stuff in Norwegian.
>
> - --
> - -----------------------------------------------------------------
-----
> Phil Brutsche                             
pbrutsch () tux creighton edu
> GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  
7E5E FD94 D264 50DE 1CFC
> GPG key id: 50DE1CFC
> GPG public key: 
http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
iD8DBQE6kw1I/ZTSZFDeHPwRAnCiAJ9M0VX4PGjJt
kve17HCjSeH+VANZACePVYo
> xGJp8qcMnM15tfGs2ewIo3U=
> =y0+C
> -----END PGP SIGNATURE-----