Security Incidents mailing list archives
Re: FYI: Bind compromise
From: Roberto <cinini () TERRA ES>
Date: Thu, 22 Feb 2001 00:36:00 -0000
/dev/sdc0 = t0rnkit 6, usually /dev/sdc0/.nfs01
in.amdq = t0rnkit sshd 1.2.27

A lot of uk2.net hosts were compromised when the bind exploit came out, as an increase in IRC bots on the IRCnet network has been seen. More info can be found at http://www.torner-style.com about the kit, and many previous posts on this mailing list also analyse this kit in detail.
> A long time ago, in a galaxy far, far away, someone said...
>
>> What is in.amdq? A customized ssh daemon of sorts that allows anyone to
>> connect as root, or so it appears. They also must have used a rootkit of
>> some sort, as the process does not show up in ps auxw. There is probably
>> more to the compromise, but this is all I found. This server was running
>> named 8.2.3-REL, which I assume was the source of the system compromise.
>> According to my colo provider, everyone who had a colocated Linux box with
>> this version of BIND had been penetrated, so it's possible this attack is
>> self-replicating, although I could not find any traces of this on the
>> compromised system. Thankfully this box isn't that important, and thank
>> goodness I got bind 9.1 up and running on my important boxes before this
>> had happened.
>
> I disagree that this is a BIND 8.2.3 exploit. If it was we probably would
> have heard about it on BugTraq by now :)
>
> I've seen this rootkit (or, at least, this back door) on a RedHat box that
> had no business running, and was not running, BIND. They were, however,
> running all sorts of other services (it was RedHat 6.0, with *no* updates)
> that had nasty vulnerabilities.
>
> If you still have access to the compromised system, I think you'll find
> some files under /dev/sdc0/ (where the ssh backdoor gets its
> configuration).
>
> I think you will also find /usr/sbin/in.sysched. I have no idea what that
> does; I've heard it may be a DDoS tool. I haven't been able to find
> anything conclusive about it on Google, and nothing on packetstorm and
> SecurityFocus. What I know about it starts with the (way too short) thread
> at http://plug.skylab.org/200007/msg00526.html, and another (also way too
> short) at http://www.linux.ie/pipermail/ilug/2000-September/022860.html.
> As well as some stuff in Norwegian.
>
> --
> Phil Brutsche
> pbrutsch () tux creighton edu
>
> GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
> GPG key id: 50DE1CFC
> GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
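A triage check for the two indicators this thread describes, added here as an example and not part of the original thread: regular or dot-prefixed entries stashed under /dev (the kit's /dev/sdc0/.nfs01) and PIDs that the kernel lists in /proc but that ps does not report. It assumes a Linux host with /proc and a procps-style `ps`; the function names and the constructed test directories are mine.

```python
import os
import stat
import subprocess


def suspicious_dev_entries(dev_root="/dev"):
    """Regular files and dot-prefixed entries found anywhere under dev_root.

    /dev should hold device nodes, symlinks, FIFOs, sockets and directories;
    a regular file there (the thread's /dev/sdc0/.nfs01) is a review candidate.
    /dev/shm legitimately holds regular files, so treat hits as leads, not verdicts.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(dev_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks such as /dev/stdin
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) or name.startswith("."):
                hits.append(path)
    return sorted(hits)


def hidden_pids(proc_root="/proc", ps_output=None):
    """PIDs that exist as /proc/<pid> but are missing from `ps -e -o pid=` output.

    The kernel's /proc listing is compared with what the ps binary reports;
    a daemon visible in /proc but not in ps matches the thread's "does not show
    up in ps auxw" symptom. ps_output is passed in for offline tests; when None
    the real ps is run. Processes that start between the two snapshots can
    appear once as false positives, so re-run before drawing conclusions.
    """
    if ps_output is None:
        ps_output = subprocess.run(["ps", "-e", "-o", "pid="],
                                   capture_output=True, text=True, check=True).stdout
    seen_by_ps = {int(tok) for tok in ps_output.split() if tok.isdigit()}
    in_proc = {int(entry) for entry in os.listdir(proc_root) if entry.isdigit()}
    return sorted(in_proc - seen_by_ps)


if __name__ == "__main__":
    for path in suspicious_dev_entries():
        print("review:", path)
    for pid in hidden_pids():
        print("pid in /proc but not in ps:", pid)
```

Since the kit hides processes from the system's own ps, run this with a known-good python and ps (a static toolset or a boot from clean media), otherwise an empty result proves nothing.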