Security Incidents mailing list archives

Re: nasty tripwire report


From: David Worth <cesium () ahpcc unm edu>
Date: Wed, 16 Jan 2002 14:22:45 -0700 (MST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Heya,

I have become intimately familiar with this specific rootkit recently due
to a series of compromises which I investigated.  The rootkit's name is
Bobkit and is written by the du-crew (DownUnder crew... Sargeant is the
author's handle) which used to be found at http://www.du-crew.com which
appears to have been compromised (no irony is lost here). The du-crew owns
both du-crew.org and du-crew.com and have such cute whois entries... they
are k-r@d.

Interestingly enough, in the cases which I investigated the binaries
seemed to be linked against the wrong version of glibc, and were thus
causing a SEGFAULT.  (It's always interesting to log into a box which has
a segfaulting ls but which has an uncompromised stat)  This rootkit
actually has several parts I didn't see in your tripwire logs which
include things like bkit-patch which actually upgrades to the newest
versions of the rootkit using a version of wget which they include.  The
kit usually includes backdoored versions of ssh (running on ports > 1024)
etc... If anyone wants any further information on my experiences with the
kit feel free to contact me.

On Sun, 13 Jan 2002, Chester Jankowski wrote:

It looks like someone wasn't watching their Saturday morning cartoons
yesterday and decided to crack my home Linux box instead. I have included
the juicy bits from the tripwire report below. Now I have several questions
for the security experts here. Is this attack a recognized one? Any
suggestions for log analysis to track down the intruder? Is the only
recovery here a complete re-install? And lastly, is there any place I should
report the incident?

I would look in /var/log/messages*, /var/log/daemon*, /var/log/auth.log*,
etc for the intruder and then reinstall from scratch because it appears
they compromised a whole chunk of libraries and such which should never be
trusted again.

 - snip -

Added:
"/usr/lib/..."
"/usr/lib/.../ls"
"/usr/lib/.../netstat"
"/usr/lib/.../lsof"
"/usr/lib/.../bkit-ssh"
"/usr/lib/.../bkit-ssh/bkit-shdcfg"
"/usr/lib/.../bkit-ssh/bkit-shhk"
"/usr/lib/.../bkit-ssh/bkit-pw"
"/usr/lib/.../bkit-ssh/bkit-shrs"
"/usr/lib/.../bkit-ssh/bkit-shd.pid"
"/usr/lib/.../uconf.inv"
"/usr/lib/.../psr"
"/usr/lib/.../find"
"/usr/lib/.../pstree"
"/usr/lib/.../slocate"
"/usr/lib/.../du"
"/usr/lib/.../top"

 - snip -
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------

Added:
"/usr/bin/ntpsx"

 - snip -

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/ls"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/netstat)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/netstat"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/ps"


 - snip -

- --dave worth

 ... Crunch crunch crunch CRUNCH crunch crunch crunch CrunCH ...

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8Re8pSp8eEJaiKa8RAgmLAKCMn+gpXDUAgVUAV3UvpLxoUgROxwCeJWec
ixSzTb4QvNP+SDJFpr5IpQE=
=DY7P
-----END PGP SIGNATURE-----
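The tripwire excerpt above shows the pattern that makes this kit recognisable from an integrity report alone: a directory literally named "..." under /usr/lib holding copies of ls, netstat, ps-like tools and the bkit-ssh files, plus Modified entries for the real /bin/ls, /bin/netstat and /bin/ps. The following script is an added example (not part of the thread, and not Tripwire's own code) that parses a Tripwire-style report into (rule, severity, change, path) records, flags hidden dot-named components under system directories, flags replaced enumeration tools and new binaries in system bin directories, and correlates each replaced tool with a same-named file added under a hidden directory. The embedded report is constructed from the paths quoted in the thread; the "Libraries (/usr/lib)" rule header and its severity are assumed, since that part of the report was snipped.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample report, built from the paths quoted in the thread.
# The first rule header (name and severity) is assumed; it was snipped there.
SAMPLE_REPORT = """\
-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------

Added:
"/usr/lib/..."
"/usr/lib/.../ls"
"/usr/lib/.../netstat"
"/usr/lib/.../bkit-ssh/bkit-shd.pid"
"/usr/lib/.../psr"
"/usr/lib/.../top"

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------

Added:
"/usr/bin/ntpsx"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/ls"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/ps"
"""

RULE_RE = re.compile(r"^Rule Name:\s*(.+?)\s*$")
SEVERITY_RE = re.compile(r"^Severity Level:\s*(\d+)\s*$")
SECTION_RE = re.compile(r"^(Added|Modified|Removed):\s*$")
PATH_RE = re.compile(r'^"(.+)"\s*$')

# Hidden entries in home directories are normal; under these prefixes they are not.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/lib/", "/etc/", "/dev/", "/var/")
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}
# Tools a rootkit replaces to hide files, processes and sockets from the admin.
ENUMERATION_TOOLS = {"ls", "ps", "netstat", "lsof", "find", "top", "du",
                     "pstree", "slocate", "ifconfig", "login", "sshd"}


@dataclass(frozen=True)
class Change:
    rule: str
    severity: int
    kind: str   # Added / Modified / Removed
    path: str


def parse_report(text):
    """Turn the report text into Change records; state machine over rule headers and sections."""
    changes, rule, severity, kind = [], None, 0, None
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            rule, kind = m.group(1), None      # new rule: reset the section
        elif m := SEVERITY_RE.match(line):
            severity = int(m.group(1))
        elif m := SECTION_RE.match(line):
            kind = m.group(1)
        elif (m := PATH_RE.match(line)) and rule and kind:
            changes.append(Change(rule, severity, kind, m.group(1)))
    return changes


def hidden_component(path):
    """Return the first dot-prefixed component (e.g. '...') of a system path, else None."""
    if not path.startswith(SYSTEM_PREFIXES):
        return None
    for part in PurePosixPath(path).parts:
        if part not in (".", "..") and part.startswith("."):
            return part
    return None


def triage(changes):
    """Attach a short reason to every change that deserves a closer look."""
    findings = []
    for c in changes:
        p = PurePosixPath(c.path)
        if hidden := hidden_component(c.path):
            findings.append((c.path, f"hidden directory component {hidden!r}"))
        elif c.kind == "Modified" and p.name in ENUMERATION_TOOLS:
            findings.append((c.path, "enumeration tool replaced"))
        elif c.kind == "Added" and str(p.parent) in SYSTEM_BIN_DIRS:
            findings.append((c.path, "new binary in system bin dir"))
    return findings


def correlate(changes):
    """Map each replaced tool to a same-named file added under a hidden directory."""
    hidden_added = {PurePosixPath(c.path).name: c.path for c in changes
                    if c.kind == "Added" and hidden_component(c.path)}
    return {c.path: hidden_added[PurePosixPath(c.path).name] for c in changes
            if c.kind == "Modified" and PurePosixPath(c.path).name in hidden_added}


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for path, reason in triage(recs):
        print(f"{path:40} {reason}")
    for replaced, copy in correlate(recs).items():
        print(f"{replaced} replaced; same-named file added at {copy}")
```

Run it against a real report saved from tripwire --check and the correlate() output is the part worth acting on: a Modified system binary paired with a same-named Added file in a hidden directory is the signature of a trojaned tool set, which is exactly the "reinstall from scratch" case described above. The heuristics only have meaning if the tripwire database itself predates the compromise and was stored where the intruder could not rewrite it.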


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

