Subject: Re: Rooted through in.identd on Red Hat 6.0
From: Jose Nazario (jose BIOCSERVER.BIOC.CWRU.EDU)
Date: Fri Apr 21 2000 - 15:22:20 CDT
- Next message: Jon Lewis: "Re: RH6.1/IPChains box hacked"
- Previous message: Anton Chuvakin: "Re: Tools to analyze...:SUMMARY and trojaned file attached"
- In reply to: Cold Fire: "Re: Rooted through in.identd on Red Hat 6.0"
- Next in thread: Richard Wash: "Re: Rooted through in.identd on Red Hat 6.0"
- Reply: Jose Nazario: "Re: Rooted through in.identd on Red Hat 6.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 20 Apr 2000, Cold Fire wrote:
> They are the datafile used by trojaned netstat/ps, it looks as if
> /dev/cui220 is the data file for ps, stopping ps displaying
> the 'sh' 'bnc' 'slice2' and 'pt07' processes.
this sounds like a trivial variant of LRK4, Linux Rootkit 4 (see
packetstorm for the code). last month another analyst and i wrote
about our experiences with Shaft and how we found it on a system, mainly
as instructions to other admins on how to examine a compromised box. while
nothing new in terms of analysis methods, i think it's been pretty clear
and useful for people. it's a decent demonstration of lrk4 in the wild.
the link is:
http://biocserver.bioc.cwru.edu/~jose/shaft_analysis/node-analysis.txt
the point is that ls, find, etc. have all most likely been trojaned,
making investigatory work worth doing from a boot floppy with some tools
(like find, ls, etc.) or mounting the disk in a new system. i think our
experiences we detail in that document underscore that point. always mount
noexec and read-only, it will save your ass.
i hope this helps. i'm writing a paper, albeit slowly, on using the /proc
tree in Linux for forensic work which should be useful for incident
handling, too.
jose nazario jose
biochemistry.cwru.edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
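The two checks the reply above argues for, written out as an added example (this is not code from the post, from the linked Shaft write-up, or from LRK4 analysis tools). The first check uses the kernel-supplied /proc tree rather than a possibly trojaned ps binary: any numeric directory under /proc is a live PID, so a PID present there but absent from ps output is being hidden from the administrator. The second check points a SHA-256 manifest at the suspect filesystem mounted read-only and noexec on a clean host, so the comparison never executes the suspect's own ls, find or ps. Assumptions: ps output is in the `ps -eo pid,comm` layout (PID is the first column), the manifest comes from clean install media or vendor package hashes, and the sample /proc listing, ps output and "binaries" are constructed stand-ins built in a temporary directory.

```python
"""Two responder checks for a box whose userland tools may be trojaned.

Added example, not part of the original post. All sample data below is constructed.
"""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile
from pathlib import Path

# Assumes `ps -eo pid,comm` layout: PID is the first whitespace-delimited column.
PID_RE = re.compile(r"^\s*(\d+)\s")


def pids_from_ps(ps_output):
    """Parse the PIDs a (possibly trojaned) ps binary is willing to report."""
    pids = set()
    for line in ps_output.splitlines():
        m = PID_RE.match(line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc(proc_entries):
    """Numeric names under /proc are live PIDs and come from the kernel, not from ps."""
    return {int(name) for name in proc_entries if name.isdigit()}


def hidden_pids(proc_entries, ps_output):
    """PIDs the kernel knows about that ps did not list, sorted for stable reporting."""
    return sorted(pids_from_proc(proc_entries) - pids_from_ps(ps_output))


def live_hidden_pids():
    """Run the comparison on the running host (Linux only).

    Caveat: a process that starts between the ps run and the /proc listing shows up as a
    false positive, so re-run a few times before treating a PID as hidden.
    """
    out = subprocess.run(["ps", "-eo", "pid,comm"], capture_output=True, text=True, check=True).stdout
    return hidden_pids(os.listdir("/proc"), out)


def sha256_file(path):
    """Stream a file through SHA-256; reading the file never executes it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(root, manifest):
    """Compare files under `root` (mount point of a ro,noexec mount of the suspect disk)
    against {relative path: expected sha256}. Returns {path: 'missing' | 'modified'}."""
    findings = {}
    for rel, expected in manifest.items():
        p = Path(root) / rel
        if not p.is_file():
            findings[rel] = "missing"
        elif sha256_file(p) != expected:
            findings[rel] = "modified"
    return findings


# Constructed sample data: a ps that hides two PIDs, and a /proc listing with non-PID entries.
SAMPLE_PS = """  PID COMMAND
    1 init
  312 syslogd
  640 in.identd
  802 bash
"""
SAMPLE_PROC = ["1", "312", "640", "802", "917", "1043", "cpuinfo", "net", "self", "version"]

# Constructed stand-ins for known-good binaries; real work uses clean-media or vendor hashes.
KNOWN_GOOD = {
    "bin/ls": b"#!/bin/sh\necho clean-ls\n",
    "bin/ps": b"#!/bin/sh\necho clean-ps\n",
    "bin/netstat": b"#!/bin/sh\necho clean-netstat\n",
}


def demo():
    """Build a throwaway 'suspect root' with one clean, one modified and one missing binary."""
    root = Path(tempfile.mkdtemp(prefix="suspect-root-"))
    try:
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(KNOWN_GOOD["bin/ls"])          # untouched
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho trojaned-ps\n")  # replaced
        # bin/netstat deliberately absent
        manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in KNOWN_GOOD.items()}
        return {
            "hidden_pids": hidden_pids(SAMPLE_PROC, SAMPLE_PS),
            "binaries": verify_manifest(root, manifest),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real engagement `verify_manifest` is run from the clean host's own Python against the mount point of the suspect disk; `live_hidden_pids` is the in-place variant for when the box cannot be taken down, and its result is only as trustworthy as the kernel, which a loadable-module rootkit can also subvert.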