Subject: I Was rooted
From: Andrew Heath (ah228 at CORNELL.EDU)
Date: Mon Jul 17 2000 - 15:06:16 CDT
- Next message: Kee Hinckley: "Obfuscated URL's in spam"
- Previous message: Rune Kristian Viken: "Sudden increase in scans."
- Next in thread: Michal Nazarewicz: "Re: I Was rooted"
- Reply: Michal Nazarewicz: "Re: I Was rooted"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sometime between 11 July and 17 July, one of the Linux boxes I oversee was
rooted. RH6.2, and I believe it was through the WuFTPD bug. Yes, I know I
should have upgraded it sooner, but it was a test box. Anyway, the
attacker used a rootkit I've not seen before, "anivnew.tar.gz." It's not a
terribly intelligent rootkit; find and locate still work, and it doesn't
patch the RPM database. It does trojan ps, ls, in.ftpd, tcpd, and syslogd,
as well as the sshd and sshd2, which seems a bit strange. Things that it
does that don't make sense to me include trojaning named, stopping and
deleting portmap, smbd, and nmbd, and removing the imap entry from
inetd.conf. It also adds a binary "myserver" into lib which seems to be a
root shell, spawned by the trojaned SSHs, as lsof before I pulled the plug
showed port 22 was connected to "myserver." (In fact, lsof was accidental;
ls seemed broken.) It also dumps a bunch of stuff in "/bin/ /
The last entry before syslog was killed was an entry from an @HOME customer
in NJ, and that same box was attached to "myserver", so that box is either
the cracker or a crackee.
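Since the rootkit described above leaves the RPM database alone, `rpm -Va` still compares each package-owned file against its recorded size and MD5, which is the quickest way to enumerate the trojaned binaries. The script below is an added example (not the poster's code) that triages such output; the sample output is constructed to mirror the files named in the post, and the parser assumes the standard `rpm -V` line format (flag field, optional `c` config marker, path, or `missing`).

```python
"""Triage `rpm -Va` output after a suspected rootkit install."""
import re

# Constructed sample of `rpm -Va` output, mirroring the binaries the post
# lists as trojaned, the edited inetd.conf and the deleted daemons.
SAMPLE_RPM_V = """\
S.5....T    /bin/ps
S.5....T    /bin/ls
S.5....T    /usr/sbin/in.ftpd
S.5....T    /usr/sbin/tcpd
S.5....T    /sbin/syslogd
S.5....T    /usr/sbin/named
S.5....T  c /etc/inetd.conf
.......T  c /etc/hosts.allow
missing     /sbin/portmap
missing     /usr/sbin/smbd
Unsatisfied dependencies for samba-2.0.6: portmap
"""

# flags: 8 or 9 test characters (S size, M mode, 5 MD5, T mtime, ...) or
# the literal "missing"; an optional attribute letter (c = config file)
# precedes the path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)


def triage(output):
    """Split verify output into likely trojans, edited configs, missing
    files and harmless mtime-only changes."""
    result = {"trojaned": [], "changed_config": [], "missing": [], "mtime_only": []}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # dependency notes and other chatter
        flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
        if flags == "missing":
            result["missing"].append(path)
        elif "5" in flags or "S" in flags:  # contents differ from the package
            bucket = "changed_config" if attr == "c" else "trojaned"
            result[bucket].append(path)
        else:
            result["mtime_only"].append(path)  # timestamp only, usually benign
    return result


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_RPM_V).items():
        print(f"{bucket}: {paths}")
```

The check trusts the `rpm` binary and its database, so run it from a clean boot or a known-good `rpm` against the mounted disk; files the kit drops outside any package (the `myserver` binary in lib) will not appear here and need a separate pass over unowned files.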