 
From: Wendell Craig Baker (wbakerSPLOOSH.EMERSON.BAKER.ORG)
Date: Mon Apr 02 2001 - 21:24:49 CDT


    Does anyone have any clues or folklore about this one? I searched google
    (cursory) and www.securityfocus.com's stuff and didn't get any hits.

    I just came across a trojan running on a (nearly stock) Red Hat 6.0 system.
    The perl and gcc have been replaced, but that's it.

    $ ls -l /usr/man/lman
    -rwxr-xr-x 1 root root 42321 May 28 2000 /usr/man/lman

    $ md5sum /usr/man/lman
    ce0fd34c01fece10b09a52e7b491c3b7 lman

    It was started in /etc/rc.d/rc.local very simply, the last four lines
    of the file were:

            cp -f /etc/issue /etc/issue.net
            echo >> /etc/issue
        fi
        /usr/man/lman <-------------- starting it.

    When I found it the program was waiting in skb_recv_datagram (if I read
    the ps output right).

    The machine had been hit with the rpc.statd query an hour before, but
    nothing came of that (as far as I could see). The file /usr/man/lman had
    been there for a while. The program had obviously been running since the
    machine had booted, since it had a low pid in the contiguous area with
    the rest of the persistent servers (pid=596).

    /proc/596 yielded nothing interesting save that the program had open
    a bunch of pipes and sockets.

    Using strings gives this output:

    /lib/ld-linux.so.2
    __gmon_start__
    libc.so.6
    printf
    random
    __strtol_internal
    getpid
    perror
    getuid
    __bzero
    recvfrom
    socket
    fprintf
    bind
    inet_addr
    __deregister_frame_info
    setsockopt
    rand
    strncmp
    sendto
    strtok
    fork
    srand
    getppid
    time
    stderr
    exit
    _IO_stdin_used
    __libc_start_main
    __register_frame_info
    GLIBC_2.0
    PTRh|
    WVSj
    212.86.185.26
    194.231.20.98
    194.241.42.162
    Must be ran as root.
    socket
    bind
    setsockopt
    newserver
    stream
    ping
    pong
    fork
    Forked into background, pid %d

    Okay, so the guy's got bad grammar "ran as root."
    No my boy, it's "run as root."

    Inverting those addresses gives:

    $ nslookup -query=ANY 162.42.241.194.in-addr.arpa.
    Server: localhost
    Address: 127.0.0.1

    *** localhost can't find 162.42.241.194.in-addr.arpa.: Non-existent host/domain

    $ nslookup -query=ANY 98.20.231.194.in-addr.arpa.
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    98.20.231.194.in-addr.arpa name = wskaelte.niederrhein.de

    Authoritative answers can be found from:
    20.231.194.in-addr.arpa nameserver = ibggate.niederrhein.de
    20.231.194.in-addr.arpa nameserver = dns1.dpn.de
    ibggate.niederrhein.de internet address = 194.77.170.1
    dns1.dpn.de internet address = 194.231.40.24

    $ nslookup -query=ANY 26.185.86.212.in-addr.arpa.
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    26.185.86.212.in-addr.arpa name = scs.internet-xs.de

    Authoritative answers can be found from:
    185.86.212.in-addr.arpa nameserver = xs1.internet-xs.de
    185.86.212.in-addr.arpa nameserver = dialin.circular.de
    185.86.212.in-addr.arpa nameserver = ns.nameserver.de
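The triage steps in the post (run `strings` over the suspect binary, pull out the hard-coded addresses, build the in-addr.arpa names for reverse lookup, and check rc.local for an odd startup line) can be scripted so the same checks are repeatable on other hosts. The following is an added example written for this archive page, not code from the original poster. The binary blob and the rc.local text are constructed samples modelled on the output quoted above, the keyword-to-meaning table and the list of "trusted" directories are assumptions of this example, and no DNS queries are made: the script only produces the reverse names you would feed to nslookup or dig.

```python
import re
import string

# Constructed sample: a small ELF-like blob carrying printable strings taken
# from the `strings` listing in the post. This is NOT the real /usr/man/lman.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/lib/ld-linux.so.2\x00libc.so.6\x00recvfrom\x00sendto\x00setsockopt\x00"
    + b"\x90\x90\xcc\x01"
    + b"212.86.185.26\x00194.231.20.98\x00194.241.42.162\x00"
    + b"Must be ran as root.\x00newserver\x00stream\x00ping\x00pong\x00"
    + b"Forked into background, pid %d\x00"
)

# Constructed rc.local: the last four lines match the post, the rest is filler.
SAMPLE_RC_LOCAL = """\
#!/bin/sh
if [ -f /etc/redhat-release ]; then
        cp -f /etc/issue /etc/issue.net
        echo >> /etc/issue
fi
/usr/man/lman
"""

# Printable ASCII minus the whitespace control characters `strings` would split on.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings -n 4`: return runs of at least min_len printable bytes."""
    out, run = [], bytearray()
    for b in data + b"\x00":  # trailing sentinel flushes the final run
        if b in PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\b"
)


def hardcoded_ipv4(strs) -> list:
    """Dotted quads embedded in the binary, deduplicated and sorted."""
    return sorted({m.group(0) for s in strs for m in IPV4.finditer(s)})


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name used for a PTR lookup (no query is sent)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


# Assumed meanings for strings that are worth a second look in a stray daemon.
INDICATORS = {
    "Must be ran as root": "insists on uid 0 (raw sockets / privileged ports)",
    "Forked into background": "daemonises itself at start-up",
    "recvfrom": "datagram receive, consistent with a skb_recv_datagram wait",
    "sendto": "datagram send",
    "setsockopt": "socket option tuning (broadcast, raw, etc.)",
}


def indicators(strs) -> list:
    """Sorted list of INDICATORS keys that appear in the extracted strings."""
    return sorted({key for s in strs for key in INDICATORS if key in s})


# Assumption: executables started from rc.local normally live under these.
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                "/usr/local/bin/", "/usr/local/sbin/", "/etc/")


def suspicious_rc_commands(text: str) -> list:
    """Non-comment lines whose first token is an absolute path outside TRUSTED_DIRS."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        first = s.split()[0]
        if first.startswith("/") and not first.startswith(TRUSTED_DIRS):
            hits.append(s)
    return hits


def triage(binary: bytes, rc_text: str) -> dict:
    """Run every check and return one report dictionary."""
    strs = extract_strings(binary)
    ips = hardcoded_ipv4(strs)
    return {
        "ips": ips,
        "reverse_names": [reverse_name(ip) for ip in ips],
        "indicators": {k: INDICATORS[k] for k in indicators(strs)},
        "rc_hits": suspicious_rc_commands(rc_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BINARY, SAMPLE_RC_LOCAL).items():
        print(f"{key}: {value}")
```

On a live host you would read the real file with `open(path, "rb").read()` in place of SAMPLE_BINARY and `/etc/rc.d/rc.local` in place of SAMPLE_RC_LOCAL; the reverse names are printed rather than resolved so the script stays offline and does not touch the operator's name servers during the investigation.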