From: Alvin Oga (alvin.sec@Mail.Linux-Consulting.com)
Date: Sun Jun 03 2001 - 06:43:21 CDT
hi ya
for those of you looking at this stuff,...
i missed one file .... that tripwire found ...that i skipped over
-rwxr-xr-x 1 root root 14443 May 31 09:54 /usr/lib/pt07*
thanx
alvin
http://www.Linux-Sec.net
> On Sat, 2 Jun 2001, Michal Zalewski wrote:
>
> > On Fri, 1 Jun 2001, Alvin Oga wrote:
> >
> > > just was curious why i couldn't find any references on any of the
> > > "unique" keywords ( maniac-Rk, grabb, ipz.gz ...
> >
> > I haven't seen it anywhere else, but it seems to be built using
> > publicly available, common stuff...
> >
> > > -rwxr-xr-x 1 root root 5043 Mar 23 07:18 addlen*
> >
> > This is a program to pad replaced file with zeros to match its original
> > size.
> >
> > > -rw-r--r-- 1 root root 5744 May 31 10:10 adore.o
> > > -rwxr-xr-x 1 root root 14248 May 31 10:10 ava*
> >
> > That is a pretty popular kernel-level backdoor, designed by stealth (two
> > parts, kernel-space and user-space).
> >
> > > -rwxr-xr-x 1 root root 1080 Mar 23 07:48 clear_logs*
> >
> > Hard to identify - pretty small, probably invokes vanish2 (is it a shell
> > script?).
> >
> > > -rwxr-xr-x 1 root root 7985 Mar 23 07:38 fix*
> >
> > This one is used to fix checksums of files (not md5 digests ;).
> >
> > > -rwxr-xr-x 1 root root 10171 May 4 12:39 grabbb.gz*
> >
> > That would be a banner scanner, publicly available.
> >
> > > -rwxr-xr-x 1 root root 5220 Jun 1 18:53 install.sh*
> >
> > ...and this script would invoke 'addlen' and 'fix' ;)
> >
> > > -rwxr-xr-x 1 root root 4734 May 8 10:04 ipz.gz*
> >
> > /* members.xoom.com/i0wnu
> > * IPZ by Mixter (c) 1999
> > * Generates IP Addresses for Class A/B/C SubNets
> > * in non-sequential order (for unnoticed scanning). */
> >
> > > -rwxr-xr-x 1 root root 10496 Mar 23 07:48 pine.out*
> >
> > (unidentified, probably worth a look)
> >
> > > -rwxr-xr-x 1 root root 9070 May 4 11:55 slice*
> >
> > This seems to be one of the DDoS attack proggies.
> >
> > > -rwxr-xr-x 1 root root 15335 May 31 09:58 ping*
> >
> > Well, that would be standard ping utility, I presume, carried for some
> > reason.
> >
> > > -rw-r--r-- 1 root root 19700 Jun 1 18:03 snifflog
> > > ---s--s--x 1 root root 11869 Apr 4 19:10 sush*
> >
> > This one is pretty interesting. I know only a few exploits that use this
> > name:
> >
> > - suidperl
> > - old crontab exploit
> > - Linux 2.2 capabilities exploit
> >
> > But the last two use /tmp, not the current directory, for creating 'sush'.
> >
> > > -rwxr-xr-x 1 root root 12405 May 31 09:38 vanish2.gz*
> >
> > And that would be another log cleaner.
> >
> > > -rwxr-xr-x 1 root root 58068 May 19 06:58 wget.gz*
> > > -rwxr-xr-x 1 root root 20445 Apr 2 12:24 bnc.gz*
> > > -rwxr-xr-x 1 root root 14319 May 31 10:05 tty*
> >
> > These proggies seem to be not harmful.
> >
> > --
> > _____________________________________________________
> > Michal Zalewski [lcamtuf@bos.bindview.com] [security]
> > [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
> > =-=> Did you know that clones never use mirrors? <=-=
> >
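Two details in the thread above matter for anyone doing host integrity checking: 'addlen' pads a replaced binary with zeros so its size matches the original, 'fix' repairs non-cryptographic checksums (the reply stresses "not md5"), and 'sush' turned up as a setuid/setgid file. A size or CRC comparison therefore proves nothing; a cryptographic digest plus a scan for setuid bits does. The script below is an added example written for this archive page, not code from the thread, from tripwire or from any of the tools listed. It builds a constructed directory, takes a baseline, then simulates exactly the pattern described (a size-preserving replacement of 'ping' and a dropped setuid 'sush') and shows which of the recorded attributes still catch it. All file names and contents are constructed for the demo.

```python
"""Added example: minimal file-integrity baseline that records size, CRC-32,
SHA-256 and mode bits, then reports size-preserving replacements and
setuid/setgid files. Not part of the original thread."""
import hashlib
import os
import stat
import tempfile
import zlib


def fingerprint(path):
    """Return size, CRC-32, SHA-256 and permission bits for one regular file."""
    st = os.lstat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "size": st.st_size,
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,   # weak: forgeable, kept for contrast
        "sha256": hashlib.sha256(data).hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),         # includes setuid/setgid/sticky bits
    }


def baseline(root):
    """Fingerprint every regular file under root (symlinks are skipped)."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def compare(old, new):
    """Return (relative path, finding) tuples.

    A file whose SHA-256 changed while its size stayed equal is reported as a
    'size-preserving replacement', the pattern addlen is built to produce.
    Any file carrying setuid or setgid in the new baseline is reported too."""
    findings = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            findings.append((rel, "added"))
        elif rel not in new:
            findings.append((rel, "removed"))
        elif old[rel]["sha256"] != new[rel]["sha256"]:
            if old[rel]["size"] == new[rel]["size"]:
                findings.append((rel, "size-preserving replacement"))
            else:
                findings.append((rel, "modified"))
    for rel, fp in sorted(new.items()):
        if fp["mode"] & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid"))
    return findings


def demo():
    """Constructed scenario: baseline a tree, then replace one file with a
    NUL-padded stand-in of identical length and drop a setuid binary."""
    with tempfile.TemporaryDirectory() as root:
        orig = b"#!/bin/sh\necho real ping\n" * 4
        with open(os.path.join(root, "ping"), "wb") as fh:
            fh.write(orig)
        with open(os.path.join(root, "tty"), "wb") as fh:
            fh.write(b"harmless\n")
        before = baseline(root)

        # Size-preserving replacement: shorter content padded with zeros.
        replacement = b"#!/bin/sh\necho replaced\n"
        padded = replacement + b"\0" * (len(orig) - len(replacement))
        with open(os.path.join(root, "ping"), "wb") as fh:
            fh.write(padded)

        # New file with the ---s--s--x mode seen in the thread's listing.
        sush = os.path.join(root, "sush")
        with open(sush, "wb") as fh:
            fh.write(b"constructed placeholder, not a real binary\n")
        os.chmod(sush, 0o6111)
        after = baseline(root)

        # Size alone would not have noticed the replacement.
        assert before["ping"]["size"] == after["ping"]["size"]
        return compare(before, after)


if __name__ == "__main__":
    for rel, what in demo():
        print(f"{what:28s} {rel}")
```

The CRC-32 field is kept only to make the point: a tool like 'fix' exists precisely because sum-style checksums can be made to agree, so the comparison logic keys on SHA-256 and treats the size match as a signal rather than as reassurance.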