OSEC

From: Alvin Oga (alvin.secMail.Linux-Consulting.com)
Date: Tue Jun 05 2001 - 05:04:55 CDT


    hi ya

    I've been checking my tripwire logs more carefully
    due to the other rootkit in my LAN...

    found another rootkit in another DNS server at a different
    domain/building/ISP
            - they installed cyberkit.tgz into /etc/named/

            - I don't think they did anything... no other files found
            ( that server does not have tar installed :-)

            - it is a RH-6.0 that was patched to bind-8.2.3-REL
            but looks like the rpm patch failed ???

            ==>> don't trust that rpm finished properly ?? ===

            - I reinstalled the bind patch again...

            - for now... that's where I'm pointing the finger...
            ( that it's an oops... on patch installs across the net/LAN )

            - there is also one ftp connect entry for that time
            about 3 minutes before the time stamp for cyberkit.tgz
                    ( wu-2.6.0(1) )
                    - time to patch that anonymous ftpd one ...

    by now...
    I think they've figured out that they need to bring along
    a statically linked tar separately to unpack their kit...

    have fun
    alvin
    http://www.Linux-Sec.net

    my local copy:
    http://Lsec.Linux-Consulting.com/Hacker_Tools_Found/

    - the contents of cyberkit.tgz ( not listed at packetstorm either )
            tar ztvf cyberkit.tgz

    drwxr-xr-x 834/xfs 0 2001-05-22 23:03 CyberRK/
    drwxr-xr-x 834/xfs 0 2000-09-13 02:50 CyberRK/dev/
    -rw-r--r-- 834/xfs 26 2001-05-22 23:03 CyberRK/dev/.1addr
    -rw-r--r-- 834/xfs 21 1999-09-09 08:48 CyberRK/dev/.1logz
    -rw-r--r-- 834/xfs 60 2001-02-28 21:22 CyberRK/dev/.1proc
    -rw-r--r-- 834/xfs 72 2000-06-16 21:55 CyberRK/dev/.1file
    -rwxr-xr-x 834/xfs 57452 1999-03-29 14:05 CyberRK/find
    -rwxr-xr-x 834/xfs 18 2001-04-16 11:21 CyberRK/hack
    -rwxr-xr-x 834/xfs 53364 2001-04-11 00:15 CyberRK/netstat
    -rwxr-xr-x 834/xfs 4568 2000-09-13 03:43 CyberRK/pg
    -rwxr-xr-x 834/xfs 13184 2000-08-22 11:28 CyberRK/pstree
    -rw-r--r-- 834/xfs 100424 2000-08-23 07:47 CyberRK/ssh.tgz
    -rwxr-xr-x 834/xfs 1382 2000-07-24 23:07 CyberRK/sz
    -rwxr-xr-x 834/xfs 7724 2001-05-22 23:03 CyberRK/t0rn
    -rwxr-xr-x 834/xfs 266140 1999-04-03 10:09 CyberRK/top
    -rwx------ 834/xfs 7165 1998-08-06 03:36 CyberRK/linsniffer
    -rwx------ 834/xfs 75 1999-10-28 14:11 CyberRK/logclear
    -rwxr-xr-x 834/xfs 4060 1999-03-05 06:59 CyberRK/sense
    -rwx------ qmaill/502 8268 1999-10-16 06:13 CyberRK/sl3
    drwxr-xr-x 711/users 0 2001-05-22 23:03 CyberRK/.t0rn/
    .. end of list ...
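An added example, not part of Alvin's post: a small POSIX shell script that triages a `tar ztvf` listing like the one above without unpacking the kit. It flags entries whose basename matches a standard system tool (the ones LRK/t0rn-style kits replace to hide processes, sockets and files) and entries hidden under dot-names such as `dev/.1addr` and `.t0rn/`. The listing embedded below is constructed from a few lines of the post's own output; the list of tool names is an illustrative assumption, not an exhaustive catalogue.

```shell
#!/bin/sh
# Added example (not from the original post). Triage a rootkit tarball from
# its `tar ztvf` listing: report which standard binaries it would replace and
# which hidden dot-named files/directories it ships.

# Standard tools that trojan kits typically replace (assumption: illustrative,
# extend for your own environment).
TROJANED_NAMES="find netstat top pstree ps ls ifconfig login sshd syslogd du"

# Constructed sample: a subset of the `tar ztvf cyberkit.tgz` output in the post.
SAMPLE_LISTING='drwxr-xr-x 834/xfs 0 2001-05-22 23:03 CyberRK/
-rw-r--r-- 834/xfs 26 2001-05-22 23:03 CyberRK/dev/.1addr
-rwxr-xr-x 834/xfs 57452 1999-03-29 14:05 CyberRK/find
-rwxr-xr-x 834/xfs 53364 2001-04-11 00:15 CyberRK/netstat
-rwx------ 834/xfs 7165 1998-08-06 03:36 CyberRK/linsniffer
-rwx------ 834/xfs 75 1999-10-28 14:11 CyberRK/logclear
drwxr-xr-x 711/users 0 2001-05-22 23:03 CyberRK/.t0rn/'

# flag_trojans LISTING
#   Prints one line per suspicious entry:
#     "replaces <name>"  - basename matches a standard tool
#     "hidden <path>"    - basename starts with a dot
#   Uses the last field of each tar line as the path (GNU tar -tv format).
flag_trojans() {
    printf '%s\n' "$1" | awk -v names="$TROJANED_NAMES" '
    BEGIN {
        n = split(names, a, " ")
        for (i = 1; i <= n; i++) known[a[i]] = 1
    }
    NF > 0 {
        path = $NF
        sub(/\/$/, "", path)            # drop trailing slash on directories
        nb = split(path, parts, "/")
        base = parts[nb]
        if (base in known)   print "replaces " base
        else if (base ~ /^\./) print "hidden " path
    }'
}

# count_trojans LISTING -> number of standard tools the kit would replace
count_trojans() {
    flag_trojans "$1" | grep -c '^replaces ' || true
}

# Stand-alone run: triage the constructed sample.
flag_trojans "$SAMPLE_LISTING"
echo "standard tools replaced: $(count_trojans "$SAMPLE_LISTING")"
```

On a live box the same listing comes from `tar ztvf cyberkit.tgz` (run on a clean host, never with the suspect machine's own `tar` or `find`). The post's other point, that the bind rpm may never have finished installing, is checked with `rpm -q bind` for the installed version and `rpm -V bind` to verify the package's files against the rpm database; a replaced binary such as `netstat` also shows up as a size/md5 mismatch under `rpm -V net-tools`, provided the rpm database itself was not tampered with.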