Howdy

one of the machines on my network was rooted a week or so ago ... pretty
basic acually considering the machine wa snot updated in months...

anyway ..

I ran all the rootkit scanners and found nothing appart from a possible
RH-Sharp which I could not find any info about ..
here is some details from the hack ..

two directories was created names of

emech and muie

emech seems to have contained a eggdrop of sorts .. nothing unusuall there
..

muie was more interresting..

Apprt from the infected files which was used to try and hide the hack there
was a file called crontab-entry which bacisally catted all system info and
mailed it to uglykidmail.com

other directories inside was adore-0.34 and adore-42 ... the .c files had a
header containing 2001 by Stealth -- http://spider.scorpions.net/~stealth

ettercap which I assume was a ethersniffer or scanner .. from the strings ..
more like a scanner ..

filez which seems to contain info of the hackfiles / netstat / ps / syslog
information .. used I think by the infected files to hide the info contained
in them ..

another mech directory .. and a sshd directory ...

files that were infected are : atd.init chsh clean crontab-entry du find
functions ifconfig inet install install.log killall ls lsof md5sum netstat
ps pstree sense shad slice sshd stealth sysinfo
syslogd syslogd.init top vadim wp xinetd

Lastly there was a file called vanish which I assume he used to clear out
the logs of he's entry ..

hope this helps somebody ... if you need the acuall binaries .. .I still
have them

Hent Smith

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]