Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Scott Fendley (scottf_at_uark.edu)
Date: Tue Jul 16 2002 - 10:37:20 CDT
Personally, what I would be doing in this case is looking at the majority
of files in /bin, /sbin and maybe /usr/bin (if it isn't the same as /bin)
and comparing md5 checksums with a known-good source. Most likely the
intruder left other droppings in there if they used a standard
rootkit. If things like ps, ls, ifconfig, netstat and other similar
utilities do not match up, then you can find out which rootkit they
used. If they do match the good ones, I would still worry about an LKM
rootkit being in place. At that point I would be prepared to dd the
entire hd off to the side, and run Autopsy and The Coroner's Toolkit (TCT)
against the image and see what useful information you can garner that way.
In any case, that machine has been intruded on. Don't trust it. If you
plan on looking at it for forensic evidence, then dd the partitions so
that you know you haven't accidentally tampered with the filesystem or
deleted inodes that may give you a better clue of what happened and in
what order.
Well hope that helps give you some ideas of where to go now.
Scott
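The checksum comparison described above, as an added example that is not part of this thread: a POSIX sh script that builds an MD5 manifest of /bin, /sbin and /usr/bin on a clean install of the same release and then checks the suspect filesystem, mounted read-only from the dd image, against it. The manifest format (hash, two spaces, absolute path), the mount point and the function names are this example's assumptions. It goes slightly beyond the text in also reporting files that are in the manifest but missing from the suspect system.

```shell
#!/bin/sh
# Added example, not from the original thread.  Compare binaries on a suspect
# filesystem against an MD5 manifest produced on a clean install of the same
# release.  Manifest format ("<md5>  <absolute path>") and the mount point
# /mnt/evidence are assumptions of this example.

# Print the MD5 of $1 using whatever trusted tool is on PATH.  On a suspect
# host, put statically linked copies of these tools (from clean media) first
# on PATH so the possibly trojaned /bin/md5 is never run.
hashfile() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# build_manifest ROOT DIR...
#   Run on the clean reference install.  Prints one manifest line per
#   regular file under each DIR, with ROOT stripped from the path so the
#   same manifest can be applied to a dd image mounted elsewhere.
build_manifest() {
    root=$1; shift
    for d in "$@"; do
        find "$root$d" -type f | while read -r f; do
            printf '%s  %s\n' "$(hashfile "$f")" "${f#"$root"}"
        done
    done
}

# verify_manifest MANIFEST ROOT
#   ROOT is where the suspect filesystem is mounted read-only
#   (e.g. /mnt/evidence), so /bin/ls is checked as ROOT/bin/ls.
#   Prints one line per MODIFIED or MISSING file; returns 1 if any.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r want path; do
        [ -z "$path" ] && continue          # skip blank lines
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        got=$(hashfile "$f")
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $path (expected $want got $got)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Usage:
#   clean box:   build_manifest / /bin /sbin /usr/bin > manifest.md5
#   analysis box: mount -o ro /dev/vnd0a /mnt/evidence
#                 verify_manifest manifest.md5 /mnt/evidence
```

Matching hashes only prove the files on disk are unchanged; with an LKM rootkit in place the running kernel can lie about file contents, which is why the check belongs on the dd image on another machine rather than on the live host.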
On Tue, 16 Jul 2002, Mark Ruth wrote:
> I would rather call this a backdoor, unless you can find
> some other modified programs like ps, ls, ... or at least a kernel module.
> There's a little difference between a rootkit and a trojaned sshd.
>
> regards
>
> >
> >
> > Hello.
> >
> > Recently one of my OpenBSD 3.0 boxes got compromised. The
> > attacker used OpenSSH exploit and installed trojaned sshd
> > binary. There were obvious signs of compromise:
> >
> > <root@svrtr:/root:251># ls -al /usr/sbin/sshd
> > -rwxr-xr-x  1 root  wheel  966656 Oct 18  2001 /usr/sbin/sshd*
> > <root@svrtr:/root:252># md5 /usr/sbin/sshd
> > MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d
> > <root@svrtr:/root:253># ldd /usr/sbin/sshd
> > ldd: /usr/sbin/sshd: not a dynamic executable
> > <root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
> > OpenSSH_3.4
> >
> > 1) The installed version is 3.4, but OpenBSD 3.0 ships with 3.0, and the
> > file modification date is earlier than the 3.4 release date.
> >
> > 2) The binary is statically linked and therefore much larger than the
> > original sshd.
> >
> > 3) It was installed with different perms (0755) from the original (0555).
> >
> > I've compared a good OpenSSH 3.4 binary with the compromised one
> > and found the following:
> >
> > --- s1 Sun Jul 14 08:48:17 2002
> > +++ s2 Sun Jul 14 08:48:26 2002
> > @@ -6,9 +6,10 @@
> > -@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
> > +grOet2CS62G4k
> > +@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
> > [...]
> > -nobody
> > +daemon
> > [...]
> > +/etc/sshd_config
> > [...]
> > -Connection refused by tcp wrapper
> > -libwrap refuse returns
> > [...]
> > -/usr/src/usr.bin/ssh/sshd/../sshd.c
> > +/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
> > [...]
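Review bot: the one added string that is not a version tag, `+grOet2CS62G4k`, is 13 characters drawn from the [a-zA-Z0-9./] set, exactly the length and alphabet of a traditional crypt(3) DES hash, so it should be treated as a likely hard-coded backdoor password hash: crack it offline and search the full diff for the code that references it, rather than only noting it. The removed `Connection refused by tcp wrapper` and `libwrap refuse returns` strings show the replacement was built without libwrap, so any hosts.allow/hosts.deny rules that restricted the stock sshd no longer apply to it. The two version tags also date the build: the stock tag is from 2002/06/26 and the replacement's from 2002/06/30, yet the file carries an Oct 18 2001 mtime, so the timestamp was set back (or the builder's clock was wrong) rather than the binary being old. Finally, `/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c` is the builder's own source tree compiled into the binary, a fingerprint worth searching for on other hosts.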
> >
> > Full diff output can be found at:
> >
> > http://www.frasunek.com/sshd_diff.gz
> >
> > And compromised sshd binary:
> >
> > http://www.frasunek.com/sshd_rooted.gz
> >
> > --
> > * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> > * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
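The four indicators the original post checked by hand against /usr/sbin/sshd (claimed version vs. the version the OS release ships, mtime vs. the release date of the claimed version, static vs. dynamic linking, file mode), as an added example that is not code from the post: one sh function that runs them against a single binary and reports each mismatch. It pulls the embedded version out with tr and grep rather than strings(1). The argument names and the release timestamps in the usage line are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.  Run the poster's four manual
# checks against one binary.  On a suspect host use ls/ldd/tr/grep/find from
# trusted media.  Release dates (touch -t format, YYYYMMDDhhmm) are supplied
# by the caller; the ones in the usage comment are this example's assumptions.

# claimed_version BINARY  -> every "OpenSSH_x.y" string embedded in the file.
claimed_version() {
    tr -c '[:print:]' '\n' < "$1" | grep -o 'OpenSSH_[0-9][0-9A-Za-z.]*' | sort -u
}

# sshd_triage BINARY SHIPPED_VERSION STOCK_MODE CLAIMED_RELEASE_TS
#   SHIPPED_VERSION     what the OS release installs, e.g. OpenSSH_3.0
#   STOCK_MODE          ls -l mode string of the stock file, e.g. -r-xr-xr-x
#   CLAIMED_RELEASE_TS  release date of the version the binary claims; a file
#                       modified before that date cannot be a genuine build
# Prints one finding per line and returns 1 if there was at least one.
sshd_triage() {
    bin=$1; shipped=$2; stock_mode=$3; release_ts=$4; findings=0

    found=$(claimed_version "$bin")
    if [ "$found" != "$shipped" ]; then
        echo "VERSION  claims '$found', release ships $shipped"
        findings=1
    fi

    # mtime at or before the release date of the claimed version
    ref=$(mktemp)
    touch -t "$release_ts" "$ref"
    if [ -n "$(find "$bin" ! -newer "$ref")" ]; then
        echo "MTIME    predates release $release_ts of the claimed version"
        findings=1
    fi
    rm -f "$ref"

    # the stock sshd is dynamically linked; a static one was built elsewhere
    if command -v ldd >/dev/null 2>&1 && ldd "$bin" 2>&1 | grep -qi 'not a dynamic'; then
        echo "STATIC   not a dynamic executable (stock sshd is dynamic)"
        findings=1
    fi

    mode=$(ls -ld "$bin" | cut -c1-10)
    if [ "$mode" != "$stock_mode" ]; then
        echo "MODE     $mode, stock file is $stock_mode"
        findings=1
    fi
    return $findings
}

# Usage on a mounted image, assuming OpenSSH 3.4 was released 2002-06-26:
#   sshd_triage /mnt/evidence/usr/sbin/sshd OpenSSH_3.0 -r-xr-xr-x 200206260000
```

None of these checks is conclusive on its own (an admin may legitimately have upgraded sshd), which is why the post pairs them with a diff of the strings output against a known-good build of the same version.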