Re: Possible break in
From: Chris Albert (albert at dms.umontreal.ca)
Date: Mon Mar 22 2004 - 10:07:32 CST
Alexandros Kyriakides wrote:
>I am wondering if anyone can give me some help with this incident. The
>only related thing I found on-line was this:
>
>http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html
>
>The box I have is running Linux Mandrake 8.0. What I have found until now
>is the following:
>
>1) Two new binary files:
>
>/usr/bin/dbproc
>/usr/bin/gnorp
>
gnorp just runs dbproc, which looks like it is part of a rootkit for
hiding processes.
Running strings on that will show the location of other files (tabbed
out). Some of the text is in Romanian (English in brackets below):
<snip strings output>
Can't open a tty, all in use ?
Can't fork subshell, there is no way...
HOME=/usr/include/rpms
HISTFILE=/dev/null
SHELL=/bin/bash
TERM=linux
pqrstuvwxyzabcde
0123456789abcdef
/dev/ptmx
/dev/pty
/dev/tty
/dev/null
/bin/sh
Can't execve shell!
Start...
FUCK: (%d)
Pid=%d
/usr/include/rpms/.rc
Folosire:                              [Usage:]
%s <uivfp> [args]
u - Uninstall
i - Pid invizibil                      [i - invisible pid]
v - Pid vizibil                        [v - visible pid]
f [0/1] - Fisiere ascunse              [f [0/1] - hidden files]
p [0/1] - Piduri ascunse               [p [0/1] - hidden pids]
Nu am reusit sa il dezinstalez (%d)    [Could not uninstall it (%d)]
Nu am reusit sa ascund pidul %d (%d)   [Could not hide pid %d (%d)]
Nu am reusit sa arat pidul %d (%d)     [Could not show pid %d (%d)]
Failed to change %s hiding (%d)!
Versiune: %s                           [Version: %s]
Dezinstalat                            [Uninstalled]
Pidul %d e ascuns                      [Pid %d is hidden]
Pidul %d e vizibil                     [Pid %d is visible]
file
%s hiding is now %s!
__kmalloc
/dev/kmem
RK_Init: idt=0x%08x,
sct[]=0x%08x,
FUCK: Can't find kmalloc()!
kmalloc()=0x%08x, gfp=0x%x
FUCK: Out of kernel memory!
Done, %d bytes, base=0x%08x
FUCK: Can't open %s for read/write (%d)
FUCK: IDT table read failed (offset 0x%08x)
FUCK: Can't find sys_call_table[]
FUCK: Can't read syscall %d addr
Z_Init: Allocating kernel-code memory...
core
/sbin/initrpms
Fuck mai e o gasca pe aici %d          [Fuck, there's another gang around here %d]
0123456789abcdefghijklmnopqrstuvwxyz
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
<NULL>
/dev/null
1.3b
rpms
/usr/include/rpms/zero.so
/proc/
/proc/net/
socket:[
/sbin/init
/sbin/initrpms
login
telnet
rlogin
rexec
passwd
adduser
mysql
ssword:
</snip>
Chris
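An added triage helper for the reply above (my code, not Chris's or the original poster's, and not part of the thread). Fed a strings dump like the one quoted, it pulls out every absolute path the binary references (the "location of other files" Chris mentions), sorts the strings into indicator categories, and diffs the PIDs ps reports against the entries in /proc to look for hidden processes. The category names, indicator word lists and function names are my own assumptions; SAMPLE is a subset of the strings output quoted in the reply.

```python
"""Triage helper for a 'strings' dump like the one quoted above.

Added example for this thread, not code from the original post. It pulls
out the absolute paths a suspect binary references, sorts the strings into
indicator categories, and diffs ps against /proc to look for hidden PIDs.
The category names, indicator word lists and function names are my own
(assumptions); SAMPLE is a subset of the strings output quoted in the reply.
"""
import os
import re
import subprocess
import sys
from collections import defaultdict

# Subset of the strings output quoted in the reply above.
SAMPLE = """\
HOME=/usr/include/rpms
HISTFILE=/dev/null
/usr/include/rpms/.rc
__kmalloc
/dev/kmem
RK_Init: idt=0x%08x,
FUCK: Can't find sys_call_table[]
/sbin/initrpms
/usr/include/rpms/zero.so
/proc/
/sbin/init
login
telnet
passwd
ssword:
"""

# Substrings whose presence in a userland binary is suspicious, grouped by
# what they imply.  Lists are my own choice (assumption), drawn from the dump.
INDICATORS = {
    "kernel-memory patching": ["/dev/kmem", "__kmalloc", "sys_call_table", "idt="],
    "process/file hiding":    ["/proc/", "hiding", "invizibil", "ascuns"],
    "init replacement":       ["/sbin/initrpms"],
    "credential sniffing":    ["ssword:", "telnet", "rlogin", "rexec", "passwd"],
    "shell history evasion":  ["HISTFILE=/dev/null"],
}

PATH_RE = re.compile(r"/[\w./-]+")


def extract_paths(dump):
    """Absolute paths named in the dump, in first-seen order: these are the
    files and directories to go and inspect (from a clean boot medium)."""
    paths = []
    for p in PATH_RE.findall(dump):
        if p not in paths:
            paths.append(p)
    return paths


def classify(dump):
    """Map each indicator category to the dump lines that hit it."""
    hits = defaultdict(list)
    for line in dump.splitlines():
        for category, needles in INDICATORS.items():
            if any(n in line for n in needles):
                hits[category].append(line.strip())
    return dict(hits)


def hidden_pids(ps_pids, proc_entries):
    """PIDs that exist as /proc entries but are missing from ps output.

    A rootkit that hooks the directory-listing syscall in the kernel hides
    from both views, so an empty result does not clear the box; a non-empty
    one is a strong hit.
    """
    in_proc = {int(e) for e in proc_entries if e.isdigit()}
    return sorted(in_proc - set(ps_pids))


def live_hidden_pids():
    """Run the ps-vs-/proc diff on the current host (Linux only)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return hidden_pids([int(p) for p in out.split()], os.listdir("/proc"))


if __name__ == "__main__":
    # Usage: strings /usr/bin/dbproc > dump.txt; python3 triage.py dump.txt
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("Paths referenced:")
    for p in extract_paths(dump):
        print("  ", p)
    for category, lines in classify(dump).items():
        print(f"{category}: {lines}")
    if sys.platform.startswith("linux"):
        print("PIDs in /proc but not in ps:", live_hidden_pids())
```

The caveat that matters here: the dump shows the binary opening /dev/kmem, looking up kmalloc and the syscall table, so once it is installed every syscall on the live box can lie, including the ones ps, ls and strings themselves rely on. Run the checks from a clean boot medium, compare /sbin/init and /sbin/initrpms (the pairing suggests init was replaced and the original renamed) against known-good copies, and treat /usr/include/rpms as the place the rest of the kit lives.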