Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: SSH compiled with backdoor
From: Peter Kosinar (gooberksp.sk)
Date: Wed Aug 31 2005 - 19:24:27 CDT
This mail has been originally sent to the original poster's address but
(what a surprise :-) ) it bounced because of the phony address he used.
Therefore, I'm sending it here...
> According to john, a couple of users had weak passwords, but root seemed
> well protected. From looking in all the bash_history, it appears the
> hacker came in from the website account, and did an su from there.
Hmm... did you perform some kind of post-mortem analysis of the system?
For example, did you find the john.pot file, where JTR stores the cracked
passwords? Did the /lib/java directory contain any interesting data? Did
you find the way the attacker used to obtain root (assuming that the
password wasn't cracked)?
> I found this about a month later when I logged into the box, did an ls,
> only to be met by a seg fault. A ps x showed mech.tgz trying to be
'ls' causing segfault is a common symptom of installed rootkit. Did you
look for some other misbehaving programs? In fact, as you are running a
2.4 series kernel, it might be a kernel-level rootkit called SucKit, which
is, according to my experience, quite popular among .ro badguys.
[Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278