Subject: Re: I am not afraid. I have been hit by something, maybe you can help.
From: Andrew Hatfield (andrewABSOFT.COM.AU)
Date: Sun Aug 13 2000 - 18:56:37 CDT


This is the Linux Root Kit you have been hit with. It was used to attack a
number of hosts in Australia earlier in the year.

One of my servers was infected, and I suspect used as part of the DDOS
against Amazon (not that I like Amazon), and Yahoo!.

The only completely safe way to make sure you are not infected is to
reinstall the machine.

Once the attacker has root access, they change
cron
login
passwd
netstat
ps

and some other things that I can't remember off the top of my head.

If I can find the threads from SEBLUG (South East Brisbane Linux Users
Group - http://merlin.hatfields.com.au/seblug/) I will forward them on if
you're interested.

--
Andrew Hatfield

Absoft (Qld) Pty Ltd Po Box 8072 Woolloongabba QLD 4101 Ph. (07) 3844-0500 Fx. (07) 3844-0399 http://www.absoft.com.au/

-----Original Message-----
From: Focus on Linux Mailing List [mailto:FOCUS-LINUXSECURITYFOCUS.COM] On Behalf Of Sean Foley
Sent: Saturday, 12 August 2000 2:03 PM
To: FOCUS-LINUXSECURITYFOCUS.COM
Subject: [FOCUS-LINUX] I am not afraid. I have been hit by something, maybe you can help.

This looks like something new. My site has been up for only a few weeks or so, and nothing really critical has been exposed to the world. Before this I was being rather lax about allowing telnet connections because I am away from the site and have to work on it in my spare time, I am moving to ssh tonight.

It started just yesterday, all logins are using a terminal type of "dumb". I have to set my terminal type manually now if I want to run anything useful in a text terminal. I think the hacker has changed the login exec for all users, somehow through telnet.

I found their stinky trail in two places, please take a look at the following output from the two affected systems. achem is running RH 6.2 (zoot) and angel is a RH 6.0 (Hedwig) box. I am not going to hide the addresses that the slime used to do this; they may have been spoofed but I doubt that was possible with my filters:

angel.mydomain.com ls -algctr /usr/sbin, /bin, /sbin, /usr/bin, /dev
...
drwxr-xr-x   2 root     root         1024 Aug 10 16:26 .backup
drwxr-xr-x  18 root     root         1024 Aug 10 20:09 ..
prw-------   1 root     root            0 Aug 11 16:32 initctl
...
---------below I see the sleaze connect pattern in /var/log/secure
Aug 10 16:24:43 angel in.telnetd[991]: connect from 209.208.201.115
Aug 10 16:24:58 angel in.telnetd[992]: connect from 209.209.18.197

-----------------------On my other affected host...
achem.mydomain.com$ ls -algctr /usr/sbin, /bin, /sbin, /usr/bin, /dev
...
drwxr-xr-x   2 root     root         1024 Aug 10 20:24 .backup
drwxr-xr-x  17 root     root         1024 Aug 10 20:24 ..
...
--------what a surprise, the sleazy ***holes connected to my laptop 4 hours later from the same hosts

in /var/log/secure
Aug 10 20:21:35 achem in.telnetd[1125]: connect from 209.208.201.115
Aug 10 20:23:37 achem in.telnetd[1126]: connect from 209.209.18.197

**********************
In the /dev/.backup directories on both machines there is a binary called login.

Thanks for looking at this, I am relatively new to Linux, but I am not afraid. I would like to know if anyone has seen these symptoms and if you know of the best way to get my logins back to the normal terminal type. Any resource suggestions would be super cool.

Sean
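A quick triage sweep for the two signs reported in this thread (the dot-named /dev/.backup directory, and the cron/login/passwd/netstat/ps binaries the reply says get replaced), written as an added example for this page and not taken from either poster. It assumes a POSIX sh with find; the package check uses rpm -V and is skipped where rpm is absent. The script name sweep.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: sweep a host for the two signs
# reported above: dot-named directories under /dev (the /dev/.backup drop
# point) and, where rpm exists, suspect binaries that no longer match their
# package. Assumes POSIX sh plus find; rpm is optional (RH 6.x has it).

# Binaries the reply says the rootkit replaces.
SUSPECT_BINS="cron login passwd netstat ps"

# count_hidden_dirs ROOT: number of dot-named directories below ROOT.
count_hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' 2>/dev/null | wc -l | tr -d ' '
}

# find_hidden_dirs ROOT: print dot-named directories below ROOT (e.g. /dev/.backup).
# Returns 1 when at least one is found, 0 when the tree is clean.
find_hidden_dirs() {
    hits=$(find "$1" -mindepth 1 -type d -name '.*' 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# verify_bins: for each suspect binary, find the owning package and let
# rpm -V report attribute mismatches (a "5" in the flags means the digest
# changed). Returns 1 when any binary is unpackaged or modified.
verify_bins() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; skipping package verification"
        return 0
    fi
    rc=0
    for b in $SUSPECT_BINS; do
        for p in /bin/$b /sbin/$b /usr/bin/$b /usr/sbin/$b; do
            [ -x "$p" ] || continue
            if ! pkg=$(rpm -qf "$p" 2>/dev/null); then
                echo "NOT PACKAGED: $p"; rc=1; continue
            fi
            if out=$(rpm -V "$pkg" 2>/dev/null | grep " $p\$"); then
                echo "MODIFIED: $p ($pkg): $out"; rc=1
            fi
        done
    done
    return $rc
}
# Usage: sh sweep.sh --scan   (script name is hypothetical)
if [ "${1:-}" = "--scan" ]; then
    find_hidden_dirs /dev || echo "hidden directory found under /dev"
    verify_bins || echo "a suspect binary is unpackaged or differs from its package"
fi
```

A trojaned login that passes rpm -V is still possible if rpm or its database was tampered with, which is why the reply's advice to reinstall is the only fully reliable answer.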