Re: any1 stumbled across eCkit ?

From: Fredrik Ostergren (fredrik.ostergren@freebox.com)
Date: 11/29/01


Date: 29 Nov 2001 09:55:44 -0000
Message-ID: <20011129095544.14471.qmail@mail.securityfocus.com>
From: Fredrik Ostergren <fredrik.ostergren@freebox.com>
To: incidents@securityfocus.com
Subject: Re: any1 stumbled across eCkit ?


Mailer: SecurityFocus
In-Reply-To: <3.0.5.32.20011126231858.01d7f750@192.168.168.1>

>Received: (qmail 27995 invoked from network); 26 Nov 2001 22:50:15 -0000
>Received: from outgoing3.securityfocus.com (HELO outgoing.securityfocus.com) (66.38.151.27)
>  by mail.securityfocus.com with SMTP; 26 Nov 2001 22:50:15 -0000
>Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
>  by outgoing.securityfocus.com (Postfix) with QMQP
>  id 6A9F1A3118; Mon, 26 Nov 2001 15:17:42 -0700 (MST)
>Mailing-List: contact incidents-help@securityfocus.com; run by ezmlm
>Precedence: bulk
>List-Id: <incidents.list-id.securityfocus.com>
>List-Post: <mailto:incidents@securityfocus.com>
>List-Help: <mailto:incidents-help@securityfocus.com>
>List-Unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
>List-Subscribe: <mailto:incidents-subscribe@securityfocus.com>
>Delivered-To: mailing list incidents@securityfocus.com
>Delivered-To: moderator for incidents@securityfocus.com
>Received: (qmail 6601 invoked from network); 26 Nov 2001 22:18:56 -0000
>Message-Id: <3.0.5.32.20011126231858.01d7f750@192.168.168.1>
>X-Sender: pvzweden@192.168.168.1
>X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
>Date: Mon, 26 Nov 2001 23:18:58 +0100
>To: incidents@securityfocus.com
>From: Patrick van Zweden <patrick@vanzweden.nl.eu.org>
>Subject: Re: any1 stumbled across eCkit ?
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"
>
>At 16:40 26-11-2001 -0500, you wrote:
>>
>> Can you tell us more about what programs were altered and
>>what directories you found the rootkit in?
>
>Sure.
>
>They tried to alter ps, dir, top, slocate, lsof, ifconfig, netstat, md5sum,
>pstree, syslogd, in.fingerd, ls and installed a trojaned ssh. Most
>modifications failed due to the immutable bit which is set on most important
>binaries. Also xntps was installed which is a trojaned ssh daemon. The
>xntps read its config file from /lib/lblip.tk and listened on port 48883.
>Also installed (but not used on my system) were libproc.a and libproc.so
>version 2.0.6. I guess they are installed to hide some process.

tk = t0rnkit.

A well-known rootkit which is common in the
scriptkiddie world. A lot of different versions
circulating. Try doing strings ps | grep /
and check for suspicious strings. Go check those
files and you will find the controlling file. Also check
the ls trojan for the same stuff.

>In /lib/ldd.so/ I found the patch script and a file called td. Strings
>revealed that it is some kind of testing program but I don't know for sure.

Probably not tfn2k, more likely it's stacheldraht which
is also often included with those different t0rnkit
versions.

>Well, that's it so far. I'm currently looking for more suspicious things.
>Luckily they installed programs which require glibc, which doesn't exist
>on the system. So searching for the string GLIBC reveals a lot.
>
>If you like I can send you the whole stuff I've found so far.

Contact me at press@alldas.de if you need more info
or if you want me to do an analysis or something.
Thanks!

/ Fredrik
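The two triage checks described in this thread, Fredrik's "strings ps | grep /" to locate the trojan's controlling file and Patrick's search for GLIBC strings on a system that ships no glibc, as an added shell example that is not code from either poster. It reimplements the strings(1) step with tr and grep so it runs without binutils, and the allowlist of "normal" directories, the helper names and the constructed sample file are assumptions made for the example; the path /lib/lblip.tk and the GLIBC tag come from the reports above.

```shell
#!/bin/sh
# Added example (not from the thread): portable "strings | grep" triage of
# suspect binaries, following the two checks described in the thread:
#   1. strings <binary> | grep /   -> odd file paths, e.g. the rootkit's
#      controlling/config file (/lib/lblip.tk in Patrick's report)
#   2. GLIBC_x.y symbol-version tags -> binary built against a glibc the
#      victim system does not have
# Uses tr/grep/sed only, so it works where strings(1) is not installed.
LC_ALL=C; export LC_ALL

# Directories a legitimate system binary may plausibly reference.
# This allowlist is an assumption for the example; tune it per system.
ALLOWED_RE='^(/proc|/dev|/etc|/bin|/sbin|/usr/bin|/usr/sbin|/usr/lib|/usr/share|/var/run|/tmp)(/|$)|^/lib/ld-|^/lib/lib[a-z0-9]+\.so'

# Poor man's strings(1): printable runs of at least 4 characters, one per line.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# The "grep /" step: every whitespace-separated token that starts with a slash.
list_paths() {
    extract_strings "$1" | tr ' ' '\n' | grep '^/'
}

# Paths outside the allowlist: candidates for the controlling file.
unexpected_paths() {
    list_paths "$1" | grep -vE "$ALLOWED_RE"
}

# GLIBC_x.y symbol-version strings (what Patrick searched for).
glibc_refs() {
    extract_strings "$1" | grep -E 'GLIBC_[0-9]+\.[0-9]+'
}

# Exit 0 (suspicious) if the binary carries GLIBC tags or unexpected paths.
flag_binary() {
    if glibc_refs "$1" | grep -q .; then
        return 0
    fi
    unexpected_paths "$1" | grep -q .
}

# Constructed sample "binary" (not a real file from the incident): fake ELF
# header, a normal /proc reference, a GLIBC tag and a config path like the
# one in the thread.
make_sample() {
    printf '\177ELF\002\001\001\000/proc/%%d/stat\000\001GLIBC_2.0\000xx\000/lib/lblip.tk\000\003' > "$1"
}

# Demo: triage the constructed sample, then any binaries given as arguments,
# e.g.  sh triage.sh /bin/ps /bin/ls /bin/netstat
sample=$(mktemp)
make_sample "$sample"
for bin in "$sample" "$@"; do
    if flag_binary "$bin"; then
        echo "SUSPICIOUS: $bin"
        unexpected_paths "$bin" | sed 's/^/  path:  /'
        glibc_refs "$bin" | sed 's/^/  glibc: /'
    else
        echo "ok: $bin"
    fi
done
rm -f "$sample"
```

On the constructed sample the script reports /lib/lblip.tk as an unexpected path and GLIBC_2.0 as a glibc reference. Any path it prints is a lead to inspect, not proof on its own: a kit that keeps its config under an allowlisted directory slips past the path filter, so the list of directories is a starting point to adjust, and the check is best run alongside the immutable-bit inspection (lsattr) Patrick relied on and a comparison of the binaries against known-good package checksums.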

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com