A friend's cable modem Linux machine just got compromised

From: Sam Trenholme (abiword_bugs@yahoo.com)
Date: 05/01/02

Date: Wed, 1 May 2002 03:18:57 -0500 (CDT)
From: Sam Trenholme <abiword_bugs@yahoo.com>
To: incidents@securityfocus.com

Hello there,

A friend's cable modem Linux machine was very recently
compromised; the attackers obtained root access on the
machine and modified certain system binaries in an
attempt to hide their tracks.

Anyway, it looked like they were hiding a program
called 'xntps'. In addition, they had a modified
md5sum which would generate bogus sums for the
trojaned system files.

I did not have an opportunity to perform a full
post-mortem system audit--the person is 300 miles away
and my first priority was to get him to get off the
'net and reinstall his system. However, I was able
to download the trojaned 'md5sum' and 'xntps' files.

While studying Linux binaries without source is beyond
my feeble abilities, I have determined that the
modified md5sum binary attempts to read the file
/dev/srd0 and write to the file /tmp/behsdf; I suspect
the "bogus" sums are in /dev/srd0.

The system was a default rh7.1 install; I suspect that
they got in via the wu-ftpd globbing exploit.

Friends don't let friends run wu-ftpd.

- Sam

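A defender-side check in the spirit of the post (an added example, not Sam's code and not anything recovered from the compromised host): hash files with Python's own hashlib instead of trusting the host's md5sum, and flag binaries whose embedded strings contain the paths and program name the post mentions. The manifest format and the sample blobs are constructed for illustration.

```python
"""Independent integrity check for a host whose md5sum may be trojaned.

Two ideas from the incident above:
  1. Never hash with the suspect machine's own md5sum; compute MD5
     in-process (or from trusted media) and compare with a known-good
     manifest taken from somewhere the intruder could not touch.
  2. A replaced binary often embeds the paths it uses; a strings(1)-style
     scan for the indicators named in the post is a cheap first triage.
"""
import hashlib
import re

# Indicators quoted in the post: the trojan's data file, its scratch file,
# and the hidden program name. Extend with your own as needed.
SUSPICIOUS_STRINGS = (b"/dev/srd0", b"/tmp/behsdf", b"xntps")


def independent_md5(data: bytes) -> str:
    """MD5 computed by Python itself, so a replaced /usr/bin/md5sum cannot lie."""
    return hashlib.md5(data).hexdigest()


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """Roughly what strings(1) does: runs of printable ASCII of min_len or more."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_indicators(blob: bytes) -> list:
    """Return the indicator strings embedded in the binary, in order of first hit."""
    hits = []
    for s in printable_strings(blob):
        for ind in SUSPICIOUS_STRINGS:
            if ind in s and ind not in hits:
                hits.append(ind)
    return hits


def verify_against_manifest(data_by_path: dict, manifest: dict) -> dict:
    """Map each path to True if its independent MD5 matches the known-good
    manifest (a constructed {path: hexdigest} dict), False otherwise."""
    return {p: independent_md5(d) == manifest.get(p) for p, d in data_by_path.items()}


# Constructed samples (not the real files): a fake ELF-like blob that embeds
# the post's paths, and a clean-looking one that does not.
SAMPLE_TROJAN = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"/dev/srd0\x00"
                 + b"\x00" * 8 + b"/tmp/behsdf\x00" + b"r\x00w\x00")
SAMPLE_CLEAN = b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"/usr/share/locale\x00"

if __name__ == "__main__":
    print("trojan indicators:", find_indicators(SAMPLE_TROJAN))
    print("clean indicators:", find_indicators(SAMPLE_CLEAN))
```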

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com