can't seem to find these tools/rootkit anywhere ..

From: Henti Smith (bain@reaper.org)
Date: 07/10/02


From: "Henti Smith" <bain@reaper.org>
To: <incidents@securityfocus.com>
Date: Wed, 10 Jul 2002 01:14:15 +0200

Howdy

one of the machines on my network was rooted a week or so ago ... pretty
basic actually, considering the machine was not updated in months...

anyway ..

I ran all the rootkit scanners and found nothing apart from a possible
RH-Sharp, which I could not find any info about ..
here are some details from the hack ..

two directories were created, named

emech and muie

emech seems to have contained an eggdrop of sorts .. nothing unusual there ..

muie was more interesting..

Apart from the infected files, which were used to try and hide the hack, there
was a file called crontab-entry which basically catted all system info and
mailed it to uglykid@mail.com

other directories inside were adore-0.34 and adore-42 ... the .c files had a
header containing 2001 by Stealth -- http://spider.scorpions.net/~stealth

ettercap, which I assume was an ethersniffer or scanner .. from the strings ..
more like a scanner ..

filez, which seems to contain info on the hack files / netstat / ps / syslog
information .. used, I think, by the infected files to hide the info contained
in them ..

another mech directory .. and an sshd directory ...

files that were infected are: atd.init chsh clean crontab-entry du find
functions ifconfig inet install install.log killall ls lsof md5sum netstat
ps pstree sense shad slice sshd stealth sysinfo
syslogd syslogd.init top vadim wp xinetd

Lastly there was a file called vanish, which I assume he used to clear out
the logs of his entry ..

hope this helps somebody ... if you need the actual binaries ... I still
have them

Hent Smith

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
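Editor's note on the post above: with ps, netstat, ls, find and even md5sum in the list of replaced binaries, nothing that runs on the box can be trusted to show what is on it, and the adore sources suggest the kernel was hooked as well. The one on-host check that still gives useful signal is a cross-view diff: probe every PID directly with kill(pid, 0) and compare against what ps and a readdir() of /proc are willing to show. The script below is an added example written for this page, not code from the post or from adore, chkrootkit or any other tool it names; the function names, the constructed sample ps output, the constructed /proc listing and the PID 2048 standing in for a hidden eggdrop are all assumptions made for the example.

```python
#!/usr/bin/env python3
"""Cross-view check for processes hidden from ps and from readdir() on /proc.

Added example, not from the post.  A trojaned ps drops entries from its own
output and a kernel module can hide them from the /proc directory listing,
but a brute-force probe with kill(pid, 0) still reaches the process.  Any
PID the probe finds that one of the visible views omits is hidden.
"""
import os
import subprocess
from typing import Callable, Iterable, List, Set


# --- the two "visible" views the attacker's binaries control --------------

def pids_from_ps_output(text: str) -> Set[int]:
    """PIDs from `ps -e -o pid=`, `ps -e -o pid,comm`, `ps -ef` or `ps aux`.
    The first all-digit field on a line is the PID in all of those layouts
    (header lines carry no digit-only field and are skipped)."""
    pids: Set[int] = set()
    for line in text.splitlines():
        for field in line.split():
            if field.isdigit():
                pids.add(int(field))
                break
    return pids


def pids_from_proc_listing(entries: Iterable[str]) -> Set[int]:
    """PIDs visible through readdir() on /proc: numeric directory names only."""
    return {int(e) for e in entries if e.isdigit()}


# --- the harder-to-fool view: probe every PID directly --------------------

def probe_pid_exists(pid: int) -> bool:
    """kill(pid, 0) sends nothing but reports whether the PID exists.
    EPERM still means the process exists (it belongs to another user)."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def brute_force_pids(max_pid: int,
                     probe: Callable[[int], bool] = probe_pid_exists) -> Set[int]:
    """Every PID in 1..max_pid the probe reaches.  `probe` is injectable so
    the check can be exercised on constructed data."""
    return {pid for pid in range(1, max_pid + 1) if probe(pid)}


def hidden_pids(probed: Set[int], visible: Set[int]) -> Set[int]:
    """PIDs the probe reaches that the visible view does not show."""
    return probed - visible


def stable_hidden(rounds: List[Set[int]]) -> Set[int]:
    """Intersect several rounds so processes that started or exited between
    the probe and the ps snapshot (a race, not a rootkit) drop out."""
    if not rounds:
        return set()
    result = set(rounds[0])
    for r in rounds[1:]:
        result &= r
    return result


# --- constructed sample input: four honest processes, one hidden one ------
SAMPLE_PS = """  PID COMMAND
    1 init
  412 syslogd
  977 sshd
 1303 bash
"""
SAMPLE_PROC = ["1", "412", "977", "1303", "self", "cpuinfo", "net", "sys"]
SAMPLE_LIVE = {1, 412, 977, 1303, 2048}   # 2048 answers kill() but is listed nowhere


def sample_probe(pid: int) -> bool:
    """Stand-in for probe_pid_exists() over the constructed data."""
    return pid in SAMPLE_LIVE


def live_check(rounds: int = 3) -> Set[int]:
    """Run the check on this host (Linux with /proc mounted).  A PID must be
    shown by BOTH ps and readdir(/proc) to count as visible, so hiding from
    either view is flagged."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    seen: List[Set[int]] = []
    for _ in range(rounds):
        ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                            text=True, check=True).stdout
        visible = pids_from_ps_output(ps) & pids_from_proc_listing(os.listdir("/proc"))
        seen.append(hidden_pids(brute_force_pids(max_pid), visible))
    return stable_hidden(seen)


if __name__ == "__main__":
    demo = hidden_pids(brute_force_pids(4096, sample_probe), pids_from_ps_output(SAMPLE_PS))
    print("sample data, hidden PIDs:", sorted(demo))
    if os.path.isdir("/proc"):
        print("this host, hidden PIDs:", sorted(live_check()))
```

Two caveats when using this on a real box. A hit is a lead, not proof: kernels mounting /proc with hidepid=1 or hidepid=2 legitimately hide other users' process directories, and kill(pid, 0) on a foreign PID can be refused on some hardened setups, so confirm any flagged PID from a clean boot (a live CD) before drawing conclusions. And the only trustworthy integrity check for the replaced binaries is a hash taken from that clean boot against vendor media; the host's own md5sum was in the replaced list, so its output proves nothing.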


