Re: Anyone know this rootkit (rootkits?) (details and files attached)

From: steveg (steveg@stevegcentral.com)
Date: 07/27/02


Date: Fri, 26 Jul 2002 15:01:16 -0700 (PDT)
From: steveg <steveg@stevegcentral.com>
To: Steve Bougerolle <steveb@creek-and-cowley.com>


This looks like a mix of a few different kits.
The binaries seem to match the BeastKit, but the sauber script (called
cleaner here) came from the t0rn kit.

Basically I think it's a mix of a few very common kits rolled up into one.
There might be some new "features" to this one.

On 27 Jul 2002, Steve Bougerolle wrote:

> Ok I went in to clean this up today and managed to save some files. The
> extent of one rootkit is pretty clear but there are still some leftover
> files that I don't know about. I rebuilt the whole server, not trusting
> the old system at all. Interestingly, even though I didn't touch the
> original (corrupted) partition, when I mounted it from the new system to
> extract a couple of the rootkit dirs, some files had disappeared. The
> entire directory /dev/\ \ \ was gone. I'm not sure if this is because
> I remounted it with nodev, nosuid and noexec (seems unlikely) or if this
> is explained by some mysterious hanging it used to engage in when shut
> down the "usual" way (ie, it was cleaning up after itself every time it
> shut down).
>
>
> That particular rootkit seems to have been saved (in original form) in
> /tmp as cashu.tgz, as near as I can tell, so I've re-compressed &
> attached that. It set up compromised versions of ps, ls, netstat, lpd,
> ifconfig, find, top, lsof, slocate, dir, md5sum, pstree, sshd, ftpd and
> ipop3d, doing some clever stuff with checksums and what not (which makes
> me wonder if the gross ease of finding these files means there's another
> hidden part somewhere that I never did find).
>
> It created a fake library called /lib/lidps1.so and installed a
> subverted libproc.so as well. It also created a user tty1, whose home
> directory contains another rootkit that points to a directory /dev/.id.
> The executables mentioned there seem to reappear in another directory
> /dev/.so
>
> All that is pretty clear. However, there are still a few other
> suspicious files around, and if they're connected I haven't found the
> connection yet. /etc/passwd had some more mysterious users added from
> somewhere - cgi, r00t, cisco and liloboot (the root userid was weirdly
> corrupted as well) - I've attached the suspicious parts of this file. In
> /usr/sbin there are a couple binaries which had been set immutable:
> pidof and xntp3. Hooks for the latter had been added twice to the end
> of rc.sysinit, sandwiching the sshd hook.
>
> This server was sitting behind a firewall, and supposedly all ports were
> blocked except for http, which is routed to it via NAT. Thus, unless
> our local ISP is lying (which is quite possible) I'm guessing it came by
> an Apache exploit.
>
> Can anyone ID it? I've searched for the most obvious text strings
> already and not turned up anything which rang a bell.
>
> Files:
>
> http://www.creek-and-cowley.com/cashu.tar.bz2
> http://www.creek-and-cowley.com/suspicious_files.tar.bz2
>
> --
> Steve Bougerolle
> Creek & Cowley Consulting
>
> http://www.creek-and-cowley.com
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

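The indicators Steve describes (extra uid-0 accounts, dot-directories under /dev, a service hook appended to rc.sysinit more than once) can be checked offline on a mounted copy of the old partition. The script below is an added example, not from the thread; the image it inspects is a constructed sample built in a temp dir, and the function names are my own.

```shell
#!/bin/sh
# Added example: triage checks for the indicators described in the thread,
# run against an offline-mounted root at $IMG. The sample image below is
# constructed here for illustration, not taken from the compromised server.
set -u

# Accounts other than root that carry uid 0 (cgi, r00t style additions).
uid0_users() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Dot-directories directly under /dev, where the kit parked /dev/.id and /dev/.so.
hidden_dev_dirs() {
  find "$1/dev" -mindepth 1 -maxdepth 1 -type d -name '.*' | sed "s|^$1||" | sort
}

# /usr/sbin hooks that appear more than once in rc.sysinit (xntp3 was added twice).
duplicate_rc_hooks() {
  grep -o '/usr/sbin/[a-z0-9]*' "$1" | sort | uniq -d
}

# Build the constructed sample image.
IMG=$(mktemp -d)
mkdir -p "$IMG/dev/.id" "$IMG/dev/.so" "$IMG/dev/pts" "$IMG/etc"
cat > "$IMG/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
cgi:x:0:0::/tmp:/bin/sh
r00t:x:0:0::/:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
tty1:x:500:500::/home/tty1:/bin/bash
EOF
cat > "$IMG/etc/rc.sysinit" <<'EOF'
# constructed tail of rc.sysinit
/usr/sbin/xntp3 -q
/usr/sbin/sshd
/usr/sbin/xntp3 -q
EOF

uid0_users "$IMG/etc/passwd"              # cgi, r00t
hidden_dev_dirs "$IMG"                    # /dev/.id, /dev/.so
duplicate_rc_hooks "$IMG/etc/rc.sysinit"  # /usr/sbin/xntp3
```

On the real mounted partition, `lsattr -R /mnt/old/usr/sbin` additionally lists the immutable (`i`) flag on binaries like the pidof and xntp3 mentioned above, which a plain `ls -l` will not show.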

