Re: hpd, afb, sc, and sn
From: Greg Barnes (greg@ins.com)
Date: 12/20/02
- Previous message: gminick: "Re: hpd, afb, sc, and sn"
- In reply to: Gordon Chamberlin: "hpd, afb, sc, and sn"
- Next in thread: Brad Arlt: "Re: hpd, afb, sc, and sn"
Date: Fri, 20 Dec 2002 16:19:04 -0600
From: Greg Barnes <greg@ins.com>
To: Gordon Chamberlin <glac@visualize.com>
Gordon,
Check out:
http://www.ebagu.com/hacked.html
Friday, December 20, 2002, 3:11:31 PM, you wrote:
GC> I found suspicious looking files on a Redhat 7.1 Linux server earlier
GC> today. Can anyone confirm or deny that the machine has been hacked?
GC> The files:
GC> /usr/bin/hpd
GC> /usr/bin/afb
GC> /usr/bin/sn
GC> The following line is in /etc/rc.local:
GC> /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null
GC> The contents of hpd are:
GC> #!/bin/sh
GC> /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
GC> /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null
GC> nmap reports the following ports open:
GC> Port State Service
GC> 5/tcp open rje
GC> 22/tcp open ssh
GC> 25/tcp open smtp
GC> 53/tcp open domain
GC> 80/tcp open http
GC> 111/tcp open sunrpc
GC> 443/tcp open https
GC> 808/tcp open unknown
GC> 1024/tcp open kdm
GC> 3306/tcp open mysql
GC> 7000/tcp open afs3-fileserver
GC> 8009/tcp open ajp13
GC> According to an rpm -V, all kinds of binaries have been changed: ps,
GC> top, netstat, ifconfig, ...
GC> I copied a good version of ps in and found the two afb processes
GC> running.
GC> Anyone know about this hack, what afb does and/or how they usually get
GC> in?
GC> Embarrassedly,
GC> -Gordon
-
Regards,
Greg Barnes DotDot: greg at ins.com
CISA/CISSP RingRing: 918-630-3228
CCSA/CCSE BeepBeep: 800-467-1467
"But, alas, how frequently, how almost
universal it is in an author to persuade
himself of the truth of his own dogmas."
--Darwin
PGP Fingerprint:
723E 7CAD 4EF5 D904 1EE8 5279 71A5 A594 E6A7 C48E
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
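An added triage helper (example code written for this page, not from either poster): it parses `rpm -V` output to list non-config binaries whose size or MD5 changed, the pattern Gordon saw for ps, top and netstat, and walks rc.local for commands that no package owns, which `rpm -V` never inspects because it only verifies packaged files. The sample `rpm -V` output, the rc.local text and the packaged-file set are constructed; real package ownership would come from `rpm -qf`.

```python
"""Triage helpers for the rpm -V and rc.local checks discussed in the thread (added example)."""
import os
import re
import shlex
from typing import Dict, List, Set

# rpm 4.0-era verify line: 8 flag chars (S size, M mode, 5 md5, D dev, L link,
# U user, G group, T mtime) or "missing", optional attribute (c = config), path.
_VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGT.]{8}|missing)\s+(?P<attr>[cdglr]\s+)?(?P<path>/\S+)$"
)

# Constructed sample output; mirrors the binaries the original post lists as changed.
SAMPLE_RPM_V = """\
S.5....T   /bin/ps
S.5....T   /usr/bin/top
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
S.5....T c /etc/rc.local
.......T   /usr/share/doc/procps-2.0.7/README
missing    /usr/bin/w
"""

# Constructed rc.local, using the persistence line quoted in the post.
SAMPLE_RC_LOCAL = """\
#!/bin/sh
touch /var/lock/subsys/local
/usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null
"""

# Constructed stand-in for "rpm -qf" ownership of every file on the box.
PACKAGED = {"/bin/ps", "/bin/netstat", "/sbin/ifconfig", "/usr/bin/top",
            "/bin/touch", "/etc/rc.local"}

def parse_rpm_verify(output: str) -> Dict[str, dict]:
    """Map each reported path to its verify flags and config-file marker."""
    entries = {}
    for line in output.splitlines():
        m = _VERIFY_RE.match(line.strip())
        if m:
            entries[m.group("path")] = {"flags": m.group("flags"),
                                        "config": (m.group("attr") or "").strip() == "c"}
    return entries

def changed_binaries(entries: Dict[str, dict]) -> List[str]:
    """Non-config files whose size or MD5 changed: content replaced, not just touched."""
    return sorted(p for p, e in entries.items()
                  if not e["config"] and e["flags"] != "missing"
                  and ("5" in e["flags"] or "S" in e["flags"]))

def unowned_commands(rc_local: str, packaged: Set[str]) -> List[str]:
    """Absolute command paths run from rc.local that no package owns (normalises /usr/bin/./x)."""
    found = []
    for line in rc_local.splitlines():
        toks = shlex.split(line) if line.strip() and not line.lstrip().startswith("#") else []
        if toks and toks[0].startswith("/"):
            path = os.path.normpath(toks[0])
            if path not in packaged and path not in found:
                found.append(path)
    return found
```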