RE: hpd, afb, sc, and sn
From: Bojan Zdrnja (Bojan.Zdrnja@FER.hr)
Date: 12/21/02
- Previous message: Curt Wilson: "TsInternetUser priv. escalation; blank passwords; service passwords"
- In reply to: Gordon Chamberlin: "hpd, afb, sc, and sn"
- Next in thread: deadcalm@treshna.com: "Re: hpd, afb, sc, and sn"
From: "Bojan Zdrnja" <Bojan.Zdrnja@FER.hr>
To: "'Gordon Chamberlin'" <glac@visualize.com>, <incidents@securityfocus.com>
Date: Sat, 21 Dec 2002 16:16:27 +0100
> -----Original Message-----
> From: Gordon Chamberlin [mailto:glac@visualize.com]
> Sent: 20 December 2002 22:12
> To: incidents@securityfocus.com
> Subject: hpd, afb, sc, and sn
>
>
> The contents of hpd are:
> #!/bin/sh
> /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
> /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null
The rootkit doesn't seem familiar to me, but this is almost certainly some
backdoor service listening on port 7000 (the -p flag), which your nmap
showed later.
You can maybe try telnetting to localhost port 7000 to see what banner
you get.
> According to an rpm -V, all kinds of binaries have been
> changed: ps, top, netstat, ifconfig, ...
>
> I copied a good version of ps in and found the two afb
> processes running.
Well, if you didn't see the afb processes before (with the old ps), your machine
is 100% compromised, with the binaries of common utilities changed.
> Anyone know about this hack, what afb does and/or how they
> usually get in?
If you can post those files, people can analyze them.
In any case, I'd suggest making an image of the machine's HDD (for later
analysis) and reinstalling everything from scratch, as it's pretty
obvious someone started a rootkit on it.
Also, you can try starting chkrootkit on your machine to see what output
you'll get.
The latest version was released yesterday (v0.38), so I'd suggest downloading
it and running it on the compromised machine:
Best regards,
Bojan Zdrnja
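As an added defender-side example (not part of the original thread), here is a small POSIX shell triage that applies the advice above: it filters `rpm -V` output down to non-config executables whose size, mode or MD5 changed, and pulls the `-p` listener ports out of the quoted hpd startup script so they can be compared against what a clean netstat or nmap shows. The `rpm -Va` sample lines are constructed to resemble the post's findings; they are not output from the compromised host.

```sh
#!/bin/sh
# Constructed sample of `rpm -Va` output modelled on the post (not real data).
# Field 1 is the verify string (rpm 4.0 order: S=size M=mode 5=MD5 D=device
# L=symlink U=user G=group T=mtime); an optional "c" marks a config file.
SAMPLE_RPM_V='S.5....T   /bin/ps
S.5....T   /usr/bin/top
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
.......T   /usr/bin/login
S.5....T c /etc/issue
.M......   /usr/bin/passwd
missing    /usr/bin/wall'

# The hpd startup script as quoted in the thread.
HPD_SCRIPT='#!/bin/sh
/usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
/usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null'

# flag_trojaned: read rpm -V lines on stdin and print "<path> <flags>" for
# every non-config file under a system bin directory whose size, mode or
# MD5 no longer matches the package database. A bare mtime change (T) is
# ignored; a replaced binary almost always changes size and checksum too.
flag_trojaned() {
    awk '
    $1 == "missing" { next }          # file deleted, not replaced in place
    {
        flags = $1; path = $NF
        if ($2 == "c") next           # config files are expected to differ
        if (path !~ /^\/(bin|sbin|usr\/bin|usr\/sbin)\//) next
        if (flags ~ /[SM5]/) print path, flags
    }'
}

# count_trojaned: number of suspicious binaries in the constructed sample.
count_trojaned() {
    printf '%s\n' "$SAMPLE_RPM_V" | flag_trojaned | wc -l | tr -d ' '
}

# backdoor_ports: the -p arguments hpd hands to afb, i.e. the TCP ports a
# clean netstat/nmap listing should be checked against (prints "5 7000").
backdoor_ports() {
    printf '%s\n' "$HPD_SCRIPT" \
      | awk '/afb/ { for (i = 1; i < NF; i++) if ($i == "-p") print $(i + 1) }' \
      | sort -n | tr '\n' ' ' | sed 's/ $//'
}

printf '%s\n' "$SAMPLE_RPM_V" | flag_trojaned
echo "backdoor ports: $(backdoor_ports)"
```

On a live host, replace the constructed sample with `rpm -Va` run against a trusted copy of rpm, since the rootkit may have swapped that binary as well.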
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Next message: deadcalm@treshna.com: "Re: hpd, afb, sc, and sn"