Re: Possible break in

From: Alexandros Kyriakides (alex1_at_MIT.EDU)
Date: 03/22/04

  • Next message: Thorsten Holz: "Re: Possible break in"

    Date: Mon, 22 Mar 2004 12:22:00 -0500 (EST)
    To: ben <ben@electricfork.com>


    I had run strings on it too, and tried to find some of the strings on
    Google, but no luck. I actually searched for some of the following:

    Folosire:
    %s <uivfp> [args]
    u - Uninstall
    i - Pid invizibil
    v - Pid vizibil
    f [0/1] - Fisiere ascunse
    p [0/1] - Piduri ascunse
    Nu am reusit sa il dezinstalez (%d)
    Nu am reusit sa ascund pidul %d (%d)
    Nu am reusit sa arat pidul %d (%d)
    Failed to change %s hiding (%d)!
    Versiune: %s

    But I didn't find anything useful. I guess I should have searched for some
    of the other strings as well.

    I'm reading up on the suckit rootkit now. I added a new hard disk on the
    compromised host, and installed RH9 on it so that I can investigate the
    files on the old compromised disk. Hopefully the logs will shed some light
    on how the intruder got in.

    Thank you very much for your help.

    alex.

    On Mon, 22 Mar 2004, ben wrote:

    > Just ran strings against the two files. dbproc looks like a version of
    > the suckit rootkit, gnorp didn't look familiar to me. I'd check the
    > timestamps on the two files and do a find on your system for files that
    > have been written to your filesystem since that date. then look closer
    > at any said files, and logs generated during that time.
    >
    > -Ben
    > On Mar 22, 2004, at 10:31 AM, Alexandros Kyriakides wrote:
    >
    > >
    > > I am wondering if anyone can give me some help with this incident. The
    > > only related thing I found on-line was this:
    > >
    > > http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html
    > >
    > >
    > >
    > > The box I have is running linux mandrake 8.0. What I have found until
    > > now is the following:
    > >
    > >
    > > 1) Two new binary files:
    > >
    > > /usr/bin/dbproc
    > > /usr/bin/gnorp
    > >
    > >
    > >
    > > 2) Appended at the end of inittab and rc.local:
    > >
    > > inittab:
    > > a:2345:once:/usr/bin/dbproc
    > > a:2345:once:/bin/end
    > >
    > > rc.local:
    > > #Starting gnorp
    > > /usr/bin/gnorp
    > > #The End
    > > /bin/end
    > >
    > >
    > > 3) lsattr gives:
    > >
    > > suS-iadAcj--- /etc/inittab
    > > suS-iadAcj--- /etc/rc.local
    > >
    > >
    > >
    > >
    > > Has anyone seen this before? I am also interested in finding out how
    > > this happened, if possible. Any help is greatly appreciated.
    > >
    > >
    > > The two binary files can be found at:
    > >
    > > http://web.mit.edu/alex1/www/binaries/
    > >
    > >
    > > -----------------------------------------------------------------------
    > > ----
    > > Free 30-day trial: firewall with virus/spam protection, URL filtering,
    > > VPN,
    > > wireless security
    > >
    > > Protect your network against hackers, viruses, spam and other risks
    > > with Astaro
    > > Security Linux, the comprehensive security solution that combines six
    > > applications in one software solution for ease of use and lower total
    > > cost of
    > > ownership.
    > >
    > > Download your free trial at
    > > http://www.securityfocus.com/sponsor/Astaro_incidents_040301
    > > -----------------------------------------------------------------------
    > > -----
    > >
    >
    >

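The three checks the thread converges on (Ben's "find files written since that date", Alex's lsattr output showing the immutable/append-only flags, and the inittab/rc.local entries that start the new binaries) as an added example that is not part of the original mail or the rootkit analysis. The script below builds a constructed miniature of the compromised disk in a temp directory (paths, timestamps and file contents are all made up for the demo, except the inittab/rc.local lines copied from Alex's report) and runs the checks against it; the lsattr output is fed from a constructed string because ext2 attributes cannot be set on an arbitrary temp filesystem.

```shell
#!/bin/sh
# Added triage example (not from the thread). Rebuilds, under a temp dir, a
# miniature of the picture Alex reported and runs the checks Ben suggested.
# Everything created by make_sample_root is constructed for the demo.
LC_ALL=C
export LC_ALL

# Lay out a fake mounted disk. Timestamps use POSIX touch -t (CCYYMMDDhhmm.SS);
# dbproc, at 2004-03-15 03:12:00, serves as the reference file.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/bin" "$root/bin" "$root/etc" "$root/var/log"
  printf 'stock binary\n'   > "$root/usr/bin/ls";     touch -t 200401100800.00 "$root/usr/bin/ls"
  printf 'suspect binary\n' > "$root/usr/bin/dbproc"; touch -t 200403150312.00 "$root/usr/bin/dbproc"
  printf 'suspect binary\n' > "$root/usr/bin/gnorp";  touch -t 200403150312.30 "$root/usr/bin/gnorp"
  printf 'dropped helper\n' > "$root/bin/end";        touch -t 200403150313.00 "$root/bin/end"
  printf 'id:3:initdefault:\na:2345:once:/usr/bin/dbproc\na:2345:once:/bin/end\n' > "$root/etc/inittab"
  touch -t 200403150313.00 "$root/etc/inittab"
  printf '#!/bin/sh\n#Starting gnorp\n/usr/bin/gnorp\n#The End\n/bin/end\n' > "$root/etc/rc.local"
  touch -t 200403150313.00 "$root/etc/rc.local"
  printf 'Mar 20 09:00:00 host syslogd: restart\n' > "$root/var/log/messages"
  touch -t 200403200900.00 "$root/var/log/messages"
  printf '%s\n' "$root"
}

# Check 1 (Ben's "find ... since that date"): regular files under root $1 with
# an mtime strictly newer than reference file $2, printed relative to $1.
find_newer_than() {
  find "$1" -type f -newer "$2" | sed "s|^$1||" | sort
}

# Check 2: read lsattr(1) output ("flags path") on stdin and print every path
# carrying the immutable (i) or append-only (a) attribute. Either flag stops
# even root from editing or unlinking the file until chattr -ia clears it.
flag_locked_files() {
  while read -r flags path; do
    case $flags in
      *i*|*a*) printf '%s\n' "$path" ;;
    esac
  done
}

# Check 3: for each path read on stdin, show the inittab/rc.local lines under
# root $1 that reference it, as "file:line" (relative to $1).
report_startup_refs() {
  while read -r p; do
    grep -F -e "$p" "$1/etc/inittab" "$1/etc/rc.local" 2>/dev/null || true
  done | sed "s|^$1||" | sort -u
}

# Constructed lsattr output: the two lines from Alex's report plus a clean
# file for contrast.
SAMPLE_LSATTR='suS-iadAcj--- /etc/inittab
suS-iadAcj--- /etc/rc.local
------------- /etc/passwd'

# Demo run, chaining the checks the way one would on the mounted old disk.
demo() {
  root=$(make_sample_root)
  echo "== files modified after /usr/bin/dbproc =="
  find_newer_than "$root" "$root/usr/bin/dbproc"
  echo "== files with i/a attributes (from lsattr output) =="
  printf '%s\n' "$SAMPLE_LSATTR" | flag_locked_files
  echo "== startup entries referencing the newer files =="
  find_newer_than "$root" "$root/usr/bin/dbproc" | report_startup_refs "$root"
  rm -rf "$root"
}
demo
```

On the real disk mounted read-only at, say, /mnt/old, the same functions run as `find_newer_than /mnt/old /mnt/old/usr/bin/dbproc` and `lsattr -R /mnt/old/etc | flag_locked_files`. Two caveats: `-newer` is a strict comparison, so the reference file itself and anything written in the same second is not listed, and a rootkit installer can reset mtimes, so an empty result narrows the search but does not clear the box; the log review Ben mentions is still needed.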

