looks like a worm to me.

From: Fredrik Bergström (fredrik.bergstrom@cetevo.com)
Date: 12/20/01


From: fredrik.bergstrom@cetevo.com (Fredrik Bergström)
Date: Thu, 20 Dec 2001 13:38:38 GMT

Hello.

Some days ago when I logged into one of my servers, just to make some
small adjustments to a database, I to my surprise found that I could
not log in as root.

Strange, I thought, and called my friend who also has root access, but
he had not changed the root password.

A cold feeling swept down my back, and lots of C code scrolled by my
eyes. This server was set up for reinstallation some weeks ago, but I
had not gotten around to doing that. And it was a standard Slackware 7
installation with about 11 months of playing around with different
server software.

I ran a 'ps ax' but found nothing special, or wait a minute, the list
was quite short for this machine. There are usually lots of processes going.
I went into /etc and after running "ls -ltr" (large, time, reverse) I
found that the files host, ftpaccess, ftpusers, shadow, inetd.conf were
changed on the same date and time. A file rc.d/rc.sysinit was also
added.

Since I was not root, I could not find anything more because all those
files were root.root. I waited some hours, and then I got cold feet.
I took the bus to the server room where the server is located, and went
'linux init=/bin/bash rw' on lilo's ass. A 'passwd' and 'sync' later and
I had a new root password.

Okay, looking around the system now I found that the commands ps, ls,
netstat, named, inetd, crond and a couple more were modified.

With the ps out of order I ran a 'cat /proc/*/stat' to see what
processes the machine was running. The commands 'snif' and 'ras2xm'
looked a bit interesting, and so I hurried to shut them down.

Back to the /etc/rc.d/rc.sysinit file: this file did not have the +x
flag set, and therefore Slackware did not run it on boot.
Good thing, as this file contained one row: '/usr/bin/sourcemask'.

# cat /usr/bin/sourcemask
cd /usr/man/man1/".. "/.dir
./snif >chipsul &
/usr/bin/ras2xm -p 5139 -q

The sourcemask script starts the sniffer and the other (possible
scanning tool?). I could not find any info anywhere about those
programs or their uses, and I dare not run them outside a
controlled environment.

To continue, now I had found all the stuff. Or so I thought. The
/usr/man/man1/".. "/.dir did contain tools to backdoor and
buffer-overflow sshd, bind and wuftpd servers, and other hacking stuff.

I searched a bit on the net, and found a nice thought about running
'find / -nouser -o -nogroup' to find suspicious files on the server.
And off it went, and it found a couple of files and one directory in
/dev.

/dev/ttyp/ contained two directories, '.backup' and 'other'. .backup had my
old versions of ps, ls, inetd, inetd.conf, named and netstat. And the
'other' directory contained two scripts that seemed to configure the
appearance of the hacked ls, ps and netstat commands.

The fun in this was that /dev also contained some other files with
some fun information inside:

-----------------------------------
server:/dev# cat hdbp
2 sh
2 in.telnetd
3 rpc.rusers
3 mdump
3 chgrp
3 cron

server:/dev# cat hdaq
3 45050
3 31083

server:/dev# cat hdap
ttyp
rpc.rusers
hdaq
hdbp
hdap
lispmtopgm.2.gz
ldapdelete.2.gz
mdump

server:/dev# cat xmx
3 in.rexedcs
3 defauths dcs
3 defauths
3 rdcmound
3 rdcbac
3 w
3 s
3 psy
3 bot
3 scan
3 wus
3 klog
3 create
3 crush
3 snif
3 ras2xm
3 sourcemask

server:/dev# cat xdta
1 194.102.123.240
1 194.102.123.241
1 194.102.123.239
1 194.102.123.238
1 194.102.123.237
1 hobbiton.org
2 hobbiton.org
3 59311
3 59388
3 31471
3 51211
3 51212
3 51213
3 51214
4 6660
4 6666
4 6667
4 6668
4 6669
4 7000
4 31337
4 5555
4 31336

server:/dev#
----------------------------

The IP 194.102.123.237-241 is a Computer Club (Internet Cafe like) in
Timisoara, Romania.

Another fun detail was that with the hacker tools came two core-dump
files containing the ENV of the computers they were run on.

i686 ./scan 148 111 243 USERNAME=root ENV=/root/.bashrc HISTSIZE=1000
HOSTNAME=pirates.crsc.k12.ar.us LOGNAME=root HISTFILESIZE=1000
SSH_TTY=/dev/pts/0 MAIL=/var/spool/mail/root TERM=xterm HOSTTYPE=i386
PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin HOME=/root
INPUTRC=/etc/inputrc SHELL=/bin/bash USER=root
SSH_CLIENT=194.102.224.92 1380 5139 OSTYPE=Linux SHLVL=2 _=./scan

i686 ./ben 128.97.6.184 LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=root ENV=/root/.bashrc HISTSIZE=1000 HOSTNAME=jun-zhi.com.tw
LOGNAME=root SSH_TTY=/dev/pts/4 MAIL=/var/spool/mail/root TERM=xterm
HOSTTYPE=i386
PATH=/usr/kerberos/bin:/usr/bin:/bin:/usr/bin:/usr/X11R6/bin:/root/bin
KDEDIR=/usr HOME=/root INPUTRC=/etc/inputrc SHELL=/bin/bash USER=root
QTDIR=/usr/lib/qt-2.1.0 LANG=en_US SSH_CLIENT=194.102.123.231 1189 3
OSTYPE=Linux _=./ben SHLVL=2

The IP 194.102.224.92 is located somewhere in BOTOSANI, Romania.

Summary:

Okay. I don't have a chance of framing someone for this. And I don't
know if I want to. I have had some fun days playing and searching all
over the net for clues. And thought that it would be fun to write a
(long) posting to this newsgroup about it.

I would love some input from you all about this; I could not find any
info about the files. I found some old usenet postings in Japanese
about the file ras2xm but that's all. Is this a worm or a hacker?

Regards, Fredrik Bergström.
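The three checks Fredrik describes above (reading the process list straight from /proc when ps is trojaned, spotting the cluster of /etc files changed at one moment, and the 'find -nouser -o -nogroup' sweep) can be scripted so they rely on shell builtins and find rather than on the binaries an intruder replaces first. The script below is an added example for this archive, not code from the original post; every path is a parameter so the functions can be exercised against a constructed fake /proc tree as well as a live one, and the defaults of /proc and / are assumptions for a real system. The hidden-PID comparison goes one step beyond the post: it diffs the kernel's view in /proc against the output of ps, so a rootkit that filters ps shows up as PIDs that only /proc knows about.

```shell
#!/bin/sh
# Added example (not from the original post): independent integrity checks for a host
# whose own ps/ls/netstat are suspected to be trojaned. Paths are parameters so the
# functions run against a constructed fake /proc tree as well as the real one.

# Walk PROC_ROOT/<pid>/stat with shell builtins only (no ps, no cat), printing "pid comm".
# The comm field is the text between the first '(' and the last ')' on the line, which
# is why the match is anchored on both ends instead of splitting on spaces.
list_proc_names() {
    proc_root=${1:-/proc}
    for s in "$proc_root"/[0-9]*/stat; do
        [ -r "$s" ] || continue
        IFS= read -r line < "$s" || [ -n "$line" ] || continue
        pid=${line%% *}
        comm=${line#*\(}
        comm=${comm%\)*}
        printf '%s %s\n' "$pid" "$comm"
    done
}

# Print "pid comm" for every process present under PROC_ROOT but absent from PS_LIST,
# a file holding one PID per line as written by `ps -e -o pid=`. A non-empty result
# means ps is hiding processes (or one exited between the two snapshots; rerun to confirm).
hidden_pids() {
    proc_root=$1
    ps_list=$2
    list_proc_names "$proc_root" | while read -r pid comm; do
        grep -qE "^[[:space:]]*${pid}[[:space:]]*$" "$ps_list" \
            || printf '%s %s\n' "$pid" "$comm"
    done
}

# Files under DIR modified after REF_FILE and no later than UNTIL_FILE: everything
# touched in the same window as a known-tampered file, i.e. the post's "ls -ltr in /etc"
# observation done with find instead of a possibly trojaned ls. Touch two reference
# files with `touch -t` to bracket the window.
files_changed_between() {
    dir=$1
    ref=$2
    until=$3
    find "$dir" -xdev -type f -newer "$ref" ! -newer "$until" -print | sort
}

# The post's orphan-file sweep: files whose uid or gid maps to no local account, the
# usual signature of a toolkit unpacked from a tarball built on another machine.
orphan_files() {
    find "${1:-/}" -xdev \( -nouser -o -nogroup \) -print
}

# Live usage on a suspect host (assumed paths):
#   ps -e -o pid= > /tmp/ps.pids
#   hidden_pids /proc /tmp/ps.pids
#   touch -t 200112160859 /tmp/from; touch -t 200112160901 /tmp/to
#   files_changed_between /etc /tmp/from /tmp/to
#   orphan_files /
```

Run the commands from a boot medium or at least from a shell started with a known-good PATH; the /proc walk is only as trustworthy as the kernel, so a kernel-level rootkit is out of scope for this check, which is exactly the case where the offline 'find' over a mounted disk image remains useful.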


