looks like a worm to me.

From: Fredrik Bergström (fredrik.bergstrom@cetevo.com)
Date: 12/20/01

From: fredrik.bergstrom@cetevo.com (Fredrik Bergström)
Date: Thu, 20 Dec 2001 13:38:38 GMT


Some days ago when I logged into one of my servers, just to make some
small adjustments to a database. I to my surprise found that I could
not login as root.

Strange I thought, and called my friend who also have root access, but
he had not changed the root password.

A cold feeling swept down my back, and lots of C code scrolled by my
eyes. This server was set up for reinstallation some weeks ago, but I
had not come around doing that. And it was a standard Slackware 7
installation with about 11 months of playing around with different
server softwares.

I ran a 'ps ax' but found nothing special, or wait a minute, the list
was quite short for this machine. Its usually lots of processes going.
I went into /etc and after running "ls -ltr" (large, time, reverse) I
found that the files host, ftpaccess, ftpusers, shadow, inetd.conf was
changed on the same date and time. A file rc.d/rc.sysinit was allso

Since I was not root, I could not find anything more because all those
files was root.root . I waited some hours, and then I got cold feet.
I took the bus to the server room where the server is located, and
'linux init=/bin/bash rw' on lilo's ass. An 'passwd' and 'sync' later
I had a new root password.

Okay, looking around the system now I found that the commands ps, ls,
netstat, named, inetd, crond and a couple more was modified.

With the ps out of order I ran a 'cat /proc/*/stat' to see what
processes the machine was running. The commands 'snif' and 'ras2xm'
looked a bit interesting, and so I hurried to shut them down.

Back to the /etc/rc.d/rc.sysinit file, this file did not have the +x
flag set, and therefore slackware did not run it on boot.
Good thing, this file contained one row '/usr/bin/sourcemask'.

# cat /usr/bin/sourcemask
cd /usr/man/man1/".. "/.dir
./snif >chipsul &
/usr/bin/ras2xm -p 5139 -q

The sourcemask script starts the sniffer and the other ( possible
scanning tool? ) I could not find any info anywhere about those
programs or their uses, and I dare not to run them outside a
controlled environment.

To continue, now I had found all the stuff. Or so I thought. The
/usr/man/man1/".. "/.dir did contain tools to backdoor and
bufferoverflow sshd, bind and wuftpd servers and other hacking stuff.

I searched a bit on the net, and found a nice thought about running
'find / -nouser -o -nogroup' to find suspicious files on the server.
And of it went, and it found a couple of files and one directory in

/dev/ttyp/ contained two directories '.backup' and 'other'. .backup
had my
old version of ps, ls, inetd, inetd.conf, named and netstat. And the
'other' directory contained two scripts that seemed to configure the
appearance of the hacked ls, ps and netstat commands.

The fun in this was that /dev also contained some other files with
some fun information inside:

server:/dev# cat hdbp
2 sh
2 in.telnetd
3 rpc.rusers
3 mdump
3 chgrp
3 cron

server:/dev# cat hdaq
3 45050
3 31083

server:/dev# cat hdap

server:/dev# cat xmx
3 in.rexedcs
3 defauths dcs
3 defauths
3 rdcmound
3 rdcbac
3 w
3 s
3 psy
3 bot
3 scan
3 wus
3 klog
3 create
3 crush
3 snif
3 ras2xm
3 sourcemask

server:/dev# cat xdta
1 hobbiton.org
2 hobbiton.org
3 59311
3 59388
3 31471
3 51211
3 51212
3 51213
3 51214
4 6660
4 6666
4 6667
4 6668
4 6669
4 7000
4 31337
4 5555
4 31336


The IP is a Computer Club (Internet Cafe like) in
Timisoara, Romania.

Another fun detail was that with the hacker tools came two core-dump
files containing the ENV of the conputers they where run on.

i686 ./scan 148 111 243 USERNAME=root ENV=/root/.bashrc HISTSIZE=1000
HOSTNAME=pirates.crsc.k12.ar.us LOGNAME=root HISTFILESIZE=1000
SSH_TTY=/dev/pts/0 MAIL=/var/spool/mail/root TERM=xterm HOSTTYPE=i386
PATH=/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin HOME=/root
INPUTRC=/etc/inputrc SHELL=/bin/bash USER=root
SSH_CLIENT= 1380 5139 OSTYPE=Linux SHLVL=2 _=./scan

i686 ./ben LESSOPEN=|/usr/bin/lesspipe.sh %s
USERNAME=root ENV=/root/.bashrc HISTSIZE=1000 HOSTNAME=jun-zhi.com.tw
LOGNAME=root SSH_TTY=/dev/pts/4 MAIL=/var/spool/mail/root TERM=xterm
KDEDIR=/usr HOME=/root INPUTRC=/etc/inputrc SHELL=/bin/bash USER=root
QTDIR=/usr/lib/qt-2.1.0 LANG=en_US SSH_CLIENT= 1189 3
OSTYPE=Linux _=./ben SHLVL=2

The IP is located somewhere in BOTOSANI, Romania.


 Okay. I don't have a chance framing someone for this. And I don't
 know if I want to. I have had some fun days playing and searching all
 over the net for clues. And thought that I would be fun to write a
 (long) posting to this newsgroup about it.

I would love some input from you all about this, I could not find any
info about the files. I found some old usenet postings on Japanese
about the file ras2xm but thats all. Is this a worm or a hacker?

Regards, Fredrik Bergström.