Re: ssh 1.2.1 Root compromise

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 03/28/02


    < Tim Tassonis
    8<
    >ldd snif actually reports:
    >/usr/bin/ldd: no such file or directory

    If you really did `cd /usr/info/emacx-1.gz/.qzq/;ldd snif`, ldd may be a
    trojaned version that hides snif. /dev/ttyo* has no 'snif' entry.
    This means there is another rootkit configuration file, or a hard-coded
    'snif' string in ldd. This can be investigated with `strings ldd|grep snif`.

    >After looking into this with strace, the reason is a missing:
    >/usr/share/locale/en_US/LC_MESSAGES/libc.mo

    libc.mo seems like a trojaned version of the shared library libc. Is there
    an /etc/ld.so.preload file and a libc.mo file somewhere? Or /etc/ld.so.*
    are tampered with. This can be investigated with `echo $LD_PRELOAD $LD_LIBRARY_PATH`
    and `ldconfig -p`.

    >A lot of lines look similar to this:
    >193.170.255.26 => 194.6.179.3 [21]
    >193.170.255.26 is at the left side 16 times.

    If the above is not your IP, perhaps it's the intruder's IP, or an FTP proxy,
    FTP bouncer or local-port-to-remote-port redirector (or eggdrop?) is
    running.

    -- 
    Best Regards, RainbowHat. I support FULL DISCLOSURE.
    ----+----1----+----2----+----3----+----4----+----5----+----6----+----7
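The checks suggested in the reply above (a hard-coded name inside ldd, entries in /etc/ld.so.preload and LD_PRELOAD, a ".mo" file posing as a shared library), scripted as an added example that is not part of the original thread. ROOT is an assumed mount point of the suspect filesystem; the trojaned-ldd and preload-file contents in the comments are constructed, not taken from the compromised host.

```shell
#!/bin/sh
# Added example, not from the original thread. ROOT is a hypothetical
# mount point of the suspect disk (use / on the live box, or the mount
# point of a copied image).

# 1. Does a binary carry a hard-coded name it has no business knowing
#    (a trojaned ldd that hides "snif")?  Prints yes or no.
#    Printable-run extraction is done with tr so it works without binutils.
binary_mentions() {
    bin="$1"; name="$2"
    if [ -r "$bin" ] && tr -c '[:print:]' '\n' < "$bin" | grep -q -- "$name"
    then echo yes; else echo no; fi
}

# 2. List every library the dynamic loader is told to preload:
#    non-blank lines of ROOT/etc/ld.so.preload plus the LD_PRELOAD variable.
preload_entries() {
    root="${1:-}"
    if [ -r "$root/etc/ld.so.preload" ]; then
        grep -v '^[[:space:]]*$' "$root/etc/ld.so.preload" || true
    fi
    printf '%s\n' "${LD_PRELOAD:-}" | tr ' :' '\n\n' | grep -v '^$' || true
}

# 3. Flag preload entries that look wrong: a ".mo" (gettext catalog name)
#    used as a shared object, a library living under LC_MESSAGES, or a
#    library loaded from a scratch directory.  Prints the offending
#    entries; returns 0 if any were found, 1 if the list is clean.
suspicious_preloads() {
    found=1
    for lib in $(preload_entries "$1"); do
        case "$lib" in
            *.mo|*/LC_MESSAGES/*|/tmp/*|/var/tmp/*|/dev/*) echo "$lib"; found=0 ;;
        esac
    done
    return $found
}
```

A clean system returns "no" from `binary_mentions "$ROOT/usr/bin/ldd" snif` and a non-zero status from `suspicious_preloads "$ROOT"`; either result going the other way is what the reply calls for investigating.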