Found, a new rootkit

Greetings folks;

In doing some checking of a web server, we found an IRC port open on
31377, one of the black hatters' favorites, a port that portsentry was
supposed to be rejecting but wasn't.

We stumbled over several items over the last few days, but the most
obvious one was a directory called .sk, located in /usr/share/misc.

Its payload seemed fairly simple: to make an underground IRC chat server
out of the box.

It does this with a shell script that echoes several kilobytes of octal
strings to gzip in unpack mode, redirected to a file in the local directory
called .sk, and it contains a login replacement also. We did not find
that the login was the one installed, however, which may be a clue that
there's even more smoke in this camp than what we've found yet.

The execution installs it with cp .sk /usr/bin/apmd, but puts it
in /usr/bin as opposed to the real apmd's location of /usr/sbin, and
adds a starter line so it's enabled on boot to something we haven't
found yet. It also appears to start a third instance of portsentry
somehow.

We've cut our bandwidth use in half by getting rid of that. We also
checked the logs and added several dozen more addresses
to /etc/hosts.deny, including many script-based password-guess attempts
that didn't get in. And put portsentry in its most paranoid anal mode,
with a few additions yet.

Just thought everybody would like to know about this bit of black hat
tomfoolery.

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon' and the dot, which bypasses vz's
stupid bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
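An added example, not part of Gene's post or of any Fedora tooling: a small POSIX shell script that checks a filesystem tree for the indicators the post describes (the /usr/share/misc/.sk directory, a planted /usr/bin/apmd where the genuine apmd lives in /usr/sbin, a boot-time line that starts the planted binary, and a listener on the IRC port), and that adds an address to /etc/hosts.deny the way the post describes doing. The port number 31377 is taken as the post gives it. The ROOT prefix argument is an assumption of this example so the check can be run against a mounted image or a constructed test tree as well as the live system; the guess that the unlocated "starter line" lives somewhere under /etc is also an assumption, and the sample addresses used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): look for the indicators
# described in the post. ROOT is a path prefix ("" means the live system)
# so the same checks can run against a mounted disk image or a test tree.
# Port 31377 is the number the post gives.

SK_PORT=31377

# sk_check ROOT: print one "FOUND:" line per indicator present under ROOT.
# Returns 0 if anything was found, 1 if the tree looks clean.
sk_check() {
    root="$1"
    hits=0

    # The dropped working directory the post names.
    if [ -d "$root/usr/share/misc/.sk" ]; then
        echo "FOUND: $root/usr/share/misc/.sk (dropper directory)"
        hits=$((hits + 1))
    fi

    # The genuine apmd lives in /usr/sbin; a copy under /usr/bin is the
    # one the dropper installs with "cp .sk /usr/bin/apmd".
    if [ -e "$root/usr/bin/apmd" ]; then
        echo "FOUND: $root/usr/bin/apmd (real apmd is /usr/sbin/apmd)"
        hits=$((hits + 1))
    fi

    # The boot-time starter line the post had not yet located. Assumption:
    # it was added to something under /etc (rc scripts, rc.local, inittab).
    if [ -d "$root/etc" ]; then
        starters=$(grep -rl '/usr/bin/apmd' "$root/etc" 2>/dev/null || true)
        for f in $starters; do
            echo "FOUND: $f references /usr/bin/apmd (boot starter line?)"
            hits=$((hits + 1))
        done
    fi

    [ "$hits" -gt 0 ]
}

# sk_port_check: on a live system, report a TCP listener on the IRC port.
# Uses ss when present, otherwise netstat. Returns 0 if a listener is seen.
sk_port_check() {
    if command -v ss >/dev/null 2>&1; then
        listeners=$(ss -ltn 2>/dev/null || true)
    elif command -v netstat >/dev/null 2>&1; then
        listeners=$(netstat -ltn 2>/dev/null || true)
    else
        return 1
    fi
    if printf '%s\n' "$listeners" | grep -q ":$SK_PORT "; then
        echo "FOUND: listener on tcp/$SK_PORT"
        return 0
    fi
    return 1
}

# deny_host ROOT ADDR: add "ALL: ADDR" to ROOT/etc/hosts.deny exactly once,
# the tcp_wrappers block the post describes adding for addresses seen in
# the logs.
deny_host() {
    file="$1/etc/hosts.deny"
    addr="$2"
    grep -qxF "ALL: $addr" "$file" 2>/dev/null || echo "ALL: $addr" >> "$file"
}

# Run directly with a ROOT argument to scan that tree, e.g. "./sk_check.sh ''"
# for the live system or "./sk_check.sh /mnt/image" for a mounted image.
if [ "$#" -gt 0 ]; then
    sk_check "$1" || echo "no file indicators under '${1:-/}'"
    sk_port_check || echo "no listener on tcp/$SK_PORT"
fi
```

The file checks are deliberately separate from the port check so the former can be run from a rescue environment against an unmounted-then-mounted disk, where a planted binary cannot hide a listening socket from you; on the live box, a rootkit that replaces login may well replace netstat too, so a clean result from sk_port_check alone proves little. deny_host only appends a line (for example `deny_host "" 192.0.2.10`, a constructed address) and never rewrites the existing file.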