Re: Found, a new rootkit
- From: "Michael H. Warfield" <mhw@xxxxxxxxxxxx>
- Date: Fri, 31 Mar 2006 13:31:10 -0500
On Fri, 2006-03-31 at 13:02 -0500, Gene Heskett wrote:
> Greetings folks;
> In doing some checking of a web server, we found an irc port open on
> 31377, one of the black hatters' favorites. A port that portsentry was
> supposed to be rejecting but wasn't.
> We stumbled over several items over the last few days, but the most
> obvious one was a directory called .sk, located in /usr/share/misc.
Your subject says "new rootkit" but you haven't said anything about a
"root kit" per se, just a backdoor. That ".sk" directory could be
(sounds like) the SK rootkit but I would not have expected you to find
it so easily (unless you used something like chkrootkit or rkhunter).
If you haven't run them, run both chkrootkit and rkhunter and let us
know what they turn up. They will identify, by name, rootkits they
find. If you turned up that rootkit so easily, it's entirely possible that
you've still got a rootkit on there that IS effectively hiding itself
(essence of a rootkit is "stealth", not just hiding in a . directory).
Both are available in FC Extras. I can highly recommend them both.
> Its payload seemed fairly simple, to make an underground irc chat server--
> out of the box.
> It does this with a shell script that echoes several kilobytes of octal
> strings to gzip in the unpack mode > to a file in the local directory
> called .sk, and it contains a login replacement also. We did not find
> that login was the one installed however. Which may be a clue that
> there's even more smoke in this camp than what we've found yet.
> The execution installs it by cp .sk /usr/bin/apmd, but puts it
> in /usr/bin as opposed to the real apmd's location of /usr/sbin, and
> adds a starter line so it's enabled on boot to something we haven't
> found yet. It also appears to start a third instance of portsentry
> somehow.
> We've cut our bandwidth use in half by getting rid of that. We also
> checked the logs and added several dozen more addresses
> to /etc/hosts.deny, including many script based password guess attempts
> that didn't get in. And put portsentry in its most paranoid anal mode
> with a few additions yet.
> Just thought everybody would like to know about this bit of black hat
> tomfoolery.
> --
> Cheers, Gene
> People having trouble with vz bouncing email to me should add the word
> 'online' between the 'verizon', and the dot which bypasses vz's
> stupid bounce rules. I do use spamassassin too. :-)
> Yahoo.com and AOL/TW attorneys please note, additions to the above
> message by Gene Heskett are:
> Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw@xxxxxxxxxxxx
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
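The two indicators Gene describes, a shell dropper that echoes octal-escaped bytes into gzip's unpack mode and a payload copied to /usr/bin/apmd next to a stray /usr/share/misc/.sk directory, can be turned into a quick first-pass check. This is an added example, not code from the thread or from chkrootkit/rkhunter; the regex thresholds and the constructed sample script and directory tree are assumptions for illustration.

```python
import os
import re
import tempfile

# Filesystem indicators quoted from the post, kept relative so any root can be scanned.
SUSPECT_PATHS = ["usr/share/misc/.sk"]
# (where the real binary lives, where the post says the impostor was copied)
MISPLACED_BINARIES = [("usr/sbin/apmd", "usr/bin/apmd")]

# A long run of \NNN octal escapes (the post's "several kilobytes of octal strings")
# fed into gzip's unpack mode; 16 escapes is an assumed, illustrative threshold.
OCTAL_RUN = re.compile(r"(?:\\[0-7]{3}){16,}")
GZIP_PIPE = re.compile(r"\|\s*(?:gzip\s+-d|gunzip|zcat)\b")

def looks_like_octal_dropper(script_text: str) -> bool:
    """True when a script both carries a dense octal-escaped blob and pipes into gzip -d."""
    return bool(OCTAL_RUN.search(script_text)) and bool(GZIP_PIPE.search(script_text))

def scan_tree(root: str) -> list:
    """Report the path indicators from the post that exist under `root`."""
    findings = []
    for rel in SUSPECT_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(f"suspect path present: /{rel}")
    for real, fake in MISPLACED_BINARIES:
        if os.path.lexists(os.path.join(root, fake)):
            note = "" if os.path.lexists(os.path.join(root, real)) else " (real one missing)"
            findings.append(f"binary in wrong location: /{fake}{note}")
    return findings

def demo() -> list:
    """Build a constructed tree mirroring the post's layout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/share/misc/.sk"))
        os.makedirs(os.path.join(root, "usr/bin"))
        os.makedirs(os.path.join(root, "usr/sbin"))
        for rel in ("usr/bin/apmd", "usr/sbin/apmd"):
            open(os.path.join(root, rel), "w").close()
        return scan_tree(root)

if __name__ == "__main__":
    # Constructed dropper fragment: repeated gzip magic bytes in octal, piped to gzip -d.
    sample = 'echo -e "' + "\\037\\213\\010" * 8 + '" | gzip -d > .sk/login\n'
    print(looks_like_octal_dropper(sample))
    print(demo())
```

Run it against a real host with `scan_tree("/")`; it only confirms the post's specific indicators and is no substitute for the chkrootkit and rkhunter runs Michael recommends.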