We had two machines taken out, both running Redhat 6.1.
The cracker did the following things:
Modified login, ps, ls, who, w, $PATH, netstat, lsof (to put sbin first)
[Maybe some more modifications as well--being told to do nothing for ten
hours and then do an analysis is not good for the analyser].
Linked /root/.bash_history to /dev/null.
Changed permissions on the above files, as well as made
/etc/rc.d/rc.sysinit non-executable.
Installed rtty, cons.saver, ssh [trojan], gib [Perl script to open random
ports], pback, a file called ..[6 nonviewable characters]belina in
/usr/local/man/man1, /dev/hd10, a couple more entries in /dev.
nas, jcd, qmgr and auds were installed.
tar was modified on one of the machines, but not the other.
The date on sshd was August 30, the date on the ssh-client and keygen
was June 15.
I had no backup disks (and still have none :() on which to dump the
contents of the disk for forensic analysis, so I can't provide the
files for analysis. [Of course, the data is backed up]
Opened ports 22/tcp, 996/tcp, 12213/tcp, 18186/tcp, 18666/tcp.
The machine is rebuilt, so I can't find out which other files were
modified.
Also, the machines being production machines, I couldn't even mount the
disks ro (mail servers), so I can't analyse the logs.
Does anyone know of a toolkit that does this? Particularly the changed
dates.
A google search and a securityfocus search have turned up nothing.
Devdas Bhagat
--
I'm going to Boston to see my doctor. He's a very sick man.
-- Fred Allen
Received on Dec 12 2000
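A minimal baseline-and-compare integrity check of the kind the question asks about, added here as an example (it is not from the post, and it is not the code of any particular toolkit): every file is hashed, so a replaced binary is flagged even when the intruder puts the old modification date back, and ctime is recorded because utime() cannot rewind it. The file names, contents and timestamps in demo() are constructed.

```python
import hashlib, os, stat, tempfile, time

def fingerprint(path):
    """Hash plus metadata; the hash exposes a replaced binary even if its mtime is restored."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
            "mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}

def snapshot(root):
    """Baseline of every regular file below root, keyed by relative path."""
    base = {}
    for d, _, files in os.walk(root):
        for name in files:
            p = os.path.join(d, name)
            if stat.S_ISREG(os.lstat(p).st_mode):
                base[os.path.relpath(p, root)] = fingerprint(p)
    return base

def compare(baseline, current):
    """Map each changed path to the attributes that differ ('added'/'removed' if one-sided)."""
    report = {}
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline or p not in current:
            report[p] = ["removed" if p in baseline else "added"]
            continue
        diff = [k for k in baseline[p] if baseline[p][k] != current[p][k]]
        if diff:
            report[p] = diff
    return report

def _plant(path, data, mtime=None):
    # Helper: write a constructed file and optionally force its mtime.
    with open(path, "wb") as f:
        f.write(data)
    if mtime is not None:
        os.utime(path, (mtime, mtime))   # sets atime/mtime only; ctime still moves

def demo():
    """Constructed scenario: same-size 'trojaned' sshd with its old mtime restored, plus a dot-dot file."""
    root = tempfile.mkdtemp()
    sshd = os.path.join(root, "sshd")
    old = 946684800                      # constructed mtime: 2000-01-01 UTC
    _plant(sshd, b"original sshd", old)
    baseline = snapshot(root)
    time.sleep(1.1)                      # let ctime advance at 1 s resolution
    _plant(sshd, b"trojaned sshd", old)  # same length, old date put back
    _plant(os.path.join(root, "..\x01\x02belina"), b"x")
    return compare(baseline, snapshot(root))
```

In demo() the replaced sshd is reported on its hash (and ctime) while mtime and size look untouched, which is exactly the case a date-only check misses.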