Security Incidents
mailing list archives
Re: A friend's cable modem Linux machine just got compromised
From: "Jason Robertson" <jason () ifuture com>
Date: Wed, 1 May 2002 12:11:21 -0400
This seems to be the same version of the Sun r00tkit attack I
mentioned. It seems to be a modified t0rnkit, which uses files like
/tmp/x for xinetd, and xntps on the Sun box was an mstream client if I
remember. It comes from a script kiddiez group on IRCnet, and it's
something like X-ORG. There was a writeup of it on the Honeynet
Project page, Scan 20.
Jason
On 1 May 2002 at 3:18, Sam Trenholme wrote:
Date sent: Wed, 1 May 2002 03:18:57 -0500 (CDT)
From: Sam Trenholme <abiword_bugs () yahoo com>
Subject: A friend's cable modem Linux machine just got compromised
To: incidents () securityfocus com
Hello there,
A friend's cable modem Linux machine was very recently
compromised; the attackers obtained root access on the
machine and modified certain system binaries in an
attempt to hide their tracks.
Anyway, it looked like they were hiding a program
called 'xntps'. In addition, they had a modified
md5sum which would generate bogus sums for the
trojaned system files.
I did not have an opportunity to perform a full
post-mortem system audit--the person is 300 miles away
and my first priority was to get him off the
'net and reinstalling his system. However, I was able
to download the trojaned 'md5sum' and 'xntps' files.
While studying Linux binaries without source is beyond
my feeble abilities, I have determined that the
modified md5sum binary attempts to read the file
/dev/srd0 and write to the file /tmp/behsdf; I suspect
the "bogus" sums are in /dev/srd0.
The system was a default rh7.1 install; I suspect that
they got in via the wu-ftpd globbing exploit.
Friends don't let friends run wu-ftpd.
- Sam
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
--
Jason Robertson
Network/Security Analyst
jason () ifuture com
http://www.ifuture.com, http://www.astroadvice.com,
http://www.astroeast.com
Also if you are looking for an employee, I may be available soon, so
feel free to contact me for my resume.
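The trojaned md5sum Sam describes returns pre-computed sums (read from /dev/srd0) for the replaced binaries, so the system's own checksum tool cannot be trusted. The script below is an added example, not code from either poster: it computes MD5 independently with Python's hashlib, compares that with whatever the installed md5sum prints, and looks for the file paths named in the thread. The /dev and /tmp paths come from the thread; the list of binaries to verify is an assumption, and the check is only meaningful when run from clean media or on copies pulled to a trusted host, as Sam did.

```python
#!/usr/bin/env python3
"""Spot an md5sum binary that lies about file digests (t0rnkit style)."""
import hashlib
import os
import shutil
import subprocess

# Paths named in the thread.  A *regular* file under /dev is suspicious
# by itself: genuine entries there are device nodes, not data files.
SUSPECT_PATHS = ["/dev/srd0", "/tmp/behsdf", "/tmp/x"]
# Assumed set of binaries worth re-checking on a Red Hat 7.1 box.
DEFAULT_BINARIES = ["/bin/ls", "/bin/ps", "/bin/netstat", "/usr/bin/md5sum"]

def independent_md5_bytes(data: bytes) -> str:
    """MD5 of an in-memory buffer, computed without the system md5sum."""
    return hashlib.md5(data).hexdigest()

def independent_md5(path: str) -> str:
    """MD5 of a file, streamed through hashlib in 64 KiB chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def system_md5(path: str, md5sum: str) -> str:
    """Digest as printed by the (possibly trojaned) md5sum binary."""
    out = subprocess.run([md5sum, path], capture_output=True,
                         text=True, check=True).stdout
    return out.split()[0].lower()   # md5sum prints "<hex>  <path>"

def md5sum_disagrees(paths, md5sum=None):
    """Return the files for which md5sum's output differs from hashlib's.

    A non-empty list means the binary is returning bogus sums exactly the
    way the trojaned copy in the thread did.  Returns None if no md5sum
    binary is available to compare against."""
    md5sum = md5sum or shutil.which("md5sum")
    if not md5sum:
        return None
    return [p for p in paths if os.path.isfile(p)
            and system_md5(p, md5sum) != independent_md5(p)]

def suspicious_files(paths=SUSPECT_PATHS):
    """List indicator paths that exist, noting regular files under /dev."""
    found = []
    for p in paths:
        if os.path.lexists(p):
            kind = "regular file" if os.path.isfile(p) else "device/other"
            found.append((p, kind))
    return found

if __name__ == "__main__":
    print("indicator files present:", suspicious_files())
    print("md5sum disagrees on:", md5sum_disagrees(DEFAULT_BINARIES))
```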