Security Incidents mailing list archives

t0rn, backdoors and a busy cracker.


From: labrat () INTERROREM COM (Russ Spooner)
Date: Sun, 18 Jun 2000 21:34:53 +0100


After investigating a recent incident, I thought I would share this
with the list.

After using a bind exploit, our friendly cracker installed an
interesting rootkit: "t0rn", which comprises password sniffers, log
cleaners, The Standard Replacement Binaries and also a couple of
interesting backdoor programs.

I seem to remember this particular rootkit having been discussed on the
list, so I won't bore you with the details too much.

The cracker's MO seems to be that he/she will gain entry and then
proceed to patch the vulnerabilities exploited to gain entry.

The cracker targets Linux machines.

"ls" and "find" are hacked to mask certain files that have been created
on the machine.

However key files to look for are (using locate, if you have it
installed):

"t0rnsniff"
"t0rnparse"
"in.inetd"
"in.amqd"

to name just a few.

The backdoor programs are of more interest, both of them will be hidden
by ps, but should still be visible by using "top".

"in.amqd", a hacked version of "sshd", will bind to port 47017
"in.inetd" is something called "leeto's socket demon" which binds to
port 511.

Both of these get installed by the cracker.

After the intrusion was repaired, a little logging program which binds
to these specific ports was installed, and we have identified 6 discrete
IP addresses from which the cracker has been attempting to access the
backdoors.

Each of these addresses responds on ports 511 and 47017, consistent with
the backdoor being installed.

This is all pretty standard stuff, but what is "leeto's socket demon"?

I have looked through the binary to see what it seems to do...

However, connecting to it seems to require a specific kerberized client.

Russ Spooner

--
===============================================
Interrorem LTD -> Network Security Specialists
http://interrorem.com
Security News and Info
===============================================
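Russ mentions installing a small logging program on the two backdoor ports to record who comes knocking. The following is an added example, not code from the post or from Interrorem: a minimal Python listener that binds the given ports, accepts each connection, records the source address and immediately closes without sending a byte (so it never speaks the backdoor's protocol), and can report the distinct source IPs seen. The class and function names (AttemptLog, Listener, probe, wait_for) and the log line format are my own; the default ports 511 and 47017 are the ones named in the post.

```python
import socket
import threading
import time

# Ports named in the post: 511 (leeto's socket demon) and 47017 (hacked sshd).
BACKDOOR_PORTS = (511, 47017)


class AttemptLog:
    """Thread-safe record of attempts: (timestamp, src_ip, src_port, dst_port)."""

    def __init__(self):
        self._lock = threading.Lock()
        self.attempts = []

    def record(self, src_ip, src_port, dst_port, ts=None):
        ts = time.time() if ts is None else ts
        with self._lock:
            self.attempts.append((ts, src_ip, src_port, dst_port))

    def count(self):
        with self._lock:
            return len(self.attempts)

    def distinct_sources(self):
        """Source IPs seen on any monitored port (the figure the post gives as 6)."""
        with self._lock:
            return {a[1] for a in self.attempts}

    def by_port(self):
        """Number of attempts per monitored port."""
        counts = {}
        with self._lock:
            for _, _, _, dst in self.attempts:
                counts[dst] = counts.get(dst, 0) + 1
        return counts

    def format_lines(self):
        """One log line per attempt, in an assumed (not the post's) format."""
        with self._lock:
            return ["%s src=%s:%d dst_port=%d" % (
                time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)), ip, sp, dp)
                for ts, ip, sp, dp in self.attempts]


class Listener:
    """Binds one port, logs each peer that connects, and closes without replying."""

    def __init__(self, port, log, bind_addr="0.0.0.0"):
        self.log = log
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, port))   # port 0 lets the OS pick a free port
        self.sock.listen(16)
        self.sock.settimeout(0.2)           # wake periodically to check the stop flag
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _run(self):
        while not self._stop.is_set():
            try:
                conn, (ip, src_port) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.log.record(ip, src_port, self.port)
            conn.close()                    # answer nothing; we only want the source
        self.sock.close()

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)


def probe(host, port, timeout=2.0):
    """Open and immediately close a TCP connection; True if the connect succeeded."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def wait_for(log, count, timeout=3.0):
    """Block until the log holds at least `count` attempts; True if it did in time."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        if log.count() >= count:
            return True
        time.sleep(0.05)
    return False


if __name__ == "__main__":
    # Real use: bind both backdoor ports (511 needs root) and report every minute.
    log = AttemptLog()
    listeners = [Listener(p, log).start() for p in BACKDOOR_PORTS]
    try:
        while True:
            time.sleep(60)
            print("\n".join(log.format_lines()))
            print("distinct sources:", sorted(log.distinct_sources()))
    except KeyboardInterrupt:
        for lst in listeners:
            lst.stop()
```

Because the listener closes the connection without sending anything, a client expecting the backdoor's banner or Kerberos handshake gets nothing back; the value is purely in the recorded source addresses, which can then be correlated with firewall and sshd logs.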