Security Incidents mailing list archives
Re: LJK2 rootkit?
From: oogali () INTRANOVA NET (Omachonu Ogali)
Date: Tue, 16 May 2000 19:43:52 -0400
1 212.204
Hide all connections to 212.204.0.0 through 212.204.255.255
1 62.236
Hide all connections to 62.236.0.0 through 62.236.255.255
2 212.204
Hide all connections from 212.204.0.0 through 212.204.255.255
2 62.236
Hide all connections from 62.236.0.0 through 62.236.255.255
3 76335
Provide a root shell on port 76335.
4 76335
Hide all connections to port 76335.
4 6667
Hide all connections to port 6667 (IRC).
4 5556
Hide all connections to port 5556.
4 6666
Hide all connections to port 6666.
4 6664
Hide all connections to port 6664.
4 6668
Hide all connections to port 6668.
3 60569
Provide a rootshell on port 60569.
4 60569
Hide all connections to port 60569.
2 213.48
Hide all connections from 213.48.0.0 through 213.48.255.255
2 210.225
Hide all connections from 210.225.0.0 through 210.225.255.255
3 4103
Provide a rootshell on port 4103.
next file:

[root@machine]# cat .LJK2/hide/.RK1log

RK1
Hide any message containing the string 'RK1' from syslog output.
.LJK2
Hide any message containing the string '.LJK2' from syslog output.
synscan
Hide any message containing the string 'synscan' from syslog output.
76335
Hide any message containing the string '76335' from syslog output.
212.204
Hide any message containing the string '212.204' from syslog output.
195.114
Hide any message containing the string '195.114' from syslog output.
62.236
Hide any message containing the string '62.236' from syslog output.
204.29
Hide any message containing the string '204.29' from syslog output.
rpmrhup
Hide any message containing the string 'rpmrhup' from syslog output.
rhxclean
Hide any message containing the string 'rhxclean' from syslog output.
60569
Hide any message containing the string '60569' from syslog output.
next:

[root@machine]# cat .LJK2/hide/.RK1dir

libmen.oo
Hide filename 'libmen.oo' from 'ls' output.
.LJK2
Hide filename '.LJK2' from 'ls' output.
rc.sysinit
Hide filename 'rc.sysinit' from 'ls' output.
lockit25.tgz
Hide filename 'lockit25.tgz' from 'ls' output.
lockit25.tar
Hide filename 'lockit25.tar' from 'ls' output.
lockit25.tar.gz
Hide filename 'lockit25.tar.gz' from 'ls' output.
lockit
Hide filename 'lockit' from 'ls' output.
and:

[root@machine]# less .LJK2/hide/.RK1proc

2 synscan
Hide filename 'synscan' from 'ps' output.
3 RK1
I'm not sure what this line means.
2 rpmrhup
Hide filename 'rpmrhup' from 'ps' output.
2 rhxclean
Hide filename 'rhxclean' from 'ps' output.
3 sshd
I'm not sure what this line means.

IP Networks Most Likely Involved:

1) 212.204.0.0/19

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      212.204.0.0 - 212.204.2.255
netname:      ENKOM-AVUNET
descr:        The ENKom GmbH is an ISP situated in Gevelsberg serving the EN-Region.
country:      DE
admin-c:      PLS4-RIPE
tech-c:       PB348-RIPE
status:       ASSIGNED PA
notify:       buhrmann () networkers de
changed:      hostmaster () ripe net 19980309
source:       RIPE

route:        212.204.0.0/19
descr:        ENKom GmbH, Gesellschaft fuer Telekommunikation
descr:        via Deutsche Telekom AG
origin:       AS3320
mnt-by:       DTAG-RR
changed:      mbt () nic dtag de 19980519
source:       RIPE

person:       Peter Ludwig Spangenberg
address:      ENKom GmbH
address:      Muehlenstr. 49
address:      D-58285 Gevelsberg
address:      Germany
phone:        +49 2332 73 187
fax-no:       +49 2332 73 186
e-mail:       tpp () avu de
nic-hdl:      PLS4-RIPE
notify:       guardian () xlink net
mnt-by:       XLINK-MNT
changed:      mlelstv () xlink net 19970423
changed:      mwiry () xlink net 19990114
source:       RIPE

person:       Peter Buhrmann
address:      Networkers GmbH
address:      Feithstr. 142
address:      D-58097 Hagen
address:      GERMANY
phone:        +49 233 180950
fax-no:       +49 233 1809513
e-mail:       buhrmann () networkers de
nic-hdl:      PB348-RIPE
mnt-by:       MKNET-MNT
changed:      buhrmann () networkers de 19980619
changed:      auto-direct () denic de 19990308
changed:      krauss () networkers de 19990623
source:       RIPE

2) 62.236.0.0/16

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      62.236.0.0 - 62.236.32.255
netname:      TELIAFI-NET
descr:        Telia Finland
descr:        Service network
country:      FI
admin-c:      JM289-RIPE
tech-c:       JM289-RIPE
tech-c:       VR67-RIPE
tech-c:       JT35-RIPE
tech-c:       PJJ1-RIPE
status:       ASSIGNED PA
mnt-by:       AS6793-MNT
changed:      jorma.mellin () teliafi net 19980423
changed:      jorma.mellin () teliafi net 19980424
source:       RIPE

route:        62.236.0.0/16
descr:        TELIAFI-BLK
origin:       AS6793
notify:       hostmaster () teliafi net
mnt-by:       AS6793-MNT
changed:      jorma.mellin () teliafi net 19980204
source:       RIPE

person:       Jorma Mellin
address:      Telia Finland Oy
address:      Myyrmaentie 2
address:      FI-01600 Vantaa
address:      Finland
phone:        +358 303 994 762
phone:        +358 41 500 4762
fax-no:       +358 303 994 700
e-mail:       jorma.mellin () teliafi net
nic-hdl:      JM289-RIPE
notify:       jorma.mellin () teliafi net
changed:      jorma.mellin () ivo fi 19960925
changed:      jorma.mellin () telivo net 19970403
changed:      jorma.mellin () teliafi net 19971003
changed:      jorma.mellin () teliafi net 19980928
source:       RIPE

person:       Vesa Ruokonen
address:      Telia Finland
address:      Myyrmaentie 2 B
address:      FI-01600 Vantaa
address:      Finland
phone:        +358 303 994 763
fax-no:       +358 303 994 700
e-mail:       ruokonen () teliafi net
nic-hdl:      VR67-RIPE
notify:       ruokonen () teliafi net
changed:      jorma.mellin () telivo fi 19970403
changed:      ruokonen () teliafi net 19971015
changed:      ruokonen () teliafi net 19980930
source:       RIPE

person:       Jan Tamlander
address:      Telia Finland
address:      Myyrmaentie 2 B
address:      FI-01600 Vantaa
address:      Finland
phone:        +358 303 994 735
phone:        +385 40 514 9627
fax-no:       +385 303 994 700
e-mail:       jan.tamlander () telia fi
nic-hdl:      JT35-RIPE
notify:       jan.tamlander () telia fi
changed:      jan.tamlander () ivo fi 19961119
changed:      ruokonen () teliafi net 19971016
source:       RIPE

person:       Petri Jokela
address:      Telia Finland Oy
address:      Myyrmaenkatu 2 B
address:      FIN-01600 VANTAA
address:      Finland
phone:        +358 303 994 732
phone:        +358 41 500 4732
fax-no:       +358 303 994 700
e-mail:       Petri.Jokela () telia fi
nic-hdl:      PJJ1-RIPE
notify:       Petri.Jokela () telia fi
changed:      jh () funet fi 19930414
changed:      Jyrki.Soini () funet fi 19940303
changed:      Petri.Jokela () telivo net 19970528
changed:      Petri.Jokela () telia fi 19971015
changed:      Petri.Jokela () telia fi 19981120
source:       RIPE

3) 213.48.0.0/24

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      213.48.0.0 - 213.48.0.255
netname:      SE-MODEMS-CI
descr:        SOUTH EAST MODEMS
country:      GB
admin-c:      MG645-RIPE
tech-c:       MG645-RIPE
status:       ASSIGNED PA
changed:      mike () cableinet net 20000131
source:       RIPE

person:       Mike Garrett
address:      Cable Internet Ltd.
address:      Unit 2, Genesis Busines Park
address:      Woking, Surrey
address:      GU21 5RW
phone:        +44 1483 251 842
fax-no:       +44 1483 251 810
e-mail:       Mike () cableinet net
nic-hdl:      MG645-RIPE
changed:      mike () cableinet net 19971112
source:       RIPE

4) 210.225.0.0/16

[ JPNIC database provides information on network administration. Its use is ]
[ restricted to network administration purposes. For further information, use ]
[ 'whois -h whois.nic.ad.jp help'. To suppress Japanese output, add '/e' at ]
[ the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'. ]

Network Information:
a. [Network Number]          210.225.0.0
b. [Network Name]            SUBA-131-971
g. [Organization]            Open Computer Network
j. [Address]                 Tokyo Opera City Tower 21F, 3-20-2 Nishi-shinjuku, Shinjuku-ku, Tokyo 163-14, Japan
m. [Administrative Contact]  SY615JP
n. [Technical Contact]       MO081JP
n. [Technical Contact]       YK526JP
n. [Technical Contact]       KK551JP
n. [Technical Contact]       TA221JP
p. [Nameserver]              pns.ocn.ad.jp
p. [Nameserver]              ns-os001.ocn.ad.jp
y. [Reply Mail]              db-admin () ocn ad jp
[Assigned Date]              1998/05/14
[Return Date]
[Last Update]                1998/10/15 15:16:36 (JST)
                             ip-alloc () nic ad jp

--------
Asahikawa Fuji Girls' High Sch        FUJI-SYSTEM    [210.225.0.0 <-> 210.225.0.15]      210.225.0.0/28
Takahashi-Shinbunten Limited Company  ORAGA-NET      [210.225.0.16 <-> 210.225.0.31]     210.225.0.16/28
Gohuku Service Limited Company        BBSNET         [210.225.0.32 <-> 210.225.0.47]     210.225.0.32/28
(Sato, Hiroki)                        HIROKI-SATO    [210.225.0.48 <-> 210.225.0.55]     210.225.0.48/29
Meiji Consultant Co.,Ltd.             MEICONSAPSYS   [210.225.0.64 <-> 210.225.0.79]     210.225.0.64/28
Dourokougyou Corporation              DOKO-NET       [210.225.0.80 <-> 210.225.0.87]     210.225.0.80/29
Miyasaka Construction Corporation     MIYASAKA       [210.225.0.88 <-> 210.225.0.95]     210.225.0.88/29
Dotokaihatsusekkei Corporation        DOTO-NET       [210.225.0.112 <-> 210.225.0.127]   210.225.0.112/28
Hokkaido Chitose Hokuyo High S        HOKUYO-SYS     [210.225.0.128 <-> 210.225.0.143]   210.225.0.128/28
SHAMROCK CO.,LTD.                     SHAMROCK-SYS   [210.225.0.144 <-> 210.225.0.159]   210.225.0.144/28
Shield Org.                           SHIELD-NET     [210.225.0.160 <-> 210.225.0.175]   210.225.0.160/28
Hybrid.Service Co.,Ltd.               H3-NET         [210.225.0.176 <-> 210.225.0.191]   210.225.0.176/28
NTT Telecom Engineering Hokkaido      YUME-CHITOSE   [210.225.0.192 <-> 210.225.0.199]   210.225.0.192/29
Telecommunications Advancement        CHITOSE-TAO    [210.225.0.208 <-> 210.225.0.223]   210.225.0.208/28
Theon Corporation                     THEON-NET      [210.225.0.240 <-> 210.225.0.255]   210.225.0.240/28

5) 195.114.0.0/19

% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      195.114.0.0 - 195.114.3.255
netname:      ISNET-SK
descr:        Internet Systems, Inc.
descr:        General commercial internet service provider
descr:        Kutuzovova 17, 831 03 Bratislava
descr:        Slovakia
country:      SK
admin-c:      PH261-RIPE
tech-c:       RS292-RIPE
status:       ASSIGNED PA
changed:      hostmaster () ripe net 19960820
source:       RIPE

route:        195.114.0.0/19
descr:        Internet Systems, Inc.
origin:       AS6750
mnt-by:       AS6750-MNT
changed:      hudak () euba sk 19960903
source:       RIPE

person:       Peter Hudak
address:      EuroTel Bratislava Ltd.
address:      P.O.Box 54, Bajkalska 24
address:      Bratislava
address:      830 08
address:      Slovakia
phone:        +421 7 49553514
e-mail:       domeny () eurotel sk
nic-hdl:      PH261-RIPE
changed:      hudis () eurotel sk 19990927
changed:      scensnyj () eurotel sk 20000307
source:       RIPE

person:       Richard Stilicha
address:      INTERWAY s.r.o.
address:      Hatalova 12
address:      831 03 Bratislava
address:      Slovakia
phone:        +42 7 525 87 35
fax-no:       +42 7 525 87 35
e-mail:       stilicha () interway sk
nic-hdl:      RS292-RIPE
changed:      tps () tps sk 19980127
source:       RIPE

To pursue the attackers, your best points of contact would be:

1) ENKom GmbH
   Peter Ludwig Spangenberg - tpp () avu de

2) Networkers GmbH
   Peter Buhrmann - buhrmann () networkers de

3) Telia Finland
   Jorma Mellin - jorma.mellin () teliafi net
   Vesa Ruokonen - ruokonen () teliafi net
   Jan Tamlander - jan.tamlander () telia fi
   Petri Jokela - Petri.Jokela () telia fi

4) Cable Internet Ltd.
   Mike Garrett - Mike () cableinet net

5) NTT Communications Corporation
   Shogo Yokoi - s-yokoi () ntt ocn ne jp
   Masaya Okada - okada () ntt ocn ne jp
   Yasushi Kawaguchi - kawaguti () ocn ad jp
   Kazuhiro Kitamura - kitamura () ocn ad jp
   Takashi Arano - arano () byd ocn ad jp

This was somewhat of a quick and sloppy e-mail; take caution. Don't rely solely on this piece of information; take further steps to secure your network, and if necessary watch all traffic between that machine and the rest of the network to view further attempts of reentry.

Could you also forward me the BIND logs (primarily the lame messages) that were written the night of the intrusion?
--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                  oogali () intranova net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839                                                  |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34        |
+-------------------------------------------------------------------------+
Current thread:
- IP Black list - GET REAL, (continued)
- IP Black list - GET REAL Roelof Temmingh (May 15)
- Re: IP Black list? Jon Lewis (May 15)
- Re: IP Black list? Ed Padin (May 15)
- Re: IP Black list? jms (May 14)
- Re: IP Black list? (Track yes, Block no) Bryan Andersen (May 16)
- You can now track Bugtraq via software (fwd) Alfred Huger (May 15)
- Re: IP Black list? jms (May 14)
- Re: IP Black list? Mike Shannon (May 15)
- LJK2 rootkit? Felix Schueren (May 16)
- Re: LJK2 rootkit? Jose Nazario (May 16)
- IP blacklists phi-incident () EXORSUS NET (May 16)
- Re: LJK2 rootkit? Omachonu Ogali (May 16)
- Re: LJK2 rootkit? Jose Nazario (May 18)
- Re: LJK2 rootkit? Omachonu Ogali (May 18)
- LJK2 rootkit? Felix Schueren (May 16)
- Re: LJK2 rootkit? Jens Hektor (May 17)
- Re: LJK2 rootkit? Egon Barfuß jun. (May 17)
- Korea Damian Gerow (May 17)
- Re: IP Black list? Ryan Russell (May 16)
- Re: IP Black list? Tabor J. Wells (May 16)
- Re: IP Black list? Michael Damm (May 15)
- Re: IP Black list? jms (May 15)