RE: hpd, afb, sc, and sn

["Bojan Zdrnja" <Bojan.Zdrnja () FER hr>]

> -----Original Message-----
> From: Gordon Chamberlin [mailto:glac () visualize com] 
> Sent: 20. prosinac 2002 22:12
> To: incidents () securityfocus com
> Subject: hpd, afb, sc, and sn
>
>
> The contents of hpd are:
> #!/bin/sh
> /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null 
> /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null

Rootkit doesn't seem familiar to me, but this is almost certanly some
backdoor service listening at port 7000 (-p flag), which your nmap
showed later.
You can maybe try telneting to localhost port 7000 to see what banner
you get.

> According to an rpm -V, all kinds of binaries have been 
> changed: ps, top, netstat, ifconfig, ...
>
> I copied a good version of ps in and found the two afb 
> processes running.

Well, if you didn't see afb processes before (with old ps), your machine
is 100% compromised with binaries of common utilities changed.

> Anyone know about this hack, what afb does and/or how they 
> usually get in?

If you can post those files people can analyze them.
In any case, I'd suggest making image of machines HDD (for later
analysis) and reinstalling everything from the scratch as it's pretty
obvious someone started rootkit on it.
Also, you can try starting chrootkit on your machine to see what output
you'll get.
Latest version was released yesterday (v0.38) so I'd suggest download of
it and running it on compromised machine:

http://www.chkrootkit.org/

Best regards,

Bojan Zdrnja


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com