Security Incidents mailing list archives

Re: strange telnet behavior


From: Vladimir Ivaschenko <hazard () francoudi com>
Date: Tue, 19 Feb 2002 15:17:25 +0200

Pavel Kankovsky wrote about "Re: strange telnet behavior":

> On Mon, 18 Feb 2002, Vladimir Ivaschenko wrote:
>
>> _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0})
>                                           ^^^^^^^^^
>> Red Hat Linux release 7.1 (Seawolf)
>> Kernel 2.4.2-2 on an i586
>         ^^^^^^^
> Hmm...interesting. Also, you said you ran RH 7.0, not 7.1?

Well, this is output of telnet on a remote machine. :)


>> open("/etc/ld.so.preload", O_RDONLY)    = 3
>
> Most systems do not have ld.so.preload.

And that looks to be it! I cannot find file /etc/ld.so.preload on
that machine (remote login via ssh). As well, if you look at the
strace it also loads "/lib/libshow.so.0.9.5", which is also
invisible to programs running on that machine.

Unfortunately I'm in another place now and the admin guy there is
not qualified enough to perform any analysis. I will try to get my
hands on it as soon as possible.

I should have looked at the beginning of the strace more carefully...

> Your machine's kernel has probably been tampered with. Or some core
> libraries. Or /etc/ld.so.preload (I recall there is a rootkit using this
> method to control all (dynamically linked) programs out there.)

What is interesting, according to RPM, the MD5 for everything is
correct. So unless they tampered with the RPM database, most
probably it is in /etc/ld.so.preload.

-- 
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
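The symptom that gave the hook away in this thread, a successful open() of /etc/ld.so.preload followed by a library that nobody logged in to the box can see, can be checked for mechanically in a saved strace. The script below is an added example and is not code from the original post or from anyone in the thread. The strace lines it scans are constructed for the example; only the file name libshow.so.0.9.5 comes from the post, and the other paths, the loader-order heuristic and the allowlist of expected libraries are assumptions that a real deployment would derive from a known-clean host.

```python
"""Scan strace output for the /etc/ld.so.preload hook described in the thread.

Two signals are checked:
  1. open("/etc/ld.so.preload") returning a file descriptor instead of ENOENT
     (on most systems the file does not exist);
  2. any shared object opened after that and before /etc/ld.so.cache, i.e.
     before the dynamic loader starts resolving the program's own DT_NEEDED
     libraries; that is where a preloaded library gets mapped (assumption:
     the preload entry is an absolute path, so no cache lookup precedes it).
An optional allowlist of expected library paths catches a hook that loads
its library later, at the cost of having to maintain the list.
"""
import re

PRELOAD_FILE = "/etc/ld.so.preload"
LDSO_CACHE = "/etc/ld.so.cache"

# Matches the two forms strace prints for the call, with or without the
# "[pid N]" prefix added by strace -f, and captures the path, the return
# value and (for failures) the errno name.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)"'
    r'[^)]*\)\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?'
)


def parse_opens(lines):
    """Return [(path, return_value, errno_or_None), ...] for open()/openat() lines."""
    opens = []
    for line in lines:
        m = OPEN_RE.match(line.strip())
        if m:
            opens.append((m.group(1), int(m.group(2)), m.group(3)))
    return opens


def is_shared_object(path):
    name = path.rsplit("/", 1)[-1]
    return name.endswith(".so") or ".so." in name


def find_preload_indicators(lines, known_libs=frozenset()):
    """Return a list of (indicator, path) pairs; an empty list means nothing suspicious."""
    findings = []
    preload_present = False
    cache_opened = False
    for path, ret, _errno in parse_opens(lines):
        if path == PRELOAD_FILE:
            if ret >= 0:                      # ENOENT is the normal case
                findings.append(("preload-file-present", path))
                preload_present = True
            continue
        if path == LDSO_CACHE:
            cache_opened = True
            continue
        if ret < 0 or not is_shared_object(path):
            continue
        if preload_present and not cache_opened:
            findings.append(("preloaded-library", path))
        elif known_libs and path not in known_libs:
            findings.append(("unlisted-library", path))
    return findings


# Constructed sample traces (not real captures). The hooked one mirrors the
# symptoms from the post: a preload file that opens fine and a library,
# /lib/libshow.so.0.9.5, mapped before ld.so.cache is consulted.
HOOKED_TRACE = """\
execve("/usr/bin/telnet", ["telnet", "host"], [/* 20 vars */]) = 0
brk(0)                                  = 0x8051d58
open("/etc/ld.so.preload", O_RDONLY)    = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0
close(3)                                = 0
open("/lib/libshow.so.0.9.5", O_RDONLY) = 3
close(3)                                = 0
open("/etc/ld.so.cache", O_RDONLY)      = 3
close(3)                                = 0
open("/lib/libncurses.so.5", O_RDONLY)  = 3
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
close(3)                                = 0
""".splitlines()

CLEAN_TRACE = """\
execve("/usr/bin/telnet", ["telnet", "host"], [/* 20 vars */]) = 0
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
close(3)                                = 0
open("/lib/libncurses.so.5", O_RDONLY)  = 3
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
close(3)                                = 0
""".splitlines()

# Assumed allowlist; on a real system build it from a known-clean package list.
EXPECTED_LIBS = frozenset({"/lib/libncurses.so.5", "/lib/libc.so.6"})

if __name__ == "__main__":
    for label, trace in (("hooked", HOOKED_TRACE), ("clean", CLEAN_TRACE)):
        print(label, find_preload_indicators(trace, EXPECTED_LIBS))
```

Run it against `strace -f -o trace.txt /usr/bin/telnet host` output captured on the suspect box. The reason strace is useful here where `ls`, `cat` and `rpm -Va` are not: the preloaded library lives inside every dynamically linked process and can lie to it about what open(), stat() or readdir() returned, but strace records the system calls the process actually made via ptrace, so the open() of /etc/ld.so.preload and of the hidden library still appears even if the hook then hides the files from the caller. For the same reason `rpm -Va` from inside the compromised system proves little: it runs with the hook loaded and verifies against a local database the intruder may have updated; check from a clean boot, with statically linked tools, or against the original package files.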
