My guesses are:

* Sniffer log daemon - there are many variants on this. The basic concept is
that an attacker will install sniffers on multiple different machines, and as
opposed to having them log locally, it sends the logs to a centralized host,
where said attacker grabs them from at a later date. Same idea as why we
invented the television remote control (general laziness)

* ICMP based shell tool with udp data stream.

* UDP only based shell backdoor that expects a crypt() based password, and
"aIf3YWfOhw.V." is the crypt based passwd.

* UDP named vulnerability scanner (ns.tgz - available from rootshell.com)
I would look for "*.log" in the same areas of the filesystem in which you
found the binary. This program, by default, scans other nets for named
vulnerabilities. While you're at it, I would compare the version of named
running on the host to the versions indicated vulnerable in ns.tgz



-----Original Message-----
From: Dominick Glavach <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, August 24, 1999 7:23 PM
Subject: incident recovery


>This is slightly off-topic so cross post if necessary.
>
>When performing an incident recovery for company XYZ, I found the following
>in root's crontab: * * * * * /usr/sbin/ns.
>
>This appears to be a backdoor of some sort.  The reason I post this is to
>see if anyone has seen this type on binary before and to get a little more
>information on exactly what it is.
>
>What I know is it was running non-stop from cron and it opens 3 UDP ports.
>It may be a client/server app?  Any ideas.
>
>Here's the output from `strings ns`  (The 3 IP addresses at the start have
>been changed for incident purposes)
>
>aaa.aaa.bbb.xxx
>aaa.aaa.ccc.xxx
>aaa.aaa.ddd.xxx
>socket
>bind
>recvfrom
>%s %s %s
>aIf3YWfOhw.V.
>PONG
>*HELLO*
>
>
>--
>-----------------------------------------------------------------------
>Dominick Glavach,  IS Security/System Engineer [EMAIL PROTECTED]
>Concurrent Technologies Corporation         814/269-2469
>
>
>PGP fingerprint: F1 EB F3 DE 69 93 80 BF  00 14 77 E9 8B 61 A8 73
>PGP Public Key : ftp.ctc.com/pub/PGP-keys/glavach.asc
>-----------------------------------------------------------------------
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
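The thread above triages a suspect binary from its `strings` output and its cron entry. The following is an added example (not code from either poster) that automates that first pass: it buckets the printable strings into indicator classes (hard-coded IPv4 peers, socket API names, format strings, and 13-character traditional DES crypt(3) hashes such as the `aIf3YWfOhw.V.` value from the post) and flags crontab entries that run every minute or invoke a binary outside an analyst-supplied allow-list. The sample inputs are constructed: the masked addresses from the post are replaced with RFC 5737 documentation addresses, and the function names and the `known_good` allow-list are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the `strings ns` output quoted in the post, with the
# masked aaa.aaa.*.xxx addresses replaced by RFC 5737 documentation IPs.
SAMPLE_STRINGS = """\
192.0.2.10
198.51.100.20
203.0.113.30
socket
bind
recvfrom
%s %s %s
aIf3YWfOhw.V.
PONG
*HELLO*
"""

# Constructed sample root crontab containing the entry from the post
# alongside a benign scheduled job.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /usr/sbin/ns
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Traditional DES crypt(3): 2-char salt + 11 chars, alphabet [./0-9A-Za-z].
# Heuristic only: any 13-char token from that alphabet matches, so we also
# require it not to be a plain word (hashes mix digits, case and punctuation).
CRYPT_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
FORMAT_RE = re.compile(r"%[sdxc]")
NET_API = {"socket", "bind", "connect", "recvfrom", "sendto", "listen", "accept"}
CRON_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def _valid_ipv4(s):
    return all(0 <= int(octet) <= 255 for octet in s.split("."))


def triage_strings(text):
    """Bucket printable strings from a suspect binary into indicator classes."""
    found = defaultdict(list)
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if IPV4_RE.match(s) and _valid_ipv4(s):
            found["ipv4"].append(s)
        elif s in NET_API:
            found["net_api"].append(s)
        elif FORMAT_RE.search(s):
            found["format_strings"].append(s)
        elif CRYPT_DES_RE.match(s) and not s.isalpha():
            found["crypt_des_hashes"].append(s)
    return dict(found)


def flag_cron_entries(crontab_text, known_good=("/usr/sbin/logrotate",)):
    """Return (command, reasons) for crontab entries worth a second look."""
    flagged = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m:
            continue
        fields, command = m.groups()[:5], m.group(6)
        binary = command.split()[0]
        reasons = []
        if all(f == "*" for f in fields):
            reasons.append("runs every minute")
        if binary not in known_good:
            reasons.append("binary not on allow-list")
        if reasons:
            flagged.append((command, reasons))
    return flagged


def triage_report(strings_text, crontab_text):
    """Combine string indicators and cron findings into a short verdict list."""
    indicators = triage_strings(strings_text)
    verdict = []
    if indicators.get("net_api") and indicators.get("ipv4"):
        verdict.append("network-capable with hard-coded peers")
    if indicators.get("crypt_des_hashes"):
        verdict.append("embedded crypt(3) hash: likely password-gated backdoor")
    return {"indicators": indicators,
            "cron": flag_cron_entries(crontab_text),
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_STRINGS, SAMPLE_CRONTAB).items():
        print(f"{key}: {value}")
```

On a live case, feed `triage_strings` the real `strings` output and `flag_cron_entries` each user's crontab; the hard-coded peer addresses it extracts are the hosts to check firewall and netflow logs against, and the every-minute entry is what keeps the process alive across kills, which is why removing the binary alone is not enough.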
