I have two identical systems, and when I cross-checked against that system I found the following result.
Trojan-infected system (what is this "deleted"?):

root@vmg035:/usr/local/src/ossec# cat /proc/1/maps
7f6c7d145000-7f6c7d151000 r-xp 00000000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d151000-7f6c7d350000 ---p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d350000-7f6c7d351000 r--p 0000b000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d351000-7f6c7d352000 rw-p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d352000-7f6c7d35c000 r-xp 00000000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d35c000-7f6c7d55b000 ---p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55b000-7f6c7d55c000 r--p 00009000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55c000-7f6c7d55d000 rw-p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55d000-7f6c7d574000 r-xp 00000000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d574000-7f6c7d773000 ---p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d773000-7f6c7d774000 r--p 00016000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d774000-7f6c7d775000 rw-p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d775000-7f6c7d777000 rw-p 00000000 00:00 0
7f6c7d777000-7f6c7d77f000 r-xp 00000000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d77f000-7f6c7d97e000 ---p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d97e000-7f6c7d97f000 r--p 00007000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d97f000-7f6c7d980000 rw-p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)

Other identical system:

[root@test035 ~]# cat /proc/1/maps
005c4000-005d1000 r-xp 00000000 fd:00 869076 /lib/libsepol.so.1
005d1000-005d2000 rw-p 0000c000 fd:00 869076 /lib/libsepol.so.1
005d2000-005da000 rw-p 005d2000 00:00 0
00665000-00672000 r-xp 00000000 fd:00 869075 /lib/libselinux.so.1
00672000-00673000 rw-p 0000d000 fd:00 869075 /lib/libselinux.so.1
00891000-008a7000 r-xp 00000000 fd:00 869014 /lib/ld-2.3.4.so
008a7000-008a8000 r--p 00015000 fd:00 869014 /lib/ld-2.3.4.so
008a8000-008a9000 rw-p 00016000 fd:00 869014 /lib/ld-2.3.4.so
00987000-00988000 r-xp 00000000 fd:00 869031 /lib/libcwait.so
00988000-00989000 rw-p 00000000 fd:00 869031 /lib/libcwait.so
00adb000-00c05000 r-xp 00000000 fd:00 902502 /lib/tls/libc-2.3.4.so
00c05000-00c07000 r--p 00129000 fd:00 902502 /lib/tls/libc-2.3.4.so
00c07000-00c09000 rw-p 0012b000 fd:00 902502 /lib/tls/libc-2.3.4.so
00c09000-00c0b000 rw-p 00c09000 00:00 0
08048000-0804f000 r-xp 00000000 fd:00 1613974 /sbin/init
0804f000-08050000 rw-p 00007000 fd:00 1613974 /sbin/init
0930a000-0932b000 rw-p 0930a000 00:00 0
b7f74000-b7f76000 rw-p b7f74000 00:00 0
bfe13000-c0000000 rw-p bfe13000 00:00 0

On Tue, Mar 1, 2011 at 3:00 PM, Castle, Shane <[email protected]> wrote:
> I'd cross-check with one of the rootkit checking tools but yes, kinda
> looks like you've been pwned.
>
> --
> Shane Castle
> Data Security Mgr, Boulder County IT
> CISSP GSEC GCIH
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of satish patel
> Sent: Tuesday, March 01, 2011 12:53
> To: [email protected]
> Subject: [ossec-list] Trojan found on Redhat AS4
>
> I have just installed OSSEC-2.5.1 on one of the Redhat AS4 Linux
> machines and I got the following message. What the hack is this? Is this
> a real trojan?
>
>
> Received From: vmg035->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Trojaned version of file '/proc/1/maps' detected. Signature used:
> 'init.' (Suckit rootkit).
>
> -Satish
>
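Added here as an example, not part of the original thread and not OSSEC's own rootcheck code: a parser for /proc/<pid>/maps that answers the "what is this deleted?" question above. The kernel appends " (deleted)" to a file-backed mapping whose file has been unlinked since it was mapped; that happens when a library is replaced on disk while a process still holds the old copy (the .dpkg-new name in the dump is dpkg's temporary filename while unpacking a package), but it is also how a dropped-and-removed injected library shows up, so the entries with an executable segment are the ones to verify against the package manager before deciding between a stale upgrade and a compromise. The sample input is excerpted from the two maps dumps pasted in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines excerpted from the two /proc/1/maps dumps pasted in the thread.
SAMPLE_MAPS = """\
7f6c7d145000-7f6c7d151000 r-xp 00000000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d151000-7f6c7d350000 ---p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d775000-7f6c7d777000 rw-p 00000000 00:00 0
7f6c7d777000-7f6c7d77f000 r-xp 00000000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
08048000-0804f000 r-xp 00000000 fd:00 1613974 /sbin/init
"""

@dataclass
class Mapping:
    start: int
    end: int
    perms: str            # "r-xp": read, write, exec, then p(rivate) or s(hared)
    offset: int
    dev: str              # major:minor of the backing device, "00:00" for anonymous memory
    inode: int            # 0 for anonymous memory
    path: Optional[str]   # None for anonymous mappings
    deleted: bool         # kernel appended " (deleted)": the file was unlinked after being mapped

def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text; the pathname (field 6) is optional and may contain spaces."""
    out = []
    for line in filter(None, text.splitlines()):
        fields = line.split(None, 5)
        addr, perms, offset, dev, inode = fields[:5]
        path = fields[5].strip() if len(fields) > 5 else None
        deleted = False
        if path and path.endswith(" (deleted)"):
            path, deleted = path[: -len(" (deleted)")], True
        start, end = (int(x, 16) for x in addr.split("-"))
        out.append(Mapping(start, end, perms, int(offset, 16), dev, int(inode), path, deleted))
    return out

def deleted_objects(maps: List[Mapping]) -> List[str]:
    """Distinct unlinked files still mapped, keyed by (dev, inode) so one library's segments count once."""
    seen = {}
    for m in maps:
        if m.deleted and m.path:
            seen.setdefault((m.dev, m.inode), m.path)
    return sorted(seen.values())

def deleted_executable(maps: List[Mapping]) -> List[str]:
    """Unlinked files with an executable segment: code still running from a file that is gone.
    Check these against the package manager (a .dpkg-new name is dpkg's temporary name while unpacking)."""
    return sorted({m.path for m in maps if m.deleted and m.path and "x" in m.perms})
```

Run it against a live `cat /proc/1/maps` capture: an empty result from deleted_executable() means init is not executing any unlinked code; a non-empty one on a box with no recent upgrade deserves a look.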
