On Mon, 29 Jul 2002, Emmanuel 'Manny' Amador wrote:
> Hi all!
>
> While running chkrootkit, I got these funny messages:
>
> Checking `aliens'...
> /dev/xmx /dev/xdta
> /usr/bin/sourcemask
>
> and...
>
> What does /usr/bin/sourcemask do anyways? I checked it with rpm and it
> doesn't seem to be part of any package in my database. And what about
> /dev/xmx and /dev/xdta?

Your box was hacked like mine, and I got the privilege of recording the list of files that was installed (see below). I didn't do rootkit research, but from the looks of it, I guessed it was an automatic exploit script. And since that happened eons ago, it's still alive and victimizing...

It installed sniffers, port scanners, trojaned admin binaries, TCP backdoors and reinstall scripts embedded in rc.sysinit so that all backdoors/trojans are reinstalled upon reboot.

/dev/xmx contains a list of files it installed (partial). /dev/xdta lists IP addresses (192.X.X.X), domains (hobbiton.org) and ports that it probably attacked next.

sourcemask contains these shell statements:

---
cd /usr/man/man1/".. "/.dir
./snif >chipsul &
/usr/bin/ras2xm -p 1979 -q
---

Listing of files installed (partial):

-rwxr-xr-x root/root    7165 .dir/snif
-rwx------ root/root      63 .dir/klog
-rwx--x--x root/root    8268 .dir/crush
-rwxr-xr-x root/root    4060 .dir/create
-rwxr-xr-x root/root   13067 .dir/sc/ben
-rwxr-xr-x root/root     112 .dir/sc/osscan
-rwxr-xr-x root/root   15715 .dir/sc/scan
-rwxr-xr-x root/root   15121 .dir/sc/wus
-rw-r--r-- root/root    8545 .dir/lamer.tgz
-rw-r--r-- root/root   28379 .dir/bwm
-rwxr-xr-x root/root    1586 .dir/lamer
-rwxr-xr-x root/root   11632 .dir/statdx
-rwxr-xr-x root/root    6468 .dir/scan-a
-rw-r--r-- root/root 1102304 .dir/chipsul
-rwxr-xr-x root/root   33280 /bin/ps
-rwxr-xr-x root/root   35300 /bin/netstat
-rwxr-xr-x root/root   53588 /usr/bin/top
-rwxr-xr-x root/root   21816 /usr/bin/crontab
-rwsr-xr-x root/root   21816 /usr/bin/ct
-rwxr-xr-x root/root  201020 /usr/bin/ras2xm
-rwx------ root/root      75 /usr/bin/sourcemask
-rwxr-xr-x root/root   14224 /usr/sbin/tcpd
-rwxr-xr-x root/root   27055 /usr/sbin/in.rexedcs
-rwxr-xr-x root/root  267360 /usr/sbin/syslogd
-rwxr-xr-x root/root   13719 /etc/rc.sysinit
-rwxr-xr-x root/root   19840 /sbin/ifconfig
-rw-r--r-- root/root     145 /dev/xmx
-rw-r--r-- root/root     241 /dev/xdta
---

I must say posts like these are interesting. =)

pong

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
