There are 2 ways of finding out where and what daemons/utils/processes are hidden on your linux box:

1: use chkrootkit (www.chakrootkit.org)

2: search for /usr/src/.puta, and there should be all the files that hide ps, netstat and all the other shit. Then there is a directory in /usr/info/.t0rn, there are all the ssh-backdoored files.

What you must do is: reinstall telnetd, ssh, ftpd (if wuftpd), procps, net-tools,
Bogdan Baba

On 18 Oct 2001, Jason Burfield wrote:

> I'm sure someone here will have some insight on this...
>
> A friend of mine has a linux machine that has been rooted with the t0rn
> root kit. I found the usual suspects, as in ps, dir, find, syslogd, top
> etc all having been replaced. Also, there were two new lines in the
> rc.sysinit script. One to launch xntps and one that ran /bin/badsh.
>
> The machine is obviously going to need a complete re-install. However, I
> would really like to figure out how someone got in. The machine was
> running the following items:
>
> NAME       VERSION   PORT
> apache     1.3.20    80
> ssh        2.1.1     22
> netatalk   1.4.99    548
> mysql      3.23.xx   3306
>
> There is also a new directory on the machine: /var/logs
>
> Inside of that is a directory named '...' (no quotes), inside of that
> are numerous files. Several of which appear to contain the info from the
> compromised machine scanning for ssh on other machines.
>
> The entries in that file look like this:
>
> xxx.xxx.xxx.xxx(domain.com):22 :SSH-1.5-1.2.30
>
> With the exception of the obviously changing ip and domain, the rest of
> that line is the same for every single line in all of those files. And
> there are a LOT of them. 100,000+
>
> These files are named: 1.2.26.txt, 1.2.30.txt, 1.txt, bla.txt and
> pis.txt.
>
> I copied those 'log' files to a separate machine and took the
> compromised machine off the network.
>
> The other files in that directory are: encrypt, scan, t0rnscan and
> t0rnscreen. There is also a sub-directory named 'stuff' that contains
> the following items: cleaner, mf, pico, sniffer, t0rnd and wget.
>
> Can anyone point me in a direction to try to figure out how someone got
> into this machine?
>
> Oh, the machine was running Red Hat 7.0. Kernel 2.2.16. It was NOT a
> default install, meaning we picked the stuff to install and only
> installed what we needed.
>
> Any thoughts or help would be greatly appreciated!
>
> Thanks.
>
> -- Jason
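An added example, not part of either message in this thread: a POSIX shell script that turns the advice in the reply into a repeatable check. It looks for the t0rn directories named above (/usr/src/.puta, /usr/info/.t0rn, and the /var/logs/... directory from the original report) under a suspect filesystem mounted on a clean host, and it filters `rpm -V` output down to files whose MD5 no longer matches the package database, which is how to confirm the trojaned ps, netstat and friends on a Red Hat 7.0 box before reinstalling procps, net-tools, telnetd, ssh and wu-ftpd. The mount point, the package names and the sample `rpm -V` lines are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example for the t0rn thread, not code from the original posts.
# Run it from a trusted system with the suspect disk mounted read-only,
# never with the compromised box's own ps/ls/rpm, which t0rn replaces.

# Directories the thread associates with the t0rn kit (whitespace-separated
# so a POSIX for-loop can split them). "var/logs/..." is the literal '...'
# directory from the original report.
T0RN_DIRS="usr/src/.puta usr/info/.t0rn var/logs/..."

# Print every t0rn artefact directory that exists under the given root.
check_t0rn_dirs() {
    root="$1"
    # $T0RN_DIRS is deliberately unquoted so it splits into one path per item.
    for d in $T0RN_DIRS; do
        if [ -d "$root/$d" ]; then
            echo "$root/$d"
        fi
    done
}

# Read `rpm -V` output on stdin and print the path of every file whose
# MD5 flag (third character of the flag string, e.g. "S.5....T") is set,
# plus files rpm reports as missing entirely. Mtime-only changes are ignored.
rpm_md5_changed() {
    awk '$1 == "missing" { print "MISSING " $NF; next }
         substr($1, 3, 1) == "5" { print $NF }'
}

# Constructed sample of what `rpm -V procps net-tools telnet-server initscripts`
# might print on a box with replaced binaries; not real output from the thread.
SAMPLE_RPM_V='S.5....T    /bin/ps
S.5....T    /bin/netstat
S.5....T  c /etc/rc.d/rc.sysinit
.......T  c /etc/printcap
S.5....T    /usr/sbin/in.telnetd
missing     /usr/bin/top'

# Demo: scan the root given in SUSPECT_ROOT (default "/") for t0rn
# directories, then filter the constructed rpm -V sample.
check_t0rn_dirs "${SUSPECT_ROOT:-/}"
printf '%s\n' "$SAMPLE_RPM_V" | rpm_md5_changed
```

Against a real image mounted at /mnt/suspect the invocation would be `SUSPECT_ROOT=/mnt/suspect sh t0rncheck.sh` followed by `rpm -V --root /mnt/suspect procps net-tools telnet-server openssh-server wu-ftpd | rpm_md5_changed`. Two caveats: the rpm database on the suspect disk can itself have been edited, so a clean verify only proves the attacker did not bother, not that the binaries are genuine; and the directory names are only the ones this thread mentions, so a clean result from `check_t0rn_dirs` does not rule out a variant of the kit.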