Re: rootkit?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Gene Heskett wrote:
A friend of mine just reported he has been rooted, and his machine was spewing spam in the name of the colonial bank.

The name of the tar.gz file found in the /tmp dir that seems to be the src of all the other oddball stuff is wam.tar.gz.

The box is running fedora core 3, and the router has a switch on the lan side along with a windows box that also up. Anything that comes into the router on port 22 gets forwarded to this linux box.

This wam.tar.gz file contains virtually everything needed to rootkit a machine, including a password cracker, and several lists of email address lists totalling about 23,000 addresses.

FWIW, chkrootkit didn't find it!

Whats the general removal procedure for this, and better yet, how did they get in?


I've seen two fractured boxes; one had root, the other not. You don't need root (and the culprit who got root would have been better without it, he fscked the system so it wouldn't run).

On the other, the culprit took over a a user account, and his mistake was to change the user password; the user promptly complained she couldn't check mail.

The first, pretty much all /bin and /sbin was broken and reinstall required.

The second, all that was required was a reboot (quick and easy way to ensure processes got clobbered, and there's no magic way to restart them), remove culprit's ssh keys and establish a better password.


Since the culprit's given you (at least part of) the rootkit, examine it to see what it does.

Examine ~/.bash_history for the borked account to see whether you can see what was done. Mine was very interesting, and quite amusing: the kit emailed the IP address of eth0 off to someone@yahoo (so yahoo might have been interested): eth0 had a 192.168.0.x address, so that wasn't going to be useful.

Also, binaries were for RHL 7.x and hence didn't work so well on Debian.



--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxxxxxxxxx
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

do not reply off-list


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux