Greetings folks; In doing some checking of a web server, we found an irc port open on 31377, one of the black hatters favorites. A port that portsentry was supposed to be rejecting but wasn't. We stumbled over several items over the last few days, but the most obvious one was a directory called .sk, located in /usr/share/misc. Its payload seemed fairly simple, to make an underground irc chat server out of the box. It does this with a shell script that echos several kilobytes of octal strings to gzip in the unpack mode > to a file in the local directory called .sk, and it contains a login replacement also. We did not find that login was the one installed however. Which may be a clue that theres even more smoke in this camp than what we've found yet. The execution installs it by cp .sk /usr/bin/apmd, but puts it in /usr/bin as opposed to the real apmd's location of /usr/sbin, and adds a starter line so its enabled on boot to something we haven't found yet. It also appears to start a third instance of portsentry somehow. We've cut our bandwidth use in half by getting rid of that. We also checked the logs and added several dozen more addresses to /etc/hosts.deny, including many script based password guess attempts that didn't get in. And put portsentry in its most paranoid anal mode with a few additions yet. Just thought everybody would like to know about this bit of black hat tomfoolery. -- Cheers, Gene People having trouble with vz bouncing email to me should add the word 'online' between the 'verizon', and the dot which bypasses vz's stupid bounce rules. I do use spamassassin too. :-) Yahoo.com and AOL/TW attorneys please note, additions to the above message by Gene Heskett are: Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
