Gene Heskett wrote:
Greetings folks;
In doing some checking of a web server, we found an irc port open on
31377, one of the black hatters favorites. A port that portsentry was
supposed to be rejecting but wasn't.
We stumbled over several items over the last few days, but the most
obvious one was a directory called .sk, located in /usr/share/misc.
Its payload seemed fairly simple, to make an underground irc chat server
out of the box.
It does this with a shell script that echos several kilobytes of octal
strings to gzip in the unpack mode > to a file in the local directory
called .sk, and it contains a login replacement also. We did not find
that login was the one installed however. Which may be a clue that
theres even more smoke in this camp than what we've found yet.
The execution installs it by cp .sk /usr/bin/apmd, but puts it
in /usr/bin as opposed to the real apmd's location of /usr/sbin, and
adds a starter line so its enabled on boot to something we haven't
found yet. It also appears to start a third instance of portsentry
somehow.
We've cut our bandwidth use in half by getting rid of that. We also
checked the logs and added several dozen more addresses
to /etc/hosts.deny, including many script based password guess attempts
that didn't get in. And put portsentry in its most paranoid anal mode
with a few additions yet.
Just thought everybody would like to know about this bit of black hat
tomfoolery.
Thanks for the heads-up! Does rkhunter find this crap ?
Regards,
John
