Well, I have a box now that will need to be reloaded.

It seems I was a bit too slow on the ball updating my SSH server and we
got rooted.

This is just a heads-up that you might want to check out a few things
when you do your security audits...

The rootkit in question runs a generic trojan on port 999 which asks for
a password and then presumably gives out a root shell.  It's pretty
nasty, but not particularly professionally done.  In my case, the
cracker was kind enough to leave a copy of the original .tgz of his
rootkit on my system.

Here are some specifics of how this person got in and stayed in:

1. Got root shell via SSH1 CRC32 checksum bug.
2. Gave passwords to 4 system accounts and changed 2 user passwords.
3. Soft-linked /.bash_history to /dev/null (the original root shell
dumped into the / directory).
4. Got a real root shell and linked /root/bash_history to /dev/null.
5. Installed the rootkit.
6. The log "cleaner" killed syslog and hosed the ownership of most log
files.
7. Ran the trojan backdoor to get in again later.


The trojan replaced ps and netstat with its own versions, backing up the
original in a directory called .1 somewhere on the file system.  The
files for the rootkit were stored in /dev/.fd0 and sub-directories
thereof.

If there is enough interest, I can provide the kit that was used.  The
cracker who wrote it goes by the name of pHrail and claims membership in
a group called Division7.


Brian

---------------------------------------------------------------
|  [EMAIL PROTECTED]                Spam me and DIE!       |
|                 http://www.datasquire.net                   |
|                 Co-Founder & Co-Owner of                    |
|              Data Squire Internet Services                  |
---------------------------------------------------------------
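An audit script for the indicators Brian lists above, added here as an example and not part of the original post. Every function takes a root directory argument so it can be pointed at a mounted image as well as at /, and the locations it checks (hidden entries in /dev, a directory named .1, history files linked to /dev/null, /var/log ownership, and a tcp/999 listener read from /proc/net/tcp rather than from the replaced netstat) are assumed from the description in the mail.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths checked are the
# ones described in the mail (/dev/.fd0, a .1 backup dir, history links
# to /dev/null); $1 is the root to audit (/ or a mounted image).

# Hidden entries directly under $ROOT/dev (the kit lived in /dev/.fd0).
hidden_in_dev() {
    for e in "$1"/dev/.[!.]* "$1"/dev/..?*; do
        [ -e "$e" ] && echo "$e"
    done
    return 0
}

# Shell history files that are symlinks pointing at /dev/null.
history_to_devnull() {
    for f in "$1/.bash_history" "$1/root/.bash_history" "$1"/home/*/.bash_history; do
        [ -L "$f" ] || continue
        case "$(readlink "$f")" in
            */dev/null) echo "$f" ;;
        esac
    done
    return 0
}

# Directories named .1 anywhere on this filesystem (backup of real ps/netstat).
dot1_dirs() {
    find "$1" -xdev -type d -name .1 2>/dev/null
}

# Log files no longer owned by root (the "cleaner" hosed ownership).
logs_not_root_owned() {
    find "$1/var/log" -xdev -type f ! -user root 2>/dev/null
}

# Listener on TCP port $2, read straight from /proc/net/tcp because the
# kit replaced netstat. Local port is hex in column 2; state 0A is LISTEN.
# Prints matching local addresses; returns 0 if any found, 1 otherwise.
listener_on_port() {
    hexport=$(printf '%04X' "$2")
    awk -v p=":$hexport" '$2 ~ (p "$") && $4 == "0A" { print $2; found = 1 }
        END { exit !found }' "$1/proc/net/tcp" 2>/dev/null
}

run_audit() {
    echo "== hidden entries in /dev";            hidden_in_dev "$1"
    echo "== history linked to /dev/null";       history_to_devnull "$1"
    echo "== .1 directories";                    dot1_dirs "$1"
    echo "== /var/log files not owned by root";  logs_not_root_owned "$1"
    echo "== listener on tcp/999";               listener_on_port "$1" 999 || echo "(none)"
}

if [ "$#" -gt 0 ]; then run_audit "$1"; fi
```

Run it as `sh audit.sh /` on the suspect host, or against a mount point of its disk from a clean machine; a clean boot is the only way to trust ps output on a box whose ps was replaced.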

