Sorry if this is too far off topic, but it seems to me the
kernel may be helping in this break-in, or maybe some magic
aspect of the filesystem.

I noted in an ls that

-rwxr-xr-x   1 root     root        36784 Jul 17 05:06 rpc.mountd*
-rwxr-xr-x   1 root     root         3368 Jul 17 05:06 rpc.nfsd*
-rwxr-xr-x   1 root     ftp            22 Sep  8 22:15 rpc.rcmd*
-rwxr-xr-x   1 root     root         9872 Jul 17 05:06 rpc.rquotad*
-rwxr-xr-x   1 root     root        13936 Feb  9  2000 rpc.rstatd*
-rwxr-xr-x   1 root     root         7952 Feb  9  2000 rpc.rusersd*
-rwxr-xr-x   1 root     root         6512 Feb 11  2000 rpc.rwalld*
-rwxr-xr-x   1 root     root        17624 Mar  7  2000 rpc.yppasswdd*
-rwxr-xr-x   1 root     root        23984 Mar  7  2000 rpc.ypxfrd*
-rwxr-xr-x   1 root     root        10692 Sep  5 16:03 rpcinfo*

Doesn't rpc.rcmd look a little suspicious?

And guess what it contains?

%cat /usr/sbin/rpc.rcmd
/usr/include/strlib.h

Hmmmm.

%ls -l /usr/include/strlib.h
-rwxr-xr-x   1 root     root        16768 Sep 16 09:55 /usr/include/strlib.h*

%file /usr/include/strlib.h
/usr/include/strlib.h: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped

%/usr/include/strlib.h
bind: Address already in use

Now watch this magic trick:

%mkdir foo
%cd foo
%touch strlib.h
%ls
%find . -print
.
./strlib.h
%

Get it?  strlib.h never appears in the file system via ls, wherever
it may be created.

More fun:

%echo hello >strlib.h
%ls
%cat strlib.h
hello
%

Pretty cool huh?

Let me know if you would like a copy of the code.

A quick strace shows that it binds to port 24000.

It also contains a list of 5 IP addresses.  I suspect it doesn't
broadcast, but allows people in from those IPs.

Anyone know what has happened?  I religiously install the Red Hat
updates, and am subscribed to the CERT advisories and install
the fixes the moment I get them.

The system was Red Hat 6.2, Linux 2.2.17pre14 at the time the
break-in occurred.

I've been running firewalled with only services I provide turned
on for access, and in /etc/inetd.conf.

What is keeping strlib.h from appearing in ls listings?  A hacked ls command?

-- 
Brian Litzinger <[EMAIL PROTECTED]>

    Copyright (c) 2000 By Brian Litzinger, All Rights Reserved
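The post ends on the question of whether a replaced ls binary is what hides strlib.h. The following is an added example, not code from the poster or from the rootkit being discussed, of the cross-check a practitioner would run to answer that question: enumerate a directory once through libc's readdir() (the path ls itself takes) and once through the raw getdents64 system call, and report any name the kernel returns that readdir() dropped. It also implements the "cat works but ls does not" symptom from the post as check_known(): stat() the suspected name directly and compare against the readdir() listing. The function names (list_raw, list_libc, find_hidden, check_known), the struct layout for getdents64 records, and the fixed-size name table are this example's own choices. Caveat, which matches the poster's own suspicion: a trojaned ls, a patched libc, or an LD_PRELOAD hook is caught by this, but a kernel module that filters getdents64 itself hides the name from both paths, and then only an offline inspection of the disk (booting clean media) will show it.

```c
/* Cross-check libc readdir() against the raw getdents64 syscall to
 * detect user-space file hiding (trojaned ls, patched libc, LD_PRELOAD).
 * Added example; assumes Linux with glibc. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>

#define MAX_NAMES 1024      /* assumed limit for this example */
#define NAME_LEN  256

/* Record layout the kernel writes for getdents64 (assumed from the
 * documented ABI; not taken from the post). */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

typedef struct { char name[MAX_NAMES][NAME_LEN]; int count; } namelist;

static void nl_add(namelist *nl, const char *n) {
    if (nl->count >= MAX_NAMES) return;
    strncpy(nl->name[nl->count], n, NAME_LEN - 1);
    nl->name[nl->count][NAME_LEN - 1] = '\0';
    nl->count++;
}

static int nl_has(const namelist *nl, const char *n) {
    for (int i = 0; i < nl->count; i++)
        if (strcmp(nl->name[i], n) == 0) return 1;
    return 0;
}

/* Enumerate via the raw syscall: bypasses libc, so a readdir() hook or
 * a replaced ls cannot filter it. Returns count, or -1 on open failure. */
int list_raw(const char *dir, namelist *out) {
    char buf[32768];
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    out->count = 0;
    if (fd < 0) return -1;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n <= 0) break;                 /* 0: end of directory, <0: error */
        for (long off = 0; off < n;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + off);
            nl_add(out, d->d_name);
            off += d->d_reclen;
        }
    }
    close(fd);
    return out->count;
}

/* Enumerate via libc readdir(), the path ls uses. */
int list_libc(const char *dir, namelist *out) {
    DIR *dp = opendir(dir);
    struct dirent *e;
    out->count = 0;
    if (!dp) return -1;
    while ((e = readdir(dp)) != NULL) nl_add(out, e->d_name);
    closedir(dp);
    return out->count;
}

/* Names the kernel reports that readdir() omitted. Returns the count,
 * or -1 if the directory could not be read. */
int find_hidden(const char *dir, namelist *hidden) {
    namelist raw, lib;
    hidden->count = 0;
    if (list_raw(dir, &raw) < 0 || list_libc(dir, &lib) < 0) return -1;
    for (int i = 0; i < raw.count; i++)
        if (!nl_has(&lib, raw.name[i])) nl_add(hidden, raw.name[i]);
    return hidden->count;
}

/* The post's symptom: 1 if dir/name stat()s fine but readdir() never
 * lists it; 0 otherwise (including "does not exist at all"). */
int check_known(const char *dir, const char *name) {
    char path[4096];
    struct stat st;
    namelist lib;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (stat(path, &st) != 0) return 0;
    if (list_libc(dir, &lib) < 0) return 0;
    return nl_has(&lib, name) ? 0 : 1;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : ".";
    namelist hidden;
    int n = find_hidden(dir, &hidden);
    if (n < 0) { perror(dir); return 1; }
    for (int i = 0; i < n; i++)
        printf("hidden from readdir(): %s/%s\n", dir, hidden.name[i]);
    if (argc > 2 && check_known(dir, argv[2]))
        printf("%s/%s exists (stat) but readdir() omits it\n", dir, argv[2]);
    return n > 0 ? 2 : 0;
}
```

Usage: compile it on a machine you trust (the compiler and libc on the compromised host may be suspect too), copy the static binary over, then run `./rkchk /usr/include strlib.h` and `./rkchk /tmp/foo strlib.h`. A non-empty "hidden from readdir()" list points at libc or an LD_PRELOAD hook; a hit from check_known() with an empty hidden list points at ls itself being replaced; no output at all while `cat strlib.h` still works means the filtering is below the syscall boundary, i.e. in the kernel.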