Hi there, recently we came across some systems infected with an old worm/backdoor, Solaris/Wanuk.A (or "Solaris.Wanukdoor" or "Solaris.Wanuk.Worm"). The backdoor can be installed because of a bug in the Solaris in.telnetd[0], and when I looked at the rkhunter site it said "detects TBD (Telnet BackDoor)", but it wouldn't detect Solaris/Wanuk.A.
The patch attached tries to remediate that. I've also put a few weblinks about this backdoor (and its worm, using this backdoor) at the end of the mail. However, there's one more thing this worm does: it installs a cronjob (running every night at 01:10 am), and I could not find a rkhunter routine to check for "suspicious cronjobs". Would adding such a routine still be within the scope of rkhunter? Thanks, Christian.
# Solaris.Wanukdoor
# http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-022810-0202-99
# Solaris.Wanuk.Worm
# http://www.symantec.com/business/security_response/writeup.jsp?docid=2007-022810-3637-99
# Worm:Solaris/Wanuk.A
# http://www.f-secure.com/v-descs/worm_solaris_wanuk_a.shtml
[0] http://sunsolve.sun.com/search/document.do?assetkey=201391
http://www.securityfocus.com/bid/22512
backdoorports.dat | 1
rkhunter | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 97 insertions(+), 3 deletions(-)
--- rkhunter-cvs/files/rkhunter 2010-01-30 20:00:48.574714348 +0100
+++ rkhunter-cvs/files/rkhunter.edited 2010-01-30 19:58:51.493360000 +0100
@@ -5877,6 +5877,90 @@ do_system_check_initialisation() {
 TBD_DIRS=
 TBD_KSYMS=
+ # Solaris/Wanuk
+ WANUK_FILES="${RKHROOTDIR}/var/adm/.adm
+ ${RKHROOTDIR}/var/adm/.i86pc
+ ${RKHROOTDIR}/var/adm/sa/acctadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/acctadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/bootadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/cfgadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/consadmd
+ ${RKHROOTDIR}/var/adm/sa/.adm/.crontab
+ ${RKHROOTDIR}/var/adm/sa/.adm/cryptoadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/devfsadmd
+ ${RKHROOTDIR}/var/adm/sa/.adm/dladm
+ ${RKHROOTDIR}/var/adm/sa/.adm/.i86pc
+ ${RKHROOTDIR}/var/adm/sa/.adm/inetadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/kadmind
+ ${RKHROOTDIR}/var/adm/sa/.adm/logadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/.lp-door.i86pc
+ ${RKHROOTDIR}/var/adm/sa/.adm/.lp-door.sun4
+ ${RKHROOTDIR}/var/adm/sa/.adm/metadevadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/nlsadmin
+ ${RKHROOTDIR}/var/adm/sa/.adm/routeadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/sacadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/sadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/.sun4
+ ${RKHROOTDIR}/var/adm/sa/.adm/svcadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/sysadm
+ ${RKHROOTDIR}/var/adm/sa/.adm/syseventadmd
+ ${RKHROOTDIR}/var/adm/sa/.adm/ttyadmd
+ ${RKHROOTDIR}/var/adm/sa/.adm/uadmin
+ ${RKHROOTDIR}/var/adm/sa/.adm/zoneadmd
+ ${RKHROOTDIR}/var/adm/sa/bootadm
+ ${RKHROOTDIR}/var/adm/sa/cfgadm
+ ${RKHROOTDIR}/var/adm/sa/consadmd
+ ${RKHROOTDIR}/var/adm/sa/cryptoadm
+ ${RKHROOTDIR}/var/adm/sa/devfsadmd
+ ${RKHROOTDIR}/var/adm/sa/dladm
+ ${RKHROOTDIR}/var/adm/sa/.i86pc
+ ${RKHROOTDIR}/var/adm/sa/inetadm
+ ${RKHROOTDIR}/var/adm/sa/kadmind
+ ${RKHROOTDIR}/var/adm/sa/logadm
+ ${RKHROOTDIR}/var/adm/sa/metadevadm
+ ${RKHROOTDIR}/var/adm/sa/nlsadmin
+ ${RKHROOTDIR}/var/adm/sa/routeadm
+ ${RKHROOTDIR}/var/adm/sa/sacadm
+ ${RKHROOTDIR}/var/adm/sa/sadm
+ ${RKHROOTDIR}/var/adm/sa/.sun4
+ ${RKHROOTDIR}/var/adm/sa/svcadm
+ ${RKHROOTDIR}/var/adm/sa/sysadm
+ ${RKHROOTDIR}/var/adm/sa/syseventadmd
+ ${RKHROOTDIR}/var/adm/sa/ttyadmd
+ ${RKHROOTDIR}/var/adm/sa/uadmin
+ ${RKHROOTDIR}/var/adm/sa/zoneadmd
+ ${RKHROOTDIR}/var/adm/.sun4
+ ${RKHROOTDIR}/var/spool/lp/admins/lpadmin
+ ${RKHROOTDIR}/var/spool/lp/admins/lpc
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/.crontab
+ ${RKHROOTDIR}/var/spool/lp/admins/lpd
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp-door.i86pc
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp-door.sun4
+ ${RKHROOTDIR}/var/spool/lp/admins/lpfilter
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpadmin
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpc
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpd
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/.lp-door.i86pc
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/.lp-door.sun4
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpfilter
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpmove
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpsched
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpshut
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpstat
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpsystem
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp/lpusers
+ ${RKHROOTDIR}/var/spool/lp/admins/lpmove
+ ${RKHROOTDIR}/var/spool/lp/admins/lpsched
+ ${RKHROOTDIR}/var/spool/lp/admins/lpshut
+ ${RKHROOTDIR}/var/spool/lp/admins/lpstat
+ ${RKHROOTDIR}/var/spool/lp/admins/lpsystem
+ ${RKHROOTDIR}/var/spool/lp/admins/lpusers"
+ WANUK_DIRS="${RKHROOTDIR}/var/adm/sa
+ ${RKHROOTDIR}/var/adm/sa/.adm
+ ${RKHROOTDIR}/var/spool/lp/admins
+ ${RKHROOTDIR}/var/spool/lp/admins/.lp"
+ WANUK_KSYMS=
+
 # TeLeKiT Rootkit
 TELEKIT_FILES="${RKHROOTDIR}/usr/man/man3/.../TeLeKiT/bin/sniff
@@ -6421,7 +6505,7 @@ do_system_check_initialisation() {
 # Integrity tests
 STRINGS_INTEGRITY="${BOBKIT_FILES} ${BOBKIT_DIRS} ${CINIK_FILES} ${CINIK_DIRS} ${DICA_FILES} ${FREEBSD_RK_FILES}
- ${TBD_FILES} ${TORN_FILES} ${TORN_DIRS}"
+ ${TBD_FILES} ${TORN_FILES} ${TORN_DIRS} ${WANUK_FILES} ${WANUK_DIRS}"
 SNIFFER_FILES="${RKHROOTDIR}/usr/lib/libice.log
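Review bot: The two `.crontab` entries in WANUK_FILES (`/var/adm/sa/.adm/.crontab` and `/var/spool/lp/admins/.lp/.crontab`) only catch the dropped crontab file; the cron entry the cover mail says the worm installs in the system crontab is not examined by this hunk, so a host where the dropper files were cleaned but the cron entry survived would still pass this check. Since `# Solaris/Wanuk` is the only documentation of the block, I would widen it to state the scope: `# Solaris/Wanuk worm/backdoor (in.telnetd): known file and directory paths only; the cron entry it installs is not checked here`. The label is also spelled three ways across the patch, `Solaris/Wanuk` here, `Solaris Wanuk` in the KNOWN_ROOTKITS and backdoorports.dat hunks, and `WANUK Rootkit` in SCAN_ROOTKIT, so the name printed in the log will not match the name listed as supported; pick one spelling for all of them. do_system_check_initialisation() starts and ends outside this hunk.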
@@ -9019,6 +9103,14 @@ rootkit_file_dir_checks() {
 SCAN_DIRS=${TBD_DIRS}
 SCAN_KSYMS=${TBD_KSYMS}
 scanrootkit
+
+ # Solaris Wanuk
+
+ SCAN_ROOTKIT="WANUK Rootkit"
+ SCAN_FILES=${WANUK_FILES}
+ SCAN_DIRS=${WANUK_DIRS}
+ SCAN_KSYMS=${WANUK_KSYMS}
+ scanrootkit
 # TeLeKiT Rootkit
@@ -13949,8 +14041,9 @@ KNOWN_ROOTKITS='55808 Trojan - Variant A
 ld-linuxv.so, Li0n Worm, Lockit / LJK2, Mood-NT, MRK, Ni0, Ohhara, Optic Kit (Tux), OSX, Oz, Phalanx, Phalanx2, Portacelo, R3dstorm Toolkit, RH-Sharpe'"'"'s, RSHA'"'"'s, Scalper Worm, Shutdown, SHV4, SHV5, Sin, SInAR, Slapper, Sneakin, Spanish, Suckit, SunOS / NSDAP,
- SunOS Rootkit, Superkit, TBD (Telnet BackDoor), TeLeKiT, T0rn, trNkit, Trojanit Kit, Tuxtendo, URK,
- Vampire, VcKit, Volc, w00tkit, weaponX, Xzibit, X-Org SunOS, zaRwT.KiT, ZK'
+ SunOS Rootkit, Superkit, TBD (Telnet BackDoor), Solaris Wanuk, TeLeKiT, T0rn, trNkit,
+ Trojanit Kit, Tuxtendo, URK, Vampire, VcKit, Volc, w00tkit, weaponX, Xzibit, X-Org SunOS,
+ zaRwT.KiT, ZK'
 # The program defaults of which tests to perform will be set later.
 ENABLE_TESTS=""
--- rkhunter-cvs/files/backdoorports.dat 2010-01-30 19:47:34.533361231 +0100
+++ rkhunter-cvs/files/backdoorports.dat.edited 2010-01-30 19:48:38.795863385 +0100
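Review bot: `Solaris Wanuk` is inserted between `TBD (Telnet BackDoor)` and `TeLeKiT`, but the surrounding KNOWN_ROOTKITS text (`Slapper, Sneakin, Spanish, Suckit, SunOS / NSDAP, SunOS Rootkit, Superkit, TBD ...`) is kept in alphabetical order, so the entry belongs after `Sneakin` on the preceding context line: `Slapper, Sneakin, Solaris Wanuk, Spanish, Suckit, SunOS / NSDAP,`. Moving it there also means the three removed lines can stay as they were instead of being rewrapped. If this string is what rkhunter prints when asked to list the rootkits it knows, the out-of-order entry is what users will see when checking whether Wanuk is covered.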
@@ -22,6 +22,7 @@ Version:2009110901
 25000:Possible Universal Rootkit (URK) component:TCP:
 29812:FreeBSD (FBRK) Rootkit default backdoor port:TCP:
 31337:Historical backdoor port:TCP:
+32982:Solaris Wanuk:TCP:
 33369:Volc Rootkit SSH server (divine):TCP:
 47107:T0rn:TCP:
 47018:Possible Universal Rootkit (URK) component:TCP:
-- BOFH excuse #198: Post-it Note Sludge leaked into the monitor.
------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
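Review bot: The data file's `Version:2009110901` stamp, visible as this hunk's context header, is not bumped although a record is added; if the updater decides whether to refresh backdoorports.dat by comparing that stamp, installations carrying the old file will keep missing port 32982 until someone else bumps it. I would change it in the same patch to a date-based value such as `Version:2010013001` (constructed from the patch date; use whatever the project's convention is). The record's description `Solaris Wanuk` matches the KNOWN_ROOTKITS wording, which is good; a slightly fuller text like `32982:Solaris Wanuk worm/backdoor:TCP:` would tell an operator what a hit on this port means without a lookup.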