I know there is an exploit for certain versions of SSH. I am sure if you look around SF you can find out if you are vulnerable or not. Methinks that is probably how the 1 exploit having monkey got in. 1 exploit in the sense that he nailed your friend with his one l33t sploit and then began to scour the net looking for others running the same vulnerable version.
HTH,
Leon

-----Original Message-----
From: Jason Burfield [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 18, 2001 3:09 PM
To: [EMAIL PROTECTED]
Subject: t0rn help and questions...?

I'm sure someone here will have some insight on this...

A friend of mine has a Linux machine that has been rooted with the t0rn root kit. I found the usual suspects, as in ps, dir, find, syslogd, top etc. all having been replaced. Also, there were two new lines in the rc.sysinit script: one to launch xntps and one that ran /bin/badsh.

The machine is obviously going to need a complete re-install. However, I would really like to figure out how someone got in. The machine was running the following items:

NAME      VERSION   PORT
apache    1.3.20    80
ssh       2.1.1     22
netatalk  1.4.99    548
mysql     3.23.xx   3306

There is also a new directory on the machine: /var/logs. Inside of that is a directory named '...' (no quotes), and inside of that are numerous files, several of which appear to contain the info from the compromised machine scanning for ssh on other machines. The entries in that file look like this:

xxx.xxx.xxx.xxx(domain.com):22 :SSH-1.5-1.2.30

With the exception of the obviously changing IP and domain, the rest of that line is the same for every single line in all of those files. And there are a LOT of them: 100,000+. These files are named 1.2.26.txt, 1.2.30.txt, 1.txt, bla.txt and pis.txt. I copied those 'log' files to a separate machine and took the compromised machine off the network.

The other files in that directory are: encrypt, scan, t0rnscan and t0rnscreen. There is also a sub-directory named 'stuff' that contains the following items: cleaner, mf, pico, sniffer, t0rnd and wget.

Can anyone point me in a direction to try to figure out how someone got into this machine?

Oh, the machine was running Red Hat 7.0, kernel 2.2.16. It was NOT a default install, meaning we picked the stuff to install and only installed what we needed.

Any thoughts or help would be greatly appreciated!

Thanks.
--
Jason
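The two artefacts Jason describes, the extra lines in rc.sysinit and the scanner output under /var/logs/..., are both easy to triage from a copy taken off the box. The script below is an added example for this thread, not code from the compromised machine, from the t0rn kit, or from either poster. It parses scanner records in the `ip(domain):port :banner` shape quoted above, groups the scanned hosts by the SSH banner the scanner recorded (the per-version files 1.2.26.txt and 1.2.30.txt suggest the attacker was sorting targets this way), and flags rc.sysinit lines that mention xntps or /bin/badsh. The sample log lines and the rc.sysinit excerpt are constructed for the example; the indicator strings are the ones named in the post.

```python
"""Triage helpers for the t0rn artefacts described in the thread.

Added example, not code from the compromised host or the t0rn kit.
Sample inputs are constructed to match the formats quoted in the post.
"""
import re
from collections import defaultdict

# One scanner record per line, as quoted in the post:  ip(domain):port :banner
SCAN_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\((?P<host>[^)]*)\):(?P<port>\d+) :(?P<banner>\S.*)$"
)

# Constructed sample of the scan log (the real files held 100,000+ lines).
SAMPLE_SCAN_LOG = """\
10.0.0.5(mail.example.com):22 :SSH-1.5-1.2.30
10.0.0.9(www.example.org):22 :SSH-1.5-1.2.30
192.0.2.17(shell.example.net):22 :SSH-1.5-1.2.26
198.51.100.3():22 :SSH-1.99-OpenSSH_2.9p2
garbage line that should be skipped
"""


def parse_scan_log(text):
    """Return a list of (ip, host, port, banner) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            records.append((m["ip"], m["host"], int(m["port"]), m["banner"]))
    return records


def hosts_by_banner(records):
    """Group scanned IPs by the banner the scanner recorded.

    This is what you want when notifying the owners of scanned hosts, and it
    shows which software version the attacker was collecting targets for.
    """
    groups = defaultdict(list)
    for ip, _host, _port, banner in records:
        groups[banner].append(ip)
    return dict(groups)


def ssh_version(banner):
    """Split 'SSH-1.5-1.2.30' into (protocol, software) -> ('1.5', '1.2.30').

    Returns None for anything that is not an SSH identification string.
    """
    parts = banner.split("-", 2)
    if len(parts) == 3 and parts[0] == "SSH":
        return parts[1], parts[2]
    return None


# The two rc.sysinit additions named in the post.
RC_SYSINIT_INDICATORS = ("xntps", "/bin/badsh")

# Constructed excerpt of an rc.sysinit carrying both additions.
SAMPLE_RC_SYSINIT = """\
#!/bin/sh
# /etc/rc.d/rc.sysinit (constructed excerpt)
/sbin/xntps -q
action "Mounting local filesystems" mount -a
/bin/badsh
"""


def suspicious_rc_lines(text):
    """Return (line_number, line) for every line mentioning a known indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if any(ind in line for ind in RC_SYSINIT_INDICATORS):
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_SCAN_LOG)
    for banner, ips in sorted(hosts_by_banner(recs).items()):
        print(f"{banner}: {len(ips)} host(s)")
    for n, line in suspicious_rc_lines(SAMPLE_RC_SYSINIT):
        print(f"rc.sysinit line {n}: {line}")
```

Run it against the copied files rather than on the compromised host: with ps, find and friends replaced, nothing that box reports about itself can be trusted, which is why the copy to a separate machine was the right first move.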