[Nottingham] Rootkit/break in

Johannes Kling nottingham at mailman.lug.org.uk
Mon Aug 11 14:03:01 2003


Hello,

  Recently a customer's machine was cracked and had a (fairly clumsy)
rootkit installed on it. To clean the mess up, I reinstalled pretty
much all basic system binaries (ls, find, ps, kill, killall etc.), and
did some further investigation. However, I was unable to identify
exactly what rootkit was used. Google proved not helpful (both web
and groups) and chkrootkit couldn't quite decide either unfortunately,
so I was wondering if anybody else has seen this around before.

Here are more details:


The host box runs RedHat 7.3, uname -a is:
Linux XXXXXXX 2.4.18 #20 SMP Mon Aug 4 22:44:39 CDT 2003 i686 unknown

Aside from the usual breaking of find, ls, ps, etc. there were a few
more files installed:

==================================================================
  '/usr/bin/smbd -D' : (662395b size, 336990259f74c424ab7fff08ea14c434 md5sum)

This appeared to contain sshd, and, according to strings, had giveaway
lines like:

+-[ User Login Incoming ]----------- --- --- - -
| username: %s password: %s%s hostname: %s
+----------------------------------- ----- --- -- -- -


==================================================================
  '/usr/bin/crontabs' : (17803b size, 1f1fafc6f6b08295c1ff882c491060e2 md5sum)

A line was added to /etc/init.d/functions that read:
/usr/bin/crontabs -t1 -X53 -p

It calls 'smbd -D' (well, I assume so: strings showed '"smbd -D"'),
and presumably makes sure smbd\ -D gets restarted if
required. (Google for /usr/bin/crontabs . There should only be one
result, the contents of which I found rather amusing :-)

==================================================================
  '/usr/bin/(swapd)' : (11261b size, b41a4bb5027e59957aed39b201af95ee md5sum)

Interesting strings lines:

cant get SOCK_PACKET socket
cant get flags
cant set promiscuous mode
----- [CAPLEN Exceeded]
----- [Timed Out]
----- [RST]
----- [FIN]
eth0
tcp.log
cant open log

Given the usual things people would do, I think it's safe to guess
this is some sort of sniffer.

These three files are available at
http://www.printk.net/~jok/non-site/nottlug_rk_files.tgz , for those
who are interested.

Any insight would be greatly appreciated.

Regards,
  Johannes Kling
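An added example, not part of the original post: a small triage script a responder could run over a suspect /usr/bin and the text of /etc/init.d/functions to check for the indicators the post lists. The md5sums, file names, sniffer strings and the persistence line are the ones quoted in the post; the sample file tree built by build_sample_tree() and the init-script excerpt are constructed here for the demonstration (their hashes will not match the real ones, which is why the name and strings checks exist alongside the hash check).

```python
"""Post-compromise triage for the indicators described in the post.
Hashes, names, strings and the init.d line are taken from the post;
the sample tree and init-script excerpt below are constructed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# md5sums quoted in the post for the three dropped files
KNOWN_BAD_MD5 = {
    "336990259f74c424ab7fff08ea14c434": "'smbd -D' (backdoored sshd)",
    "1f1fafc6f6b08295c1ff882c491060e2": "crontabs (restarter)",
    "b41a4bb5027e59957aed39b201af95ee": "(swapd) (packet sniffer)",
}
# File names the post reports under /usr/bin. A genuine Samba install
# never has a file literally named "smbd -D"; the name mimics a ps line.
SUSPICIOUS_NAMES = {"smbd -D", "crontabs", "(swapd)"}
# strings output from the sniffer as quoted in the post
SNIFFER_MARKERS = [b"cant set promiscuous mode", b"SOCK_PACKET", b"tcp.log"]
# persistence line the post found added to /etc/init.d/functions
INIT_RE = re.compile(r"^\s*/usr/bin/crontabs\b.*$", re.M)


def md5_file(path):
    """md5 of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bin_dir(dirpath):
    """Return a list of (filename, reason) findings for one directory,
    checking file name, md5sum and embedded sniffer strings."""
    findings = []
    for entry in sorted(os.listdir(dirpath)):
        p = Path(dirpath) / entry
        if not p.is_file():
            continue
        if entry in SUSPICIOUS_NAMES:
            findings.append((entry, "name matches rootkit file name"))
        digest = md5_file(p)
        if digest in KNOWN_BAD_MD5:
            findings.append((entry, "md5 matches " + KNOWN_BAD_MD5[digest]))
        data = p.read_bytes()
        hits = [m.decode() for m in SNIFFER_MARKERS if m in data]
        if hits:
            findings.append((entry, "sniffer strings: " + ", ".join(hits)))
    return findings


def check_init_functions(text):
    """Return persistence lines found in the text of /etc/init.d/functions."""
    return [m.group(0).strip() for m in INIT_RE.finditer(text)]


def build_sample_tree():
    """Constructed sample: a fake /usr/bin with one clean and two bad files."""
    d = tempfile.mkdtemp(prefix="rk_demo_")
    (Path(d) / "ls").write_bytes(b"\x7fELF clean ls placeholder\n")
    (Path(d) / "(swapd)").write_bytes(
        b"\x7fELF cant get SOCK_PACKET socket\x00"
        b"cant set promiscuous mode\x00tcp.log\x00")
    (Path(d) / "crontabs").write_bytes(b"\x7fELF \"smbd -D\"\x00")
    return d


# Constructed excerpt of /etc/init.d/functions with the line the post saw
SAMPLE_INIT_FUNCTIONS = """\
# /etc/init.d/functions (constructed excerpt)
PATH=/sbin:/usr/sbin:/bin:/usr/bin
/usr/bin/crontabs -t1 -X53 -p
export PATH
"""

if __name__ == "__main__":
    d = build_sample_tree()
    for name, why in scan_bin_dir(d):
        print(f"{name}: {why}")
    for line in check_init_functions(SAMPLE_INIT_FUNCTIONS):
        print("persistence:", line)
```

On a real host, point scan_bin_dir at the mounted (ideally read-only, offline) filesystem rather than the live one, since the post's own finding is that ls, find and ps were replaced; a scan using the compromised box's tools can be lied to in exactly the way the rootkit intends. Comparing the md5sums against the package database (rpm -V on a RedHat 7.3 box) is the complementary check for the replaced system binaries.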