[Nottingham] Rootkit/break in
Johannes Kling
nottingham at mailman.lug.org.uk
Tue Aug 12 12:18:01 2003
Hello,
> Have you any more evidence that this machine was cracked?
Yes. More files surfaced:
/tmp/sand/ava (google seems to suggest Adore, an LKM kit based on this)
/tmp/sand/chattr.tgz
/tmp/sand/informatii
/tmp/sand/install
/tmp/sand/kde.c
/tmp/sand/mail
/tmp/sand/pico.tgz
/tmp/sand/sshd
/tmp/sand/sysinfo
/tmp/sand/wget.tgz
/usr/bin/lpi: short shell script:
#!/bin/sh
bb=`pwd`
cd /usr/bin
"(swapd)" &
cd $bb
/usr/bin/logclear: another shell script
killall -9 /usr/bin/"(swapd)"
rm -rf /usr/bin/tcp.log
touch /usr/bin/tcp.log
"(swapd)" >tcp.log &
/usr/bin/sense: a longer shell script, identifying itself on line two
# Sorts the output from LinSniffer 0.03 [BETA] by Mike Edulla <medulla@infosoc.com>
This actually provided the first tangible hint as to what was used.
> If chkrootkit is indecisive (how did it fail BTW?)
It reported a few files as infected, then hung on testing for
particular rootkits (hung as in made no visible progress for ~30
mins). I'll admit that I wasn't as careful as I could've been in
"fixing" as little as possible before running again (and again, until
it finally decided to run to completion).
> I would think more in terms of file system corruption
Unless it chose to corrupt in a very determined fashion, this is
definitely not the problem.
Since I have something to go on now, I'll hopefully have a better idea
about what was going on. If anyone has any more ideas however, I'd
still be grateful :-).
Regards,
Johannes Kling
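As an added triage helper (not part of Johannes' mail, and not a tool from the list): a POSIX shell snippet that checks a filesystem root and saved `ps` / interface listings for the artifacts named in the mail, i.e. the /tmp/sand drop directory, the lpi/logclear/sense wrappers, the tcp.log sniffer output, the "(swapd)" process name and a promiscuous interface. The function names and the sample listings are assumptions of this example.

```shell
#!/bin/sh
# Triage checks for the artifacts described in the mail (added example).
# Paths and the "(swapd)" name come from the mail; function names are assumed.

# Dropper directory, wrapper scripts and sniffer log named in the mail.
INDICATOR_PATHS="/tmp/sand /usr/bin/lpi /usr/bin/logclear /usr/bin/sense /usr/bin/tcp.log"

# check_paths ROOT: print every indicator path present under ROOT
# (ROOT=/ on the live box, or the mount point of an image under examination).
# Returns 0 if at least one artifact was found, 1 if none.
check_paths() {
    root=${1%/}
    found=1
    for p in $INDICATOR_PATHS; do
        if [ -e "$root$p" ]; then
            echo "artifact present: $root$p"
            found=0
        fi
    done
    return $found
}

# check_sense_sig FILE: the sorter script identifies itself in a comment
# ("Sorts the output from LinSniffer ..."), so match on that banner rather
# than on the file name, which an intruder can change freely.
check_sense_sig() {
    grep -q 'LinSniffer' "$1" 2>/dev/null
}

# check_procs PSFILE: the lpi wrapper starts the sniffer under the name
# "(swapd)" in the background; scan a saved `ps axww` listing for it.
# Kernel threads show as [kswapd0] in brackets, so parentheses are the tell.
check_procs() {
    grep -F -q '(swapd)' "$1"
}

# check_promisc IFFILE: a sniffer needs an interface in promiscuous mode;
# scan saved `ifconfig -a` or `ip link` output for the PROMISC flag.
check_promisc() {
    grep -q 'PROMISC' "$1"
}

# Typical use on the affected host:
#   check_paths / ; check_sense_sig /usr/bin/sense
#   ps axww > /tmp/ps.txt ; check_procs /tmp/ps.txt
#   ip link > /tmp/if.txt ; check_promisc /tmp/if.txt
```

Run the checks against a copied or mounted image rather than trusting binaries on the compromised host, since an LKM kit can hide files and processes from the live system.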