
Re: [cobalt-users] CHkrootkit output



> > > > Subject: Re: [cobalt-users] CHkrootkit output
> > > >
> > > >
> > > > > >
> > > > > > I believe that machine has been hacked. Is cron doing weird stuff?
> > > > > > Other processes like devine?
> > > > >
> > > > >
> > > > > And your conclusion is based on ??
> > > > Seeing it first hand. Some notes..
> > > > Cron will work. Turning it off is the problem, a process called devine
> > > > will pop up usually once a day and stay running. It's nasty. Believe it
> > > > can sniff the username and pw of clients' isp logins besides the system
> > > > passwords. They used a wget from the server to download it from a free
> > > > isp in europe.
> > > > They entered through a script called phpnuke one time and cgi (forgot
> > > > the name) on another raq4. Other than those notes it ran fine. It also
> > > > searches files for cc numbers, email addresses and any ftp user
> > > > connections from any scripts.
> > > > Once I saw that, it went offline. A reboot usually starts the ball
> > > > rolling if I remember right, then clients can be locked out of shell and
> > > > ftp along with the admin. Mods to the hosts.deny and allow files.
> > > >
> > > > > Cron is fully operational and normal.
> > > > >
> > > > > No strange processes
> >
> > Google T0rn Rootkit. I think that is part of the package that was installed.
> > I'll try to find my notes.
>
> BTW, Can anyone share the fix to keep the below out of chkrootkit's output?
>
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Jcode/.packlist
> /usr/lib/perl5/5.00503/i386-linux/.packlist
>
> or with the latest MySql,
>
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/DBI/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Msql-Mysql-modules/.packlist
> /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Jcode/.packlist
> /usr/lib/perl5/5.00503/i386-linux/.packlist
>
> >
Evidence:
[t0rn ASCII-art banner: "design by j0hnny7 / zho-d0h" ... "there is no stopping, what can't be stopped..."]
             -----[ version 6.66 .. 2308200 .. torn@xxxxxxxxxxxxxxxxxxxx ]----



-|  Ok a bit about the kit... Version based on lrk style trojans
-|  made up from latest linux sources .. special thanks to
-|  k1ttykat/j0hnny7 for this..

-|  First rootkit of its kind that is all precompiled and yet allows
-|  you to define a password.. password is stored in a external encrypted
-|  file. The trojans using this are login/ssh/finger ..

-|  This kit was designed with the main idea of being portable and quick
-|  to be mainly used for mass hacking linux's, hence the precompiled bins.

-|  Usage : ./t0rn <password> <ssh-port>

-|  <password>
-|  ----------
-|  this will be the new ssh and login password
-|  to use it with login u must...

-|  [login]

-|  * the default password is "t0rnkit"
-|  bash# export DISPLAY=t0rnkit-looser
-|  bash# telnet tornkit.com
-|  Trying 127.0.0.1...
-|  Linux 2.2.16 (tornkit.com)

-|  login: torn <this can be anything>
-|  Password:arf
-|  bash#

-|  [ssh]

-|  * the default port is 47017

-|  ssh -l t0rnkit-looser -p <ssh-port>

-|  <ssh-port>
-|  since this version you can now change ur ssh port as well..
-|  so..

-| ssh -l <login> -p <ssh-port>

-| [finger]
-| finger password@xxxxxxxxxxx
-| this adds a simple inetd bindshell..
-| then .. telnet to host on 2555


-| <files>
-|  -------
-| ok our hidden dir for this version is ... /usr/src/.puta
-| file hiding still similar to lrk...

-| .1file <- files ... echo "filename" >> /usr/src/.puta/.1file
-| .1proc <- proc's to hide - "t0rn*" is hidden by default
-| .1addr <- lrk style address hiding from netstat...

-| <more about the files in .puta>
-| ------------------------------
-| 't0rnsb' - sauber by socked - log cleaner
-| 't0rns' - standard linux sniffer
-| 't0rnp' - snifferlog parser


-| <patching>
-| ----------

-| current patches include a very stupid wuftpd patch.. and a
-| rpm -U statd patch..


-| <Gr33tz !!@!~! oh how can we forget this>
-| -----------------------------------------

-| fly out to in no particular order...
-| X-ORG/etC!/m0s/Blackhand/tnt/APACHE/sv3ta/Sl|der/dor/angelz/
-| Annihilat/Unkn0wn/j0hnny7/k1ttykat/_random/dR_hARDY/
-| Cvele/DR_SNK/flyahh/sensei/snake/#etcpub and everyone i forgot... innit.
-| and a special greeet goes out to mah babehh xeni !


------ [ EOF ] ------------------------------------------------------------

> > > >   David Hahn
> > > >   PageKeeper Service
> > > >   1512 Deborah Road #102
> > > >   Rio Rancho, New Mexico 87124 US
> > > >   505-892-8723
> > > >   http://www.pagekeeperservice.com
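An added example, not from this thread or from chkrootkit, that serves two points above: keeping the quoted Perl `.packlist` paths out of chkrootkit's "suspicious files" output by exact allowlist match (so any other dotfile dropped beside them is still reported), and checking a filesystem for the t0rn artifacts the pasted readme names under /usr/src/.puta. The PREFIX argument and the sample output lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or chkrootkit): allowlist filter for the
# .packlist lines quoted above, plus a check for the t0rn artifacts the pasted
# readme names. PREFIX (assumption) lets the check run against a mounted image.
KNOWN_PACKLISTS='/usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/DBI/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Msql-Mysql-modules/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Jcode/.packlist
/usr/lib/perl5/5.00503/i386-linux/.packlist'
# Constructed sample output: two known .packlist lines, one unexpected dotfile.
SAMPLE_OUTPUT='Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
/usr/lib/perl5/5.00503/i386-linux/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.1proc'
# is_known_packlist PATH: true only for an exact allowlisted path.
is_known_packlist() {
    printf '%s\n' "$KNOWN_PACKLISTS" | grep -qxF "$1"
}
# filter_suspicious: stdin -> stdout minus allowlisted paths; any other
# dotfile in the same directories is still reported.
filter_suspicious() {
    while IFS= read -r line; do
        case "$line" in
            /*) is_known_packlist "$line" || printf '%s\n' "$line" ;;
            *)  printf '%s\n' "$line" ;;
        esac
    done
}
# check_t0rn PREFIX: print each t0rn artifact found under PREFIX;
# return 1 if any exists, 0 if none.
check_t0rn() {
    found=0
    for f in .puta .puta/.1file .puta/.1proc .puta/.1addr \
             .puta/t0rnsb .puta/t0rns .puta/t0rnp; do
        if [ -e "$1/usr/src/$f" ]; then
            printf 't0rn artifact present: %s\n' "$1/usr/src/$f"
            found=1
        fi
    done
    return $found
}
# Usage: printf '%s\n' "$SAMPLE_OUTPUT" | filter_suspicious; check_t0rn ""
```

Presence of /usr/src/.puta is one indicator only; a kit that hides files via trojaned ls will not show it from the live system, so run the check against a mounted image or a trusted boot.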