On Fri, 2006-03-31 at 13:02 -0500, Gene Heskett wrote: > Greetings folks; > In doing some checking of a web server, we found an irc port open on > 31377, one of the black hatters favorites. A port that portsentry was > supposed to be rejecting but wasn't. > We stumbled over several items over the last few days, but the most > obvious one was a directory called .sk, located in /usr/share/misc. Your subject says "new rootkit" but you haven't said anything about a "root kit" per se, just a backdoor. That ".sk" directory could be (sounds like) the SK rootkit but I would not have expected you to find it so easily (unless you used something like chrootkit or rkhunter). If you haven't run them, run both chrootkit and rkhunter and let us know what they turn up. They will identify, by name, rootkits they find. If you turned that rootkit so easily, it's entirely possible that you've still got a rootkit on there that IS effectively hiding itself (essence of a rootkit is "stealth", not just hiding in a . directory). Both are available in FC Extras. I can highly recommend them both. > Its payload seemed fairly simple, to make an underground irc chat server > out of the box. > > It does this with a shell script that echos several kilobytes of octal > strings to gzip in the unpack mode > to a file in the local directory > called .sk, and it contains a login replacement also. We did not find > that login was the one installed however. Which may be a clue that > theres even more smoke in this camp than what we've found yet. > > The execution installs it by cp .sk /usr/bin/apmd, but puts it > in /usr/bin as opposed to the real apmd's location of /usr/sbin, and > adds a starter line so its enabled on boot to something we haven't > found yet. It also appears to start a third instance of portsentry > somehow. > > We've cut our bandwidth use in half by getting rid of that. We also > checked the logs and added several dozen more addresses > to /etc/hosts.deny, including many script based password guess attempts > that didn't get in. And put portsentry in its most paranoid anal mode > with a few additions yet. > > Just thought everybody would like to know about this bit of black hat > tomfoolery. > > -- > Cheers, Gene > People having trouble with vz bouncing email to me should add the word > 'online' between the 'verizon', and the dot which bypasses vz's > stupid bounce rules. I do use spamassassin too. :-) > Yahoo.com and AOL/TW attorneys please note, additions to the above > message by Gene Heskett are: > Copyright 2006 by Maurice Eugene Heskett, all rights reserved. > -- Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw WittsEnd com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Description: This is a digitally signed message part