
Re: hpd, afb, sc, and sn

From: Greg Barnes <greg(at)ins.com>
Date: Fri Dec 20 2002 - 17:19:04 EST

Gordon,

Check out:
http://www.ebagu.com/hacked.html

Friday, December 20, 2002, 3:11:31 PM, you wrote:

GC> I found suspicious looking files on a Redhat 7.1 Linux server earlier
GC> today. Can anyone confirm or deny that the machine has been hacked?

GC> The files:
GC> /usr/bin/hpd
GC> /usr/bin/afb
GC> /usr/bin/sn

GC> The following line is in /etc/rc.local:
GC> /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null

GC> The contents of hpd are:
GC> #!/bin/sh
GC> /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
GC> /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null

GC> nmap reports the following ports open:
GC> Port       State       Service
GC> 5/tcp      open        rje
GC> 22/tcp     open        ssh
GC> 25/tcp     open        smtp
GC> 53/tcp     open        domain
GC> 80/tcp     open        http
GC> 111/tcp    open        sunrpc
GC> 443/tcp    open        https
GC> 808/tcp    open        unknown
GC> 1024/tcp   open        kdm
GC> 3306/tcp   open        mysql
GC> 7000/tcp   open        afs3-fileserver
GC> 8009/tcp   open        ajp13

GC> According to an rpm -V, all kinds of binaries have been changed: ps,
GC> top, netstat, ifconfig, ...

GC> I copied a good version of ps in and found the two afb processes
GC> running.

Do you need help?

GC> Anyone know about this hack, what afb does and/or how they usually get
GC> in?

GC> Embarrassedly,
GC> -Gordon

-

Regards,

Greg Barnes       DotDot: greg at ins.com
CISA/CISSP       RingRing:  918-630-3228
CCSA/CCSE       BeepBeep:  800-467-1467

"But, alas, how frequently, how almost
universal it is in an author to persuade himself of the truth of his own dogmas."

                     --Darwin

PGP Fingerprint:
723E 7CAD 4EF5 D904 1EE8 5279 71A5 A594 E6A7 C48E
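A defender-side triage helper, added here as an example and not part of the thread: it parses `rpm -V` output for package-owned binaries whose size or digest changed (the check Gordon ran) and scans an rc.local for launch lines that use the `/./` path form seen in the quoted line. Both sample inputs are constructed and the `parse_rpm_verify` / `suspicious_*` names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample of `rpm -Va` output (not taken from the original post).
SAMPLE_RPM_V = """\
S.5....T  /bin/ps
S.5....T  /bin/netstat
S.5....T  /sbin/ifconfig
.......T  /usr/share/man/man1/ls.1.gz
S.5....T c /etc/rc.d/rc.local
missing   /usr/share/doc/foo/README
"""

# Constructed rc.local in the style of the line quoted in the thread.
SAMPLE_RC_LOCAL = """\
#!/bin/sh
touch /var/lock/subsys/local
/usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null
"""

# rpm -V line: 8 (old rpm) or 9 (newer rpm) attribute flags, optional file
# type letter(s) such as 'c' for config, then the path.
VERIFY_RE = re.compile(r"^([S.M5DLUGTP?]{8,9})\s+(?:([cdglr]+)\s+)?(\S.*)$")

def parse_rpm_verify(text: str) -> List[Dict[str, str]]:
    """Turn rpm -V output into dicts with path, flags and file type."""
    entries = []
    for line in text.splitlines():
        if line.startswith("missing"):
            entries.append({"path": line.split(None, 1)[1], "flags": "missing", "type": ""})
            continue
        m = VERIFY_RE.match(line)
        if m:
            entries.append({"path": m.group(3), "flags": m.group(1), "type": m.group(2) or ""})
    return entries

def suspicious_binaries(entries: List[Dict[str, str]]) -> List[str]:
    """Non-config files whose size (S) or digest (5) differ from the package."""
    return [e["path"] for e in entries
            if e["flags"] != "missing" and "c" not in e["type"]
            and ("S" in e["flags"] or "5" in e["flags"])]

def suspicious_rc_lines(text: str) -> List[str]:
    """Non-comment rc.local lines that invoke a path containing '/./'."""
    return [s for s in (l.strip() for l in text.splitlines())
            if s and not s.startswith("#") and "/./" in s]

if __name__ == "__main__":
    print("changed binaries:", suspicious_binaries(parse_rpm_verify(SAMPLE_RPM_V)))
    print("rc.local launch lines:", suspicious_rc_lines(SAMPLE_RC_LOCAL))
```

Timestamp-only changes (`.......T`) and config files are left out of the binary list deliberately, so a modified `/etc/rc.local` is reviewed by the second function rather than lumped in with trojaned tools.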

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Dec 23 11:51:05 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT
