
Re: hpd, afb, sc, and sn

From: <deadcalm(at)treshna.com>
Date: Sun Dec 22 2002 - 22:49:33 EST

Congratulations Gordon, it looks like you've found a new (unpublished) rootkit. A rootkit is what a hacker uses to hide, and it often includes backdoors for later access. As this is a binary-layer (as opposed to library- or kernel-level) rootkit, and the rootkit is 'unknown', the skill of your attacker is beginner to intermediate.

How your attacker gained access cannot be determined by the rootkit deployed, except under circumstances when it is an identifiable rootkit used exclusively with a worm or auto-rooter.

The best thing you can do when you've been hacked is to power off the server without touching the keyboard or logging in. The reason for this is to preserve evidence where possible. It is best to then use 'dd' (see 'man dd' for more info) to copy the hard disk images and then examine them offline. If, however, you are able to log in to the server without adjusting wtmp or utmp (i.e. you overflow to get a shell), then you are in a 'better' position to recover the memory contents (which you would lose had you simply powered down the server).

The leading open-source software to deal with intrusions like this is The Coroner's Toolkit (http://www.fish.com/tct/). @stake has produced two open-source software packages to be used with TCT; they are:
1] The @stake Sleuth Kit (TASK) (http://www.atstake.com/research/tools/task)
2] The Autopsy Forensic Browser (http://www.atstake.com/research/tools/autopsy/)

The chkrootkit project will detect 'known' rootkits (http://www.chkrootkit.org/).

> According to an rpm -V, all kinds of binaries have been changed: ps,
ps & top were modified to hide processes, netstat to hide network connections, and ifconfig to hide PROMISC mode. At least this is true for most rootkits.

Could you please send the modified binaries to the list, and if possible make disk images of the hacked server available, à la the Honeynet Project.

Do you need help?

On 20 Dec 2002 14:11:31 -0700
Gordon Chamberlin <glac@visualize.com> wrote:

> I found suspicious looking files on a Redhat 7.1 Linux server earlier
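The reply above notes that a binary-layer rootkit works by replacing ps and top so that chosen processes drop out of their output, while the kernel's own process table is left alone. The following is an added example (not code from the original post, and not chkrootkit or TCT code) that exploits exactly that gap: it lists PIDs straight from /proc, runs ps, and reports any PID the kernel knows about that ps kept quiet about. It assumes a Linux procfs; the function names are this example's own, and the ps output embedded in it is constructed sample data.

```python
"""Cross-check the kernel's process table against what ps reports.

Added example, not code from the original post or from chkrootkit/TCT.
A binary-layer rootkit replaces ps and top so chosen PIDs drop out of their
output, but the kernel's own bookkeeping under /proc is untouched, so a PID
that is visible in /proc and missing from ps is a candidate hidden process.
Assumes Linux procfs; the function names are this example's own.
"""
import os
import subprocess


def pids_from_proc(proc="/proc"):
    """Kernel view: every numeric directory entry under /proc is a PID."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def parse_ps_pids(ps_output):
    """Pull the PID column out of `ps -e` style output; header lines and
    anything whose first field is not an integer are ignored."""
    pids = set()
    for line in ps_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def pids_from_ps(ps_binary="ps"):
    """Userland view: whatever the (possibly trojaned) ps admits to. Point
    ps_binary at a statically linked, known-good copy from rescue media if
    you have one; the stock binary is exactly what the attacker replaced."""
    result = subprocess.run([ps_binary, "-e"], capture_output=True,
                            text=True, check=True)
    return parse_ps_pids(result.stdout)


def find_hidden(kernel_view, ps_view):
    """PIDs the kernel knows about that ps did not report, sorted."""
    return sorted(kernel_view - ps_view)


def describe(pid, proc="/proc"):
    """Best-effort identification of a PID from /proc (cmdline, then comm)."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            cmd = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
        if cmd:
            return cmd
        with open(f"{proc}/{pid}/comm") as f:
            return "[" + f.read().strip() + "]"
    except OSError:
        return "<gone>"


def check_host(ps_binary="ps"):
    """Sample /proc before and after running ps and only flag PIDs present in
    both samples, so processes that started or exited around the ps run do
    not show up as false positives. Returns [(pid, description), ...]."""
    before = pids_from_proc()
    reported = pids_from_ps(ps_binary)
    after = pids_from_proc()
    stable = before & after
    return [(pid, describe(pid)) for pid in find_hidden(stable, reported)]


# Constructed sample: ps output as a trojaned binary might emit it, with
# PID 31337 (present in the constructed kernel view) silently dropped.
SAMPLE_PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
  742 ?        00:00:00 sshd
  905 pts/0    00:00:00 bash
"""
SAMPLE_KERNEL_PIDS = {1, 742, 905, 31337}


if __name__ == "__main__":
    hidden = find_hidden(SAMPLE_KERNEL_PIDS, parse_ps_pids(SAMPLE_PS_OUTPUT))
    print("constructed sample: hidden PIDs =", hidden)
    if os.path.isdir("/proc"):
        try:
            for pid, what in check_host():
                print(f"live check: PID {pid} is in /proc but not in ps: {what}")
        except OSError as exc:
            print("live check skipped:", exc)
```

A clean result from this check proves only that ps is not lying about the process list; a library- or kernel-level rootkit hides the same PIDs from /proc as well, so it would pass. It also does nothing about the trojaned netstat and ifconfig the reply mentions, for which the analogous comparison is /proc/net/tcp against netstat output. And it is still a check run on the compromised host with that host's kernel and shell, so, as the reply says, imaging the disk with dd and examining it offline remains the better footing; this is for the case where you are logged in anyway and want a quick read on what ps is hiding.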



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Dec 23 12:28:02 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT

