
Re: [cobalt-security] Running Rootkit and the result



Hello Robbert,
I'm in this position now after having had a t0rn rootkit installed and ssh
activated - admin control panel wrecked and locked out of our server.
Below are the ramblings I'm working through. t0rn seems to have many different
'roll your owns', so to speak.
Search on Google for 't0rn rootkit recovery'; no particular URL stands out, but
there is lots of info, not just on the files they create but on the system
binaries that can be wrecked.


OK, intruder is locked out.
Scan 27370-27380 - ports commonly used to output passwords etc. to China
- OK, all closed, good.

Checking common binaries that t0rn etc. like changing

/etc/hosts.deny - ok 
/usr/bin/du - ok
/usr/bin/find - ok
lib files - think ok
/usr/sbin/in.telnetd - ok
in.fingered not here - ok
/bin/ls - ok
/bin/ps - ok
/usr/bin/pstree - ok
/usr/bin/top - ok

--check /bin/su


/sbin/ifconfig - 18 June
/bin/login - 11 June
/bin/netstat - 18 June
/etc/ttyhash - 15 June

-------check for new binaries-------------

mjy - for cleaning out log files
- not in /bin or /usr/man
tfn - not in /bin or /usr
- ok, good

/usr/info/.t0rn
holding intruder's ssh keys -> shdcf shhk shhk.pub shrs

/usr/src/.puta
t0rnp - Aug 21 - this is a log parser
torns - Aug 23 - this is a sniffer
t0rnsb - Sept 9 - log cleaner

- to do: grab above stuff and delete

Lots of ssh stuff in
/usr/local/bin - ssh-dummy shell
------------------------------------------------------------------------
b w gerald y

On Sun, 01 Jul 2001, you wrote:
> Hello All
> 
> I ran rootkit and I got:
>     Searching for t0rn's default files and dirs... Possible t0rn rootkit
> installed
> What do i do to remove?
> 
> Robson
> 
> 
> 
> ----- Original Message -----
> From: "Robbert Hamburg" <rhamburg@xxxxxx>
> To: <cobalt-security@xxxxxxxxxxxxxxx>
> Sent: Saturday, June 30, 2001 9:27 AM
> Subject: [cobalt-security] Running Rootkit and the result
> 
> 
> > Last night I ran chkrootkit-0.33 for the first time after the hints bill
> > irwin gave.
> >
> > >One of
> > >the best things you can do is grab the chkrootkit.tar.gz file
> > >ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz and check your
> > >system out.
> >
> > >tar -xvzf chkrootkit.tar.gz
> > >cd into the directory
> > >chmod 755 chkrootkit
> > >./chkrootkit and let it run.
> >
> > There was one result making me suspicious. Can someone please clarify the
> > rules below:
> >
> > Searching for Ambient's rootkit (ark) default files and dirs... Nothing
> > found
> > Searching for suspicious files and dirs, it may take a while...
> > /usr/lib/perl5/5.00503/i386-linux/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
> > /usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
> >
> >
> > The rest of the result came out as "nothing found" or "Not vulnerable". Only
> > the lines above I don't really understand.
> >
> > Please help me out !
> >
> > Robbert
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> 
-- 
Gerald Young    www.coolcat.net
 www.coolcoach.net - THE HOTTEST WAY TO LEARN -
-------------------------------------------------------------
Localhost: 10:23am  up 14:27,  3 users,  load average: 0.37, 0.10, 0.03
    Server:  5:47pm  up 343 days,  1:09,  1 user,  load average: 0.08, 0.02, 0.01

Word .doc's not accepted and automatically deleted
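The sweep Gerald walks through above (the artefact paths under /usr/info/.t0rn and /usr/src/.puta, /etc/ttyhash, and the modification dates of the binaries t0rn likes to replace) as a script, added here as an example; it is not code from the original post or from the cobalt-security list. The ROOT prefix argument, the 30-day "recently modified" window and the watch lists are assumptions made for this example. Point ROOT at a root filesystem mounted from rescue media rather than running it on the live box: a trojaned ls or find on the compromised system will hide exactly the files the sweep is looking for.

```shell
#!/bin/sh
# Added example (not from the post's author): sweep a filesystem for the
# t0rn artefacts and recently modified binaries named in the checklist above.
# ROOT is an assumed mount-point prefix so the sweep can run against a
# rescue-mounted disk (or a test tree) instead of the live system; "" means /.

# Artefact paths named in the post.
T0RN_PATHS="/usr/info/.t0rn /usr/src/.puta /etc/ttyhash \
/usr/src/.puta/t0rnp /usr/src/.puta/t0rns /usr/src/.puta/t0rnsb"

# Binaries the post checks for tampering.
T0RN_BINS="/bin/ls /bin/ps /bin/login /bin/netstat /bin/su \
/sbin/ifconfig /usr/bin/du /usr/bin/find /usr/bin/top /usr/bin/pstree \
/usr/sbin/in.telnetd"

# Print each artefact present under ROOT, one per line.
# Returns 0 when nothing was found, 1 otherwise.
t0rn_artefacts() {
    root="$1"
    hits=0
    for p in $T0RN_PATHS; do
        if [ -e "$root$p" ]; then
            echo "ARTEFACT $root$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Print watched binaries under ROOT modified within DAYS days (default 30).
# An intruder who replaces /bin/netstat leaves a fresh mtime unless they
# also reset it, which is why the post compares dates across binaries.
# Returns 0 when nothing was found, 1 otherwise.
recent_bins() {
    root="$1"
    days="${2:-30}"
    hits=0
    for b in $T0RN_BINS; do
        f="$root$b"
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -mtime "-$days" 2>/dev/null)" ]; then
            echo "RECENT $f"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Run both checks; return 0 only if neither reported anything.
t0rn_sweep() {
    root="${1:-}"
    status=0
    t0rn_artefacts "$root" || status=1
    recent_bins "$root" 30 || status=1
    return "$status"
}

# Usage: sh t0rn_sweep.sh /mnt/compromised   (ROOT argument required)
if [ "$#" -gt 0 ]; then
    if t0rn_sweep "$1"; then
        echo "no t0rn indicators under '$1'"
    else
        echo "t0rn indicators found under '$1'"
    fi
fi
```

A clean run only says the stock t0rn paths are absent and the listed binaries are old; with the "roll your own" variants Gerald mentions, a negative result is not proof, and the safe end state is still a rebuild from known-good media with the intruder's ssh keys and listening ports gone.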