
Re: [cobalt-security] amd root?



Hi Jeff,

> On one customer system chkrootkit is reporting "amd" and "syslogd" are
> both infected.

This could be the LRK4 rootkit - among others: 

http://project.honeynet.org/challenge/results/submissions/addam/toolkit.txt

However, if so, then chkrootkit should find and identify it correctly, if I'm 
not mistaken.

Jeff, I gather you're quite experienced in regards to Cobalts. 

Did you recently stumble across any RaQ3 or RaQ4 which had /etc/shadow set to 
-r--------?

Just today I had the third RaQ with the same signs and indications and I've 
heard about two others with the same issue. 

Of the three machines I was asked to look after two were RaQ3's, the other one 
was a RaQ4. 

The modifications include a loadable kernel module which prevents "root" from 
modifying certain files and folders. In /etc there is the hacker executable 
nscd which is launched by an entry in /etc/rc.sysinit. Removal of /etc/nscd 
instantly "walls": "System is going down for reboot" to all users and a 
reboot is initiated. That can of course be stopped with "/sbin/init 3".

However, the LKM and the permissions on /etc/shadow make this a tough nut to 
fix. The replaced system binaries include only netstat, ps, top and ifconfig. 

While trying to find out how the hackers got in I'm kinda banging my head 
against a wall, too. All machines seem to have all patches (one RaQ3 was 
missing the latest Kernel patch) and all had the most recent SSH package 
installed and had Telnet off. 

At least the customers claim that all patches had been installed in time. If 
they're telling the truth, then this could get nasty.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
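
The signs Michael lists (0400 /etc/shadow, an executable /etc/nscd started from /etc/rc.sysinit, trojaned netstat/ps/top/ifconfig, a kernel module that does not belong) can be swept for mechanically. The script below is an added triage example written for this page; it is not code from the list thread or from Cobalt. It takes a root directory so it can be pointed at a mounted disk image or a tree restored from backup, which matters here: a rootkit LKM can lie to anything run on the live box, so the trustworthy way to use it is from rescue media or against the disk mounted elsewhere. The binary locations (bin/netstat, bin/ps, usr/bin/top, sbin/ifconfig) and the baseline file format are assumptions; the baseline is a `sha256sum` listing taken on a known-clean RaQ of the same release, and the sample tree in the self-test is constructed.

```shell
#!/bin/sh
# Added triage example (not code from the list message or from Cobalt).
# Usage: raq_triage ROOT [BASELINE]
#   ROOT      directory holding the suspect filesystem (/ on a live box,
#             better a mounted image)
#   BASELINE  optional file of "sha256  relative/path" lines made on a clean
#             RaQ with:  cd / && sha256sum bin/netstat bin/ps usr/bin/top sbin/ifconfig
# Paths below are assumptions about where the RaQ keeps these tools.
RAQ_BINARIES="bin/netstat bin/ps usr/bin/top sbin/ifconfig"

raq_triage() {
    root="${1:-/}"
    baseline="$2"
    findings=0

    # 1. /etc/shadow forced to -r-------- (mode 0400), the sign reported on
    #    the compromised RaQs. find -perm with an octal mode is an exact match
    #    and works on old boxes that have no GNU stat.
    shadow="$root/etc/shadow"
    if [ -f "$shadow" ] && [ -n "$(find "$shadow" -perm 400)" ]; then
        echo "FINDING shadow-perms: $shadow is mode 0400 (-r--------)"
        findings=$((findings + 1))
    fi

    # 2. A binary dropped straight into /etc. The genuine nscd lives in
    #    /usr/sbin; nothing legitimate is executed from /etc/nscd.
    if [ -f "$root/etc/nscd" ] && [ -x "$root/etc/nscd" ]; then
        echo "FINDING etc-binary: $root/etc/nscd is an executable file"
        findings=$((findings + 1))
    fi

    # 3. The persistence hook: rc.sysinit launching /etc/nscd at boot.
    rc="$root/etc/rc.sysinit"
    if [ -f "$rc" ] && grep -q '/etc/nscd' "$rc"; then
        echo "FINDING rc-hook: $rc references /etc/nscd:"
        grep -n '/etc/nscd' "$rc" | sed 's/^/    /'
        findings=$((findings + 1))
    fi

    # 4. Replaced userland tools, checked against known-good checksums rather
    #    than against the (possibly lying) tools on the suspect system.
    if [ -n "$baseline" ] && [ -f "$baseline" ]; then
        for rel in $RAQ_BINARIES; do
            f="$root/$rel"
            [ -f "$f" ] || continue
            have=$(sha256sum "$f" | cut -d' ' -f1)
            want=$(grep " $rel\$" "$baseline" | cut -d' ' -f1)
            if [ -n "$want" ] && [ "$have" != "$want" ]; then
                echo "FINDING binary-replaced: $f sha256 $have != baseline $want"
                findings=$((findings + 1))
            fi
        done
    fi

    # 5. Loaded modules with no backing file under /lib/modules. Only useful
    #    on a live system (/proc), and a hostile LKM may hide itself from
    #    /proc/modules, so absence of a finding proves nothing. 2.2 kernels
    #    ship modules as .o, later ones as .ko; '-' and '_' are interchangeable
    #    in module names.
    pm="$root/proc/modules"
    if [ -f "$pm" ] && [ -d "$root/lib/modules" ]; then
        for m in $(cut -d' ' -f1 "$pm"); do
            alt=$(echo "$m" | tr '_' '-')
            if ! find "$root/lib/modules" \( -name "$m.o" -o -name "$m.ko" \
                    -o -name "$alt.o" -o -name "$alt.ko" \) | grep -q .; then
                echo "FINDING orphan-lkm: module '$m' loaded but no $m.o/$m.ko under /lib/modules"
                findings=$((findings + 1))
            fi
        done
    fi

    echo "TOTAL $findings"
    return 0
}

# Convenience wrapper: print only the number of findings.
raq_triage_count() {
    raq_triage "$1" "$2" | sed -n 's/^TOTAL //p'
}
```

Run it as `raq_triage /mnt/raq /root/clean-raq3.sha256` after mounting the suspect disk read-only. The checks are deliberately independent of ps, netstat or lsmod on the suspect host, since those are exactly the binaries the mail says were replaced; only the module check needs the live /proc, and it is the one a kernel-resident rootkit can defeat.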