[cobalt-security] Cracker tools found on a RaQ 4
- Subject: [cobalt-security] Cracker tools found on a RaQ 4
- From: Bruce Timberlake <bruce@xxxxxxxxxx>
- Date: Fri, 21 Feb 2003 16:47:48 -0800
- Organization: BRTNet.org
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Doing some work for a client, and found a set of tools called 'vanish'
in /dev/.tty1. Looking at the source code shows this:
/***************************************************************************
 * Vanish.c cleans WTMP, UTMP, lastlog, messages, secure, xferlog, maillog, *
 * warn, mail, httpd.access_log, httpd.error_log. Use your brain, check your *
 * logs and edit accordingly !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! *
 ****************************************************************************
 * Warning!! This programm is for educational purpouse only! I am not       *
 * responsible to anything you do with this !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! *
 ****************************************************************************
 * Code written for Unix like systems! Tested on SuSE-Linux 6.2 !            *
 * Compile like: gcc vanish.c -o vanish                                      *
 ***************************************************************************/
It needs access to the compiler to work.
I found this by running a search for all programs without a valid
owner on the system:
find / \( -nouser -o -nogroup \) -exec ls -lF {} \;
Here's what the directory and filenames look like (sorry for the bogus
wrapping):
drwxr-xr-x 5 1471 1471  1024 Oct 29 13:32 sk-1.3a/
-rw-r--r-- 1 root  500 45051 Jul  7  2002 sk-1.3a.tar.gz
-rwxr-xr-x 1 root  500 17433 Oct 29 13:31 van*
-rw-r--r-- 1 root  500  6195 Feb 15  2000 vanish.c
-rw-r--r-- 1 root  500 45051 Jul  7  2002 /dev/.tty1/sk-1.3a.tar.gz
-rw-r--r-- 1 root  500  6195 Feb 15  2000 /dev/.tty1/vanish.c
-rwxr-xr-x 1 root  500 17433 Oct 29 13:31 /dev/.tty1/van*
-rw-r--r-- 1 root  500   217 Oct 29 13:32 /dev/.tty1/sk-1.3a/include/config.h
-rw-r--r-- 1 root  500  7236 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/sha1.o
-rw-r--r-- 1 root  500  1904 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/crypto.o
-rwxr-xr-x 1 root  500 12224 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/pass*
-rwxr-xr-x 1 root  500 16864 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/login*
-rw-r--r-- 1 root  500  5908 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/backdoor.o
-rw-r--r-- 1 root  500  2820 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/client.o
-rw-r--r-- 1 root  500  2976 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/install.o
-rw-r--r-- 1 root  500 51505 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kernel.s
-rw-r--r-- 1 root  500 11548 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kernel.o
-rw-r--r-- 1 root  500  1108 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/kmem.o
-rw-r--r-- 1 root  500  1084 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/lib.o
-rw-r--r-- 1 root  500  2580 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/main.o
-rw-r--r-- 1 root  500  1708 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/pattern.o
-rw-r--r-- 1 root  500  7504 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/printf.o
-rwxr-xr-x 1 root  500 29816 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/sk*
-rwxr-xr-x 1 root  500  3388 Oct 29 13:32 /dev/.tty1/sk-1.3a/src/bin2oct*
-rwxr-xr-x 1 root  500 16864 Oct 29 13:32 /dev/.tty1/sk-1.3a/login*
-rwxr-xr-x 1 root  500 29816 Oct 29 13:32 /dev/.tty1/sk-1.3a/sk*
-rw-r--r-- 1 root  500 61671 Oct 29 13:32 /dev/.tty1/sk-1.3a/inst
Also you might want to run a check for all setuid files and see if
anything suspicious appears:
find / -type f -perm +6000 -exec ls -lF {} \;
I'm sending the info to the chkrootkit folks for (hopeful) inclusion
in the next chkrootkit update...
- --
Bruce Timberlake
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+Vsi1vLA2hUZ9kgwRAgQYAJ99LeNkO6VWTkGuFf1dpKNrhH4KcQCdG6Un
YVROLdY7ILWSW/8lRA/lInY=
=nLUl
-----END PGP SIGNATURE-----
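The two find checks from the message above, collected into a small audit script as an added example (this is not Bruce's code and not part of the original post). It assumes a POSIX sh with a find that supports -xdev, -nouser/-nogroup and -mindepth/-maxdepth (GNU and BSD both do); the function names, the "run" argument and the baseline-file convention are this example's own. It goes slightly beyond the post: it parenthesises the -nouser/-nogroup test so -exec applies to both conditions, uses the POSIX -perm -4000/-perm -2000 form instead of the older GNU "-perm +6000", adds a check for dot-named entries directly under /dev (where /dev/.tty1 was hiding), and compares the setuid/setgid list against a baseline captured from a known-good state.

```shell
#!/bin/sh
# Added audit helpers (not from the original post). ROOT/DEV arguments default
# to the live system; the test below points them at a constructed temp tree.

# Files whose uid or gid no longer maps to an account. Written as
# "find / -nouser -o -nogroup -exec ...", the -exec binds only to -nogroup, so
# an unowned file that still has a valid group is never listed; parentheses
# make the action apply to both conditions.
find_unowned() {
    root="${1:-/}"
    find "$root" -xdev \( -nouser -o -nogroup \) -exec ls -ldF {} \; 2>/dev/null
}

# setuid or setgid regular files, as sorted paths so the list can be diffed.
# -perm -4000 / -perm -2000 is the POSIX form; the post's "-perm +6000" is the
# old GNU spelling that current GNU find no longer accepts.
list_setid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Dot-named entries directly under the device directory. /dev should hold
# device nodes, not a hidden directory like /dev/.tty1; some distributions do
# create dot-directories there, so review each hit rather than deleting on sight.
find_hidden_in_dev() {
    devdir="${1:-/dev}"
    find "$devdir" -mindepth 1 -maxdepth 1 -name '.*' -exec ls -ldF {} \; 2>/dev/null
}

# Compare the current setuid/setgid list with a baseline file captured earlier
# (e.g. "list_setid / > setid.baseline" on a freshly installed box). Prints
# "> path" for additions and "< path" for removals; "|| true" keeps a non-empty
# diff from aborting a script running under set -e.
diff_setid_baseline() {
    root="$1"; baseline="$2"
    list_setid "$root" | diff "$baseline" - || true
}

# Number of lines a check produced, with wc's padding stripped.
count_hits() { wc -l | tr -d ' '; }

# Assumed invocation: "sh audit.sh run" as root audits the live system.
if [ "${1:-}" = "run" ]; then
    echo "== files with no valid owner or group =="; find_unowned /
    echo "== setuid/setgid files ==";                 list_setid /
    echo "== hidden entries in /dev ==";              find_hidden_in_dev /dev
fi
```

Run the unowned-file and setuid checks as root, since a directory the auditing user cannot read is silently skipped (stderr is discarded above). Treat the baseline diff as the most useful of the four over time: a setuid binary that appears where none was installed is a much stronger signal than the absolute list, which on a stock system already contains a few dozen legitimate entries.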