Found, a new rootkit

Gene Heskett gene.heskett at verizon.net
Fri Mar 31 18:02:41 UTC 2006


Greetings folks;

In doing some checking of a web server, we found an IRC port open on 
31377, one of the black hatters' favorites.  A port that portsentry was 
supposed to be rejecting but wasn't.

We stumbled over several items over the last few days, but the most 
obvious one was a directory called .sk, located in /usr/share/misc.

Its payload seemed fairly simple, to make an underground irc chat server 
out of the box.

It does this with a shell script that echoes several kilobytes of octal 
strings to gzip in unpack mode, redirected (>) to a file in the local 
directory called .sk, and it contains a login replacement also.  We did 
not find that login was the one installed, however.  Which may be a clue 
that there's even more smoke in this camp than what we've found yet.

The execution installs it by cp .sk /usr/bin/apmd, but puts it 
in /usr/bin as opposed to the real apmd's location of /usr/sbin, and 
adds a starter line so it's enabled on boot to something we haven't 
found yet.  It also appears to start a third instance of portsentry 
somehow.

We've cut our bandwidth use in half by getting rid of that.  We also 
checked the logs and added several dozen more addresses 
to /etc/hosts.deny, including many script based password guess attempts 
that didn't get in.  And put portsentry in its most paranoid anal mode 
with a few additions yet.

Just thought everybody would like to know about this bit of black hat 
tomfoolery.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon' and the dot, which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
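A host check for the indicators Gene describes (the hidden .sk staging directory under /usr/share/misc, an apmd copy in /usr/bin instead of /usr/sbin, a dropper script that echoes octal escapes into gzip, a listener on 31377, and extra portsentry processes). This is an added example, not code from the post; each function takes a root path so it can be run against a mounted image or a test tree, and the portsentry count of 2 is an assumed baseline.

```shell
#!/bin/sh
# Added example: sweep a box for the indicators from Gene's report.
# Each check returns 0 when clean and 1 (with a SUSPECT line) when it hits.

# Hidden staging directory the dropper unpacks into.
check_sk_dir() {
    root="${1:-}"
    if [ -d "$root/usr/share/misc/.sk" ]; then
        echo "SUSPECT: $root/usr/share/misc/.sk exists"
        return 1
    fi
    return 0
}

# The real apmd lives in /usr/sbin; a copy in /usr/bin is the rootkit's.
check_apmd_location() {
    root="${1:-}"
    if [ -e "$root/usr/bin/apmd" ]; then
        echo "SUSPECT: $root/usr/bin/apmd present (real apmd is /usr/sbin/apmd)"
        return 1
    fi
    return 0
}

# Dropper pattern: runs of octal escapes (\NNN) fed to gzip in unpack mode.
check_dropper_script() {
    f="$1"
    if grep -Eq '\\[0-7]{3}' "$f" && grep -Eq 'gunzip|gzip[^|]*-d' "$f"; then
        echo "SUSPECT: $f looks like an octal-escape dropper feeding gzip"
        return 1
    fi
    return 0
}

# Listener on 31377, the port found open; uses ss or netstat, whichever exists.
check_port_31377() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q ':31377 ' && { echo "SUSPECT: listener on 31377"; return 1; }
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | grep -q ':31377 ' && { echo "SUSPECT: listener on 31377"; return 1; }
    fi
    return 0
}

# More portsentry processes than expected (a third instance was seen).
check_portsentry_count() {
    expected="${1:-2}"   # assumed baseline: one TCP and one UDP instance
    n="$(ps -eo comm= 2>/dev/null | grep -c '^portsentry$')" || n=0
    if [ "$n" -gt "$expected" ]; then
        echo "SUSPECT: $n portsentry processes, expected at most $expected"
        return 1
    fi
    return 0
}
```

Run the file-based checks against a mounted image with ROOT=/mnt/image, and the process and port checks on the live host.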
