Is this a compromise and how?

From: brian@worldcontrol.com
Date: Thu Dec 14 2000 - 03:53:46 EST


Sorry if this is too far off topic, but it seems to me the
kernel may be helping in this break in or maybe some magic
aspect of the filesystem.

I noted in an ls that

-rwxr-xr-x 1 root root 36784 Jul 17 05:06 rpc.mountd*
-rwxr-xr-x 1 root root 3368 Jul 17 05:06 rpc.nfsd*
-rwxr-xr-x 1 root ftp 22 Sep 8 22:15 rpc.rcmd*
-rwxr-xr-x 1 root root 9872 Jul 17 05:06 rpc.rquotad*
-rwxr-xr-x 1 root root 13936 Feb 9 2000 rpc.rstatd*
-rwxr-xr-x 1 root root 7952 Feb 9 2000 rpc.rusersd*
-rwxr-xr-x 1 root root 6512 Feb 11 2000 rpc.rwalld*
-rwxr-xr-x 1 root root 17624 Mar 7 2000 rpc.yppasswdd*
-rwxr-xr-x 1 root root 23984 Mar 7 2000 rpc.ypxfrd*
-rwxr-xr-x 1 root root 10692 Sep 5 16:03 rpcinfo*

rpc.rcmd look a little suspicious?

And guess what it contains?

%cat /usr/sbin/rpc.rcmd
/usr/include/strlib.h

Hmmmm.

%ls -l /usr/include/strlib.h
-rwxr-xr-x 1 root root 16768 Sep 16 09:55 /usr/include/strlib.h*

%file /usr/include/strlib.h
/usr/include/strlib.h: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped

%/usr/include/strlib.h
bind: Address already in use

Now watch this magic trick:

%mkdir foo
%cd foo
%touch strlib.h
%ls
%find . -print
.
./strlib.h
%

Get it? strlib.h never appears in the file system via ls wherever
it may be created.

More fun:

%echo hello >strlib.h
%ls
%cat strlib.h
hello
%

Pretty cool huh?

Let me know if you would like a copy of the code.

A quick strace shows that it binds to port 24000.

It also contains a list of 5 IP addrs. I suspect it doesn't
broadcast, but allows people in from those IPs.

Anyone know what has happened? I religiously install the redhat
updates, and am subscribed to the CERT advisories and install
the fixes the moment I get them.

The system was RedHat 6.2, linux 2.2.17pre14 at the time the
breakin occurred.

I've been running firewalled with only services I provide turned
on for access, and in /etc/inetd.conf.

What is keeping strlib.h from appearing in ls's output? A hacked ls command?

-- 
Brian Litzinger <brian@worldcontrol.com>

Copyright (c) 2000 By Brian Litzinger, All Rights Reserved

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
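The two symptoms in the post are a name that `find` returns but `ls` omits, and an ELF executable parked under a `.h` name in an include directory. The script below, added here as an example and not part of the original message, turns both into checks. `hidden_names` lists directory entries that a `find` walk returns but a given lister omits; `fake_headers` flags `.h` files that carry the ELF magic or an execute bit. Because the machine running it has an honest `ls`, `trojan_ls` is a constructed stand-in (a shell function that drops `strlib.h` from real `ls` output) so the discrepancy can be reproduced; `make_sample` builds a constructed sample tree in a temp directory. On a suspect host you would pass the real `/bin/ls` as the lister and `/usr/include` as the directory.

```shell
#!/bin/sh
# Added example: detect ls-hidden names and ELF files posing as headers.
set -u

# Constructed stand-in for a trojaned /bin/ls: real ls output minus "strlib.h".
trojan_ls() {
    command ls "$@" | grep -v '^strlib\.h$' || true
}

# hidden_names DIR [LISTER]: names that a find walk of DIR returns but
# "LISTER -A DIR" omits. find reads the directory itself, so it does not
# depend on whatever the ls binary chooses to print.
hidden_names() {
    dir=$1
    lister=${2:-ls}
    tmp=$(mktemp -d)
    find "$dir" -mindepth 1 -maxdepth 1 | sed 's|.*/||' | sort >"$tmp/find.txt"
    "$lister" -A "$dir" | sort >"$tmp/ls.txt"
    comm -23 "$tmp/find.txt" "$tmp/ls.txt"   # in find, not in ls
    rm -rf "$tmp"
}

# fake_headers DIR: *.h files under DIR that start with the ELF magic
# (0x7f 'E' 'L' 'F') or have an execute bit; neither belongs in an include tree.
fake_headers() {
    dir=$1
    find "$dir" -type f -name '*.h' | while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')
        if [ "$magic" = '177ELF' ] || [ -x "$f" ]; then
            echo "$f"
        fi
    done
}

# make_sample: constructed sample tree mirroring the post; prints its path.
#   work/strlib.h         empty file the trojaned ls will hide
#   work/notes.txt        ordinary file
#   usr_include/strlib.h  fake "header": ELF magic plus mode 755
#   usr_include/string.h  genuine header text
make_sample() {
    s=$(mktemp -d)
    mkdir "$s/work" "$s/usr_include"
    : >"$s/work/strlib.h"
    : >"$s/work/notes.txt"
    printf '\177ELF\001\001\001' >"$s/usr_include/strlib.h"
    chmod 755 "$s/usr_include/strlib.h"
    printf '#define STRLIB_H 1\n' >"$s/usr_include/string.h"
    echo "$s"
}

demo() {
    s=$(make_sample)
    echo "== names find sees that the simulated trojaned ls hides:"
    hidden_names "$s/work" trojan_ls
    echo "== ELF or executable files posing as headers:"
    fake_headers "$s/usr_include"
    rm -rf "$s"
}

demo
```

`hidden_names` trusts `find`, which is only a stronger check because it is a different binary reading the directory; a kit that also replaces `find` (or hooks `readdir` in libc or the kernel) will hide the name from both, so a mismatch proves tampering but an empty result does not prove a clean system. Comparing against `rpm -V` for the affected packages, or against a listing taken from a boot disk, closes that gap.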
