#############################################################################################
####                                                                                     ####
####       BEGINNING OF FILES THAT EXIST IN honeypot AND DO NOT EXIST IN fresh62         ####
####                                                                                     ####
#############################################################################################

This is the list of files that exist in honeypot and NOT in a fresh Red Hat 6.2 installation.

drwxr-xr-x 2 root root 12288 Nov 5 01:55 ./boot/lost+found
drwxr-xr-x 2 root root 16384 Nov 5 01:55 ./home/lost+found
- Without interest. Both directories were mountpoints in honeypot.

drwx------ 2 david david 4096 Nov 8 15:59 ./home/drosen
-rwxr-xr-x 1 david david 333 Nov 5 02:05 ./home/drosen/.emacs
-rw-r--r-- 1 david david 24 Nov 5 02:05 ./home/drosen/.bash_logout
-rw-r--r-- 1 david david 230 Nov 5 02:05 ./home/drosen/.bash_profile
-rw-r--r-- 1 david david 124 Nov 5 02:05 ./home/drosen/.bashrc
-rw-r--r-- 1 david david 3394 Nov 5 02:05 ./home/drosen/.screenrc
-rw------- 1 david david 52 Nov 8 15:59 ./home/drosen/.bash_history
- The file .bash_history holds the commands typed by user drosen. Its mtime is 15:59 on Nov 8; since bash writes the history file when the shell exits, that is when this session ended rather than when the last command was typed. The rest are uninteresting initialization files.
------------------------------------------------------------------
gunzip *
tar -xvf *
rm tpack*
cd " "
./install
exit
------------------------------------------------------------------
See that he decompressed and extracted some files, then removed all files starting with "tpack" (probably "tpack_something.tar"), then changed into a directory called " " (a single white space) and ran an "install" program from there. All that was around 16:00 on Nov 8.

drwxr-xr-x 2 root root 16384 Nov 5 01:55 ./usr/lost+found
- Without interest. Again, /usr was a mountpoint in honeypot.
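The whole list above comes from comparing the honeypot file system against a fresh installation, and the trojan checks later in this analysis rest on comparing md5sums against that same baseline. The script below is an added example of that comparison, not part of the original analysis: it reads two manifests (one line per file: md5, size, mtime, path) and reports files only on the suspect host, files only on the baseline, files present on both with a different hash, and files whose mtime falls inside the intrusion window. The manifest lines are constructed from a few paths named in this report; the hashes and sizes in them are made up.

```python
"""Baseline diff of two file manifests (added example, constructed data)."""
from collections import namedtuple

Entry = namedtuple("Entry", "md5 size mtime path")

# Constructed manifests: "<md5> <size> <YYYY-MM-DD mtime> <path>" per line,
# i.e. what `find / -type f -printf '%s %TY-%Tm-%Td %p\n'` joined with
# `md5sum` output gives you.  Hashes and sizes here are invented.
FRESH62 = """\
aaaa0001 60080 2000-11-05 /bin/ps
aaaa0002 43024 2000-11-05 /bin/ls
aaaa0003 66736 2000-11-05 /bin/netstat
aaaa0004 17000 2000-11-05 /sbin/syslogd
"""
HONEYPOT = """\
bbbb0001 60080 2000-11-08 /bin/ps
bbbb0002 43024 2000-11-08 /bin/ls
bbbb0003 66736 2000-11-05 /bin/netstat
aaaa0004 17000 2000-11-05 /sbin/syslogd
cccc0001 7229 2000-06-03 /usr/man/.Ci/snif
cccc0002 58 2000-11-08 /usr/man/.p
"""


def parse_manifest(text):
    """Map path -> Entry; blank lines are ignored."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        md5, size, mtime, path = line.split(None, 3)
        entries[path] = Entry(md5, int(size), mtime, path)
    return entries


def diff_manifests(baseline, suspect, window=("2000-11-08", "2000-11-08")):
    """Four buckets: added, removed, modified (same path, different md5)
    and touched (mtime inside the intrusion window, whatever the hash).
    Only the hash buckets are trustworthy: mtime can be copied from the
    original by a rootkit "fix" tool, so "touched" is a hint, not proof."""
    base, susp = parse_manifest(baseline), parse_manifest(suspect)
    both = set(base) & set(susp)
    lo, hi = window
    return {
        "added": sorted(set(susp) - set(base)),
        "removed": sorted(set(base) - set(susp)),
        "modified": sorted(p for p in both if base[p].md5 != susp[p].md5),
        "touched": sorted(p for p, e in susp.items() if lo <= e.mtime <= hi),
    }


if __name__ == "__main__":
    for bucket, paths in diff_manifests(FRESH62, HONEYPOT).items():
        print(f"{bucket:9s} {' '.join(paths) or '-'}")
```

Note that /bin/netstat in the constructed data carries the baseline mtime but a different hash: that is the case a "touched" filter alone would miss, and the reason the hash comparison is the part of this method to rely on.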
drwxr-xr-x 2 root root 4096 Nov 8 15:52 ./usr/doc/screen-3.9.4
-rw-r--r-- 1 root root 14081 Oct 20 1999 ./usr/doc/screen-3.9.4/FAQ
-rw-r--r-- 1 root root 3619 Jul 15 1999 ./usr/doc/screen-3.9.4/NEWS
-rw-r--r-- 1 root root 3437 Oct 9 1995 ./usr/doc/screen-3.9.4/README
-rw-r--r-- 1 root root 6447 Oct 20 1999 ./usr/doc/screen-3.9.4/README.DOTSCREEN
- Documents of the screen-3.9.4-3 package. In the default RH62 server installation it is screen-3.9.5-4 that gets installed.

- NOTE: This is the difference in installed packages between honeypot and our fresh RH62 default server installation (from /var/lib/rpm/packages.rpm):
------------------------------------------------------------------
fresh62                  honeypot
=======                  ========
-                        am-utils-6.0.1s11-1.6.0
lpr-0.50-4               lpr-0.48-1
make-3.78.1-4            make-3.77-6
nfs-utils-0.1.6-2        nfs-utils-0.1.9.1-1
screen-3.9.5-4           screen-3.9.4-3
telnet-0.16-6            telnet-0.10-29
wu-ftpd-2.6.0-3          wu-ftpd-2.6.0-14.6x
ypserv-1.3.9-3           ypserv-1.3.9-1
------------------------------------------------------------------
The main reason for that is that the intruder installed these packages. Note that only two of them (nfs-utils and wu-ftpd, the two services with well-known remote holes in RH62) are newer than the baseline; lpr, make, screen, telnet and ypserv are older builds than the ones RH62 ships with. See the following extract from a query on the install date of every package on honeypot (in order of installation):
------------------------------------------------------------------
...
Sun 05 Nov 2000 02:04:44 AM CET wvdial-1.41-3
Sun 05 Nov 2000 02:04:45 AM CET yp-tools-2.4-1
Sun 05 Nov 2000 02:04:45 AM CET ypbind-3.3-28
Sun 05 Nov 2000 02:04:46 AM CET zlib-1.1.3-6
Sun 05 Nov 2000 02:04:48 AM CET zlib-devel-1.1.3-6

[ blank lines added for separation ]

Wed 08 Nov 2000 03:52:26 PM CET am-utils-6.0.1s11-1.6.0
Wed 08 Nov 2000 03:52:32 PM CET lpr-0.48-1
Wed 08 Nov 2000 03:52:32 PM CET make-3.77-6
Wed 08 Nov 2000 03:52:33 PM CET screen-3.9.4-3
Wed 08 Nov 2000 03:52:33 PM CET telnet-0.10-29
Wed 08 Nov 2000 03:52:33 PM CET ypserv-1.3.9-1
Wed 08 Nov 2000 03:53:41 PM CET wu-ftpd-2.6.0-14.6x
Wed 08 Nov 2000 03:53:49 PM CET nfs-utils-0.1.9.1-1
------------------------------------------------------------------
We see that all packages were installed on one of two dates: Nov 5 (the day honeypot was installed) and Nov 8 (the day the intruder got into the system). Note that the times are expressed in CET (my time zone), but that isn't a problem; simply take it into account when comparing with honeypot or snort logs.
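The package table and the install-time listing above can be reduced to a short script. The following is an added example, not part of the original analysis: it splits each name-version-release, compares versions segment by segment the way rpm's rpmvercmp() does (numeric segments as integers, numeric newer than alphabetic, leftover segments win; the tilde and caret rules of modern rpm are left out), classifies every honeypot package against the fresh62 list as added, upgraded, downgraded or same, and buckets packages by install day so that anything installed outside the installation day stands out. The package names and timeline lines are the ones quoted on this page; the fresh62 list is the table above plus the Nov 5 packages from the timeline.

```python
"""Package baseline triage in the style of `rpm -qa --last` (added example)."""
import re
from datetime import datetime

# Baseline: the fresh62 column of the table plus the Nov 5 packages.
FRESH62 = """\
lpr-0.50-4 make-3.78.1-4 nfs-utils-0.1.6-2 screen-3.9.5-4 telnet-0.16-6
wu-ftpd-2.6.0-3 ypserv-1.3.9-3 wvdial-1.41-3 yp-tools-2.4-1 ypbind-3.3-28
zlib-1.1.3-6 zlib-devel-1.1.3-6""".split()

# The install-date extract quoted above (one line per package).
HONEYPOT_LAST = """\
Sun 05 Nov 2000 02:04:44 AM CET wvdial-1.41-3
Sun 05 Nov 2000 02:04:45 AM CET yp-tools-2.4-1
Sun 05 Nov 2000 02:04:45 AM CET ypbind-3.3-28
Sun 05 Nov 2000 02:04:46 AM CET zlib-1.1.3-6
Sun 05 Nov 2000 02:04:48 AM CET zlib-devel-1.1.3-6
Wed 08 Nov 2000 03:52:26 PM CET am-utils-6.0.1s11-1.6.0
Wed 08 Nov 2000 03:52:32 PM CET lpr-0.48-1
Wed 08 Nov 2000 03:52:32 PM CET make-3.77-6
Wed 08 Nov 2000 03:52:33 PM CET screen-3.9.4-3
Wed 08 Nov 2000 03:52:33 PM CET telnet-0.10-29
Wed 08 Nov 2000 03:52:33 PM CET ypserv-1.3.9-1
Wed 08 Nov 2000 03:53:41 PM CET wu-ftpd-2.6.0-14.6x
Wed 08 Nov 2000 03:53:49 PM CET nfs-utils-0.1.9.1-1""".splitlines()

_SEG = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """-1, 0 or 1 like rpm's rpmvercmp(): compare alternating numeric and
    alphabetic segments; numeric segments compare as integers and beat
    alphabetic ones; the string with segments left over is newer."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """'wu-ftpd-2.6.0-14.6x' -> ('wu-ftpd', '2.6.0', '14.6x')"""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(a, b):
    """Order two builds of the same package: version first, then release."""
    _, va, ra = split_nvr(a)
    _, vb, rb = split_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_last(lines):
    """'Wed 08 Nov 2000 03:52:26 PM CET make-3.77-6' -> (datetime, nvr).
    The zone token is dropped; all lines are in the analyst's zone anyway."""
    out = []
    for line in lines:
        tok = line.split()
        when = datetime.strptime(" ".join(tok[:6]), "%a %d %b %Y %I:%M:%S %p")
        out.append((when, tok[-1]))
    return out


def triage(baseline, last_lines):
    """name -> (added|upgraded|downgraded|same, install day)"""
    base = {split_nvr(p)[0]: p for p in baseline}
    verdict = {}
    for when, nvr in parse_last(last_lines):
        name = split_nvr(nvr)[0]
        if name not in base:
            state = "added"
        else:
            state = {1: "upgraded", 0: "same", -1: "downgraded"}[compare_nvr(nvr, base[name])]
        verdict[name] = (state, when.date().isoformat())
    return verdict


def install_days(last_lines):
    """install day -> package names, to spot days other than the install day."""
    days = {}
    for when, nvr in parse_last(last_lines):
        days.setdefault(when.date().isoformat(), []).append(split_nvr(nvr)[0])
    return days


if __name__ == "__main__":
    for name, (state, day) in sorted(triage(FRESH62, HONEYPOT_LAST).items()):
        print(f"{day} {name:12s} {state}")
```

On a live or mounted system the input for parse_last() is `rpm -qa --last` (or `rpm -qa --qf '%{INSTALLTIME:date} %{NAME}-%{VERSION}-%{RELEASE}\n'`), run against a copy of the rpm database rather than with the suspect host's own rpm binary.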
drwxr-xr-x 2 root root 4096 Nov 8 15:52 ./usr/doc/am-utils-6.0.1s11
-rw-r--r-- 1 root root 9084 Aug 22 1999 ./usr/doc/am-utils-6.0.1s11/AUTHORS
-rw-r--r-- 1 root root 3933 Jan 13 1999 ./usr/doc/am-utils-6.0.1s11/BUGS
-rw-r--r-- 1 root root 147946 Aug 24 1999 ./usr/doc/am-utils-6.0.1s11/ChangeLog
-rw-r--r-- 1 root root 23786 Dec 27 1998 ./usr/doc/am-utils-6.0.1s11/NEWS
-rw-r--r-- 1 root root 3817 Dec 27 1998 ./usr/doc/am-utils-6.0.1s11/README
-rw-r--r-- 1 root root 4113 Nov 5 1998 ./usr/doc/am-utils-6.0.1s11/README.autofs
-rw-r--r-- 1 root root 1225 Mar 30 1999 ./usr/doc/am-utils-6.0.1s11/README.y2k
-rw-r--r-- 1 root root 621985 Aug 24 1999 ./usr/doc/am-utils-6.0.1s11/am-utils.ps
-rw-r--r-- 1 root root 3201 Nov 5 1998 ./usr/doc/am-utils-6.0.1s11/amd.conf-sample
-rw-r--r-- 1 root root 189318 Nov 5 1998 ./usr/doc/am-utils-6.0.1s11/hlfsd.ps
-rw-r--r-- 1 root root 3006 Nov 5 1998 ./usr/doc/am-utils-6.0.1s11/lostaltmail.conf-sample
- Documents of the am-utils-6.0.1s11-1.6.0 package (automounter utilities). This package is not installed in a default RH62 server installation.

drwxr-xr-x 2 root root 4096 Nov 8 15:52 ./usr/doc/make-3.77
-rw-r--r-- 1 root root 26571 Jul 25 1998 ./usr/doc/make-3.77/NEWS
-r--r--r-- 1 root root 2141 Jul 30 1998 ./usr/doc/make-3.77/README
- Documents of the make-3.77-6 package. In the default RH62 server installation it is make-3.78.1-4 that gets installed. Downgraded by the intruder.
drwxr-xr-x 2 root root 4096 Nov 8 15:53 ./usr/doc/nfs-utils-0.1.9.1
-rw-r--r-- 1 root root 2397 Oct 19 1999 ./usr/doc/nfs-utils-0.1.9.1/ChangeLog
-rw-r--r-- 1 root root 563 Oct 19 1999 ./usr/doc/nfs-utils-0.1.9.1/INSTALL
-rw-r--r-- 1 root root 1058 Oct 19 1999 ./usr/doc/nfs-utils-0.1.9.1/KNOWNBUGS
-rw-r--r-- 1 root root 10337 Oct 19 1999 ./usr/doc/nfs-utils-0.1.9.1/NEW
-rw-r--r-- 1 root root 2305 Oct 19 1999 ./usr/doc/nfs-utils-0.1.9.1/README
-rw-r--r-- 1 root root 291 Oct 19 1999 ./usr/doc/nfs-utils-0.1.9.1/THANKS
-rw-r--r-- 1 root root 4517 Oct 19 1999 ./usr/doc/nfs-utils-0.1.9.1/TODO
-rw-r--r-- 1 root root 3882 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/index.html
-rw-r--r-- 1 root root 3882 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/nfs.html
-rw-r--r-- 1 root root 186037 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/nfs.ps
-rw-r--r-- 1 root root 2626 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node1.html
-rw-r--r-- 1 root root 3254 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node10.html
-rw-r--r-- 1 root root 4615 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node11.html
-rw-r--r-- 1 root root 3479 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node12.html
-rw-r--r-- 1 root root 2432 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node13.html
-rw-r--r-- 1 root root 6807 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node14.html
-rw-r--r-- 1 root root 7418 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node15.html
-rw-r--r-- 1 root root 8743 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node16.html
-rw-r--r-- 1 root root 2064 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node17.html
-rw-r--r-- 1 root root 2786 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node18.html
-rw-r--r-- 1 root root 2165 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node19.html
-rw-r--r-- 1 root root 2399 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node2.html
-rw-r--r-- 1 root root 1989 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node20.html
-rw-r--r-- 1 root root 2291 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node21.html
-rw-r--r-- 1 root root 13506 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node22.html
-rw-r--r-- 1 root root 13490 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node23.html
-rw-r--r-- 1 root root 15226 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node24.html
-rw-r--r-- 1 root root 2377 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node25.html
-rw-r--r-- 1 root root 15230 Jun 23 1999 ./usr/doc/nfs-utils-0.1.9.1/node26.html
-rw-r--r-- 1 root root 2377 Jun 23 1999 ./usr/doc/nfs-utils-0.1.9.1/node27.html
-rw-r--r-- 1 root root 2903 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node3.html
-rw-r--r-- 1 root root 3966 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node4.html
-rw-r--r-- 1 root root 2623 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node5.html
-rw-r--r-- 1 root root 4444 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node6.html
-rw-r--r-- 1 root root 4157 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node7.html
-rw-r--r-- 1 root root 3989 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node8.html
-rw-r--r-- 1 root root 2756 Aug 15 1999 ./usr/doc/nfs-utils-0.1.9.1/node9.html
- Documents of the nfs-utils-0.1.9.1-1 package. In the default RH62 server installation it is nfs-utils-0.1.6-2 that gets installed. Upgraded by the intruder.

lrwxrwxrwx 1 root root 8 Nov 5 01:59 ./usr/lib/groff/tmac/tmac.gmse -> tmac.mse
-rw-r--r-- 1 root root 0 Nov 8 11:02 ./usr/lib/perl5/man/whatis
lrwxrwxrwx 1 root root 11 Nov 5 02:01 ./usr/lib/libgif.so -> libgif.so.4
lrwxrwxrwx 1 root root 17 Nov 5 02:01 ./usr/lib/libungif.so -> libungif.so.4.1.0
lrwxrwxrwx 1 root root 15 Nov 8 15:52 ./usr/lib/libamu.so -> libamu.so.2.1.1
lrwxrwxrwx 1 root root 15 Nov 8 15:52 ./usr/lib/libamu.so.2 -> libamu.so.2.1.1
-rwxr-xr-x 1 root root 40370 Aug 30 1999 ./usr/lib/libamu.so.2.1.1
- Libraries.
Installed on Nov 5 (that's when the system was installed) and Nov 8 (when the intruder was around).

-rw-r--r-- 1 root root 7598 Apr 15 1999 ./usr/man/man1/make.1
-rw-r--r-- 1 root root 129824 Oct 20 1999 ./usr/man/man1/screen.1
-rw-r--r-- 1 root root 32150 Aug 18 1999 ./usr/man/man1/telnet.1
-rw-r--r-- 1 root root 3026 Aug 30 1999 ./usr/man/man1/pawd.1
-rwxr-xr-x 1 root root 4650 Jan 6 2000 ./usr/man/man1/lpq.1
-rw-r--r-- 1 root root 7458 Jan 6 2000 ./usr/man/man1/lpr.1
-rw-r--r-- 1 root root 4633 Jan 6 2000 ./usr/man/man1/lprm.1
-rw-r--r-- 1 root root 2861 Jan 6 2000 ./usr/man/man1/lptest.1
-rw-r--r-- 1 root root 1002 Aug 18 1999 ./usr/man/man5/issue.net.5
-rw-r--r-- 1 root root 19031 Aug 30 1999 ./usr/man/man5/amd.conf.5
-rw-r--r-- 1 root root 7845 Jan 6 2000 ./usr/man/man5/printcap.5
-rw-r--r-- 1 root root 1914 Oct 27 1999 ./usr/man/man5/netgroup.5
-rw-r--r-- 1 root root 2739 Oct 27 1999 ./usr/man/man5/ypserv.conf.5
-rw-r--r-- 1 root root 12823 Aug 18 1999 ./usr/man/man8/in.telnetd.8
lrwxrwxrwx 1 root root 12 Nov 8 15:52 ./usr/man/man8/telnetd.8 -> in.telnetd.8
-rw-r--r-- 1 root root 376 Jul 17 2000 ./usr/man/man8/lockd.8.gz
-rw-r--r-- 1 root root 341 Jul 17 2000 ./usr/man/man8/nhfsgraph.8.gz
-rw-r--r-- 1 root root 332 Jul 17 2000 ./usr/man/man8/nhfsnums.8.gz
-rw-r--r-- 1 root root 235 Jul 17 2000 ./usr/man/man8/nhfsrun.8.gz
-rw-r--r-- 1 root root 4030 Jul 17 2000 ./usr/man/man8/nhfsstone.8.gz
lrwxrwxrwx 1 root root 10 Nov 8 15:53 ./usr/man/man8/rpc.lockd.8.gz -> lockd.8.gz
-rw-r--r-- 1 root root 10003 Aug 30 1999 ./usr/man/man8/amd.8
-rw-r--r-- 1 root root 6318 Aug 30 1999 ./usr/man/man8/amq.8
-rw-r--r-- 1 root root 3784 Aug 30 1999 ./usr/man/man8/automount2amd.8
-rw-r--r-- 1 root root 5453 Aug 30 1999 ./usr/man/man8/fixmount.8
-rw-r--r-- 1 root root 2818 Aug 30 1999 ./usr/man/man8/fsinfo.8
-rw-r--r-- 1 root root 9641 Aug 30 1999 ./usr/man/man8/hlfsd.8
-rw-r--r-- 1 root root 2571 Aug 30 1999 ./usr/man/man8/mk-amd-map.8
-rw-r--r-- 1 root root 2806 Aug 30 1999 ./usr/man/man8/wire-test.8
-rw-r--r-- 1 root root 5907 Jan 6 2000 ./usr/man/man8/lpc.8
-rw-r--r-- 1 root root 7422 Jan 6 2000 ./usr/man/man8/lpd.8
-rw-r--r-- 1 root root 3857 Jan 6 2000 ./usr/man/man8/pac.8
-rw-r--r-- 1 root root 2112 Oct 27 1999 ./usr/man/man8/makedbm.8
-rw-r--r-- 1 root root 2492 Oct 27 1999 ./usr/man/man8/mknetid.8
-rw-r--r-- 1 root root 678 Oct 27 1999 ./usr/man/man8/pwupdate.8
-rw-r--r-- 1 root root 592 Oct 27 1999 ./usr/man/man8/revnetgroup.8
-rw-r--r-- 1 root root 6962 Oct 27 1999 ./usr/man/man8/rpc.yppasswdd.8
-rw-r--r-- 1 root root 4004 Oct 27 1999 ./usr/man/man8/rpc.ypxfrd.8
-rw-r--r-- 1 root root 1593 Oct 27 1999 ./usr/man/man8/ypinit.8
-rw-r--r-- 1 root root 25 Oct 27 1999 ./usr/man/man8/yppasswdd.8
-rw-r--r-- 1 root root 2830 Oct 27 1999 ./usr/man/man8/yppush.8
-rw-r--r-- 1 root root 4886 Oct 27 1999 ./usr/man/man8/ypserv.8
-rw-r--r-- 1 root root 4320 Oct 27 1999 ./usr/man/man8/ypxfr.8
-rw-r--r-- 1 root root 22 Oct 27 1999 ./usr/man/man8/ypxfrd.8
- Not interesting. Man pages of the packages that were added.

-rw-r--r-- 1 root root 0 Nov 8 11:02 ./usr/man/whatis
- Empty file. Not relevant. (All three whatis files in this list carry the same 11:02 timestamp, which fits a scheduled makewhatis run rather than the intruder, who shows up from 15:52 on.)

-rw-r--r-- 1 root root 58 Nov 8 15:52 ./usr/man/p
- It is an ASCII file with the following contents:
------------------------------------------------------------------
2 slice2
2 snif
2 pscan
2 imp
3 qd
2 bs.sh
3 nn
3 egg.lin
------------------------------------------------------------------
- Looks like a configuration file for a trojan "ps" or similar that would hide these program names from its output. Probably this is simply a template that came with a rootkit. It has the same size (58 bytes) and timestamp as ./usr/man/.p, the file the trojan pstree reads (see below), so it is probably the same file with the leading dot lost in this listing.
drwxr-xr-x 6 1010 users 4096 Nov 8 15:56 ./usr/man/.Ci
- This directory contains lots of stuff from the intruder. Note that the owner shows as the numeric uid 1010: there is no such user on honeypot, so these files came out of a tar archive that preserved the uid of the box they were packed on (the "tar -xvf" in drosen's history, run as root, keeps the archived ownership).

-rwxr-xr-x 1 1010 users 7229 Jun 3 2000 ./usr/man/.Ci/snif
- snif: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
Extract from the strings output:
------------------------------------------------------------------
...
cant set promiscuous mode
...
sniff.pid
eth0
tcp.log
...
------------------------------------------------------------------
Obviously a sniffer that seems to save its output in a file called "tcp.log". There is a file called tcp.log in this directory but it is empty.

-rwxr-xr-x 1 1010 users 714 Jun 3 2000 ./usr/man/.Ci/a.sh
- A shell script with the following contents:
------------------------------------------------------------------
rm -rf /usr/sbin/rpc.* /usr/sbin/smbd /usr/sbin/portmap
rm -rf /usr/sbin/nmbd /usr/sbin/ypserv /usr/sbin/snmpd
rm -rf /sbin/rpc.statd /usr/sbin/atd /usr/sbin/rpc.rquotad
rm -rf /usr/sbin/lockd /sbin/lockd
rm -rf /usr/sbin/nfsd /usr/bin/nfsd
rm -rf /usr/sbin/rpciod /usr/bin/rpciod
rm -rf /usr/sbin/smbd /usr/bin/smbd
rm -rf /usr/sbin/nmbd /usr/bin/nmbd
rm -rf /usr/sbin/apmd /usr/bin/apmd
rm -rf /usr/sbin/amd /usr/bin/amd
rm -rf /usr/sbin/amq /usr/bin/amq
killall -9 rpc.statd rpc.rquoatd atd nfsd
killall -9 lockd rpciod smbd nmbd
killall -9 amd apmd amq
killall -9 rpc.mountd rpc.portmap rpc.nfsd smbd portmap
killall -9 nmbd snmpd ypasswd rpc.rusersd
killall -9 ypserv
echo "complete."
------------------------------------------------------------------
If executed it would remove several NFS, Samba, automounter and RPC daemons and commands and kill their running instances. These are exactly the services (amd, rpc.statd, NFS) that the exploits in the scan directory below target, so the script closes the door the intruder came in through, presumably to keep anyone else from following.

-rwxr-xr-x 1 1010 users 5324 Jun 3 2000 ./usr/man/.Ci/sp.pl
- Perl script (self-explanatory):
------------------------------------------------------------------
#!/usr/bin/perl
# Sorts the output from LinSniffer 0.03 [BETA] by Mike Edulla
...
[omitted]
------------------------------------------------------------------

-rwxr-xr-x 1 1010 users 132785 Jun 3 2000 ./usr/man/.Ci/qs
- qs: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
From the strings output:
------------------------------------------------------------------
%s - remote server control for Q by Mixter
usage: %s [-p] [-niasd] <-CSB> [more hosts...]
-p shell/bouncer server listening port
-n insecure plaintext servers [encrypted]
-i protocol (I/U/T) [random]
-a custom auth token [hardcoded]
-s source IP [random]
-S spawn qshell server
-B spawn qbounce to
-C execute
-P set a new program as remote shell
-U set a new user id for redirecting
------------------------------------------------------------------
This is a Q server. The client's name is simply "q", which can be found below in this same directory. The following description can be found at http://packetstorm.securify.com/groups/mixter
---
Q v2.0 is a client / server backdoor which features remote shell access with strong encryption for root and normal users, and an encrypted on-demand tcp relay/bouncer that supports encrypted sessions with normal clients using the included tunneling daemon. Also has stealth features like activation via raw packets, syslog spoofing, and single on-demand sessions with variable ports. Changes: Security enhancements, easier usage, and better encryption.
---

-rwxr-xr-x 1 1010 users 350996 Jun 3 2000 ./usr/man/.Ci/syslogd
- syslogd: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped
Trojan version of syslogd. From strings output:
------------------------------------------------------------------
...
/usr/man/.l
...
usage: syslogd [-drvh] [-l hostlist] [-m markinterval] [-n] [-p path] [-s domainlist] [-f conffile]
...
------------------------------------------------------------------
Nevertheless it did not replace the real /sbin/syslogd (same md5sum of /sbin/syslogd in honeypot and fresh62), and the file "/usr/man/.l" does not exist. Maybe the intruder replaced it and later put the original back and removed /usr/man/.l (which is probably meant to be a configuration file with the list of things to hide).

-rwxr-xr-x 1 1010 users 147900 Jun 3 2000 ./usr/man/.Ci/inetd
- inetd: ELF 32-bit LSB executable, Intel 80386, version 1, statically linked, stripped
Trojan version of inetd. It did not replace the original inetd (or it was restored afterwards). Maybe it was executed from here.

-rwxr-xr-x 1 1010 users 698 Jun 3 2000 ./usr/man/.Ci/clean
- Shell script with the following contents:
------------------------------------------------------------------
echo "echoing ip's and shit"
echo "sshd" >> .temp1
echo "log" >> .temp2
echo "games" >> .temp3
echo "209.86" >> .temp4
echo "own" >> .temp5
echo "owned" >> .temp6
echo "Pro" >> .temp7
echo "snif" >> .temp8
echo "ident" >> .temp9
echo "splitrock" >> .temp10
echo "209.255" >> .temp11
echo "echo" >> .temp12
echo "snap'ping"
cat .temp1|./snap $1
cat .temp2|./snap $1
cat .temp3|./snap $1
cat .temp4|./snap $1
cat .temp5|./snap $1
cat .temp6|./snap $1
cat .temp7|./snap $1
cat .temp8|./snap $1
cat .temp9|./snap $1
cat .temp10|./snap $1
cat .temp11|./snap $1
cat .temp12|./snap $1
echo "done"
rm -rf .temp1 .temp2 .temp3 .temp4
rm -rf .temp5 .temp6 .temp7 .temp8
rm -rf .temp9 .temp10 .temp11 .temp12
------------------------------------------------------------------
It passes several strings to "./snap", which is a script that removes records containing those strings from log files. The list is worth keeping: the two address prefixes (209.86 and 209.255) and the word "splitrock" are the things the intruder did not want to appear in the logs, so they are good search terms for the snort logs.

drwxr-xr-x 9 1010 users 4096 Aug 22 04:31 ./usr/man/.Ci/scan
- Under this directory the intruder holds a series of scanners/exploits for some known vulnerabilities.

drwxr-xr-x 2 1010 users 4096 Jun 2 2000 ./usr/man/.Ci/scan/amd
-rwxr-xr-x 1 1010 users 12716 Jun 2 2000 ./usr/man/.Ci/scan/amd/amdx
-rwxr-xr-x 1 1010 users 1455 Jun 2 2000 ./usr/man/.Ci/scan/amd/ben.c
-rwxr-xr-x 1 1010 users 13023 Jun 2 2000 ./usr/man/.Ci/scan/amd/ben
-rwxr-xr-x 1 1010 users 15667 Jun 2 2000 ./usr/man/.Ci/scan/amd/pscan
-rwxr-xr-x 1 1010 users 4442 Jun 2 2000 ./usr/man/.Ci/scan/amd/pscan.c
-rwxr-xr-x 1 1010 users 114 Jun 2 2000 ./usr/man/.Ci/scan/amd/a.sh
- Exploit for the amd buffer overflow vulnerability. "amdx" is the actual exploit. "pscan" is a port scanner and "ben" checks whether RPC program 300019 (amd) is registered on the target host. See: http://www.cert.org/advisories/CA-1999-12.html

drwxr-xr-x 2 1010 users 4096 Jul 15 2000 ./usr/man/.Ci/scan/bind
-rwxr-xr-x 1 1010 users 1760 Jul 15 2000 ./usr/man/.Ci/scan/bind/ibind.sh
-rw-r--r-- 1 1010 users 3980 Jul 6 2000 ./usr/man/.Ci/scan/bind/pscan.c
- Scanner for BIND 8.2 and specifically 8.2.1. See:
http://www.cert.org/advisories/CA-2001-02.html
http://www.cert.org/advisories/CA-1999-14.html
http://www.redhat.com/support/errata/RHSA-2001-007.html

drwxr-xr-x 2 1010 users 4096 Jun 3 2000 ./usr/man/.Ci/scan/x
-rwxr-xr-x 1 1010 users 17969 May 31 2000 ./usr/man/.Ci/scan/x/x
-rwxr-xr-x 1 1010 users 385 May 31 2000 ./usr/man/.Ci/scan/x/xscan
-rwxr-xr-x 1 1010 users 1259 Jun 2 2000 ./usr/man/.Ci/scan/x/xfil
-rw-r--r-- 1 1010 users 3980 May 3 2000 ./usr/man/.Ci/scan/x/pscan.c
-rwxr-xr-x 1 1010 users 15092 Jun 3 2000 ./usr/man/.Ci/scan/x/pscan
- "x" is a keystroke logger for remote X Window sessions (it only works against X servers that accept connections from the network without access control). See the "strings" output:
------------------------------------------------------------------
...
Scanning hostname %s ...
Connecting to %s (%s) on port %d...
opening stream socket
Connected.
Host %s is running X.
Host %s is not running X.
Cannot open display: %s
KEYLOG%s
Cannot open output file
Starting keyboard logging of host %s to file %s...
...
------------------------------------------------------------------

drwxr-xr-x 2 1010 users 4096 Jul 6 2000 ./usr/man/.Ci/scan/wu
-rw-r--r-- 1 1010 users 37760 Jul 6 2000 ./usr/man/.Ci/scan/wu/wu
-rw-r--r-- 1 1010 users 26676 Jul 6 2000 ./usr/man/.Ci/scan/wu/fs
- "fs" is a scanner that, among other things, can identify the OS version of the target. "wu" is an exploit against the setproctitle() vulnerability in wu-ftpd 2.6.0 or earlier. See:
http://www.redhat.com/support/errata/RHSA-2000-039.html
http://www.cert.org/advisories/CA-2000-13.html

drwxr-xr-x 3 1010 users 4096 Jul 16 2000 ./usr/man/.Ci/scan/port
drwxr-xr-x 2 1010 users 4096 Feb 27 1995 ./usr/man/.Ci/scan/port/strobe
-rw------- 1 1010 users 171 Feb 27 1995 ./usr/man/.Ci/scan/port/strobe/INSTALL
-rw------- 1 1010 users 1187 Feb 27 1995 ./usr/man/.Ci/scan/port/strobe/Makefile
-rw------- 1 1010 users 17 Feb 27 1995 ./usr/man/.Ci/scan/port/strobe/VERSION
-rw------- 1 1010 users 3296 Feb 27 1995 ./usr/man/.Ci/scan/port/strobe/strobe.1
-rw------- 1 1010 users 17364 Feb 27 1995 ./usr/man/.Ci/scan/port/strobe/strobe.c
-rw------- 1 1010 users 39950 Feb 27 1995 ./usr/man/.Ci/scan/port/strobe/strobe.services
- "strobe.c" (not compiled here yet) is another, faster, port scanner. It comes with its own man page:
------------------------------------------------------------------
...
NAME
    strobe - Super optimised TCP port prober
SYNOPSIS
    strobe [ -vVbetnSilfs ] [host1 ... [hostn]]
DESCRIPTION
    strobe locates and describes all listening tcp ports on a (remote) host or on many hosts in a bandwidth utilisation maximising, and process resource minimising manner.
...
------------------------------------------------------------------

drwxr-xr-x 2 1010 users 4096 Aug 9 13:58 ./usr/man/.Ci/scan/daemon
-rwxr-xr-x 1 1010 users 12392 Aug 9 13:56 ./usr/man/.Ci/scan/daemon/z0ne
-rw------- 1 1010 users 5907 Aug 9 13:56 ./usr/man/.Ci/scan/daemon/lscan2.c
- "lscan2.c" is yet another scanner. It can be found at http://mixter.warrior2k.com/
"z0ne" is another scanner, usually part of "mscan". See:
http://faqchest.dynhost.com/linux/REDHAT/redhat-98/redhat-9812/redhat-981202/redhat98122402_10739.html

drwxr-xr-x 2 1010 users 4096 Aug 22 04:31 ./usr/man/.Ci/scan/statd
-rw-r--r-- 1 1010 users 19140 Aug 22 04:28 ./usr/man/.Ci/scan/statd/r
-rw-r--r-- 1 1010 users 21800 Aug 22 04:28 ./usr/man/.Ci/scan/statd/statdx
-rw-r--r-- 1 1010 users 4390 Aug 22 04:28 ./usr/man/.Ci/scan/statd/classb
- "statdx" is an exploit for a format string vulnerability in Linux rpc.statd. The source code can be found at:
http://archives.neohapsis.com/archives/bugtraq/2000-08/0013.html
See also: http://www.cert.org/advisories/CA-2000-17.html
"r" is actually "rpcscan", a scanner for RPC services. "classb" is another scanner.

-rwxr-xr-x 1 1010 users 3098 Jun 3 2000 ./usr/man/.Ci/snap
- "snap" is a shell script that removes any occurrence of the string passed as a parameter from the following log files:
/var/log/secure
/var/log/messages
/var/log/xferlog
/usr/adm/secure
/usr/adm/messages
/usr/adm/xferlog

-rwxr-xr-x 1 1010 users 133344 Jun 3 2000 ./usr/man/.Ci/q
- "q" is the client of "qs". See the description of file "qs" above.

-rwxr-xr-x 1 1010 users 49800 Jun 3 2000 ./usr/man/.Ci/pstree
- Trojan version of pstree. It would probably hide the processes named in file /usr/man/.p. From strings:
------------------------------------------------------------------
...
/usr/man/.p
...
------------------------------------------------------------------
That .p configuration file actually existed in honeypot. See its contents above (listed as ./usr/man/p) and below.
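A script like "snap" (and the "clean" wrapper that drives it) cannot edit a log in place; it has to write a filtered copy and move it over the original. That leaves a trace as long as the logging daemon is still running, because syslogd keeps the old inode open and carries on writing into the orphaned file. The following is an added example, not the intruder's code: a minimal cleaner of the assumed shape (grep -v into a temporary file, then rename over the log; the report only says snap removes lines containing the string) and the check that catches it, comparing the inode the daemon holds open with the inode now at the path. The log lines are constructed; "209.86" is one of the strings the "clean" script feeds to snap, and the address after it is made up.

```python
"""A snap-style log cleaner and the open-descriptor check that exposes it
(added example; constructed log lines)."""
import os
import tempfile

SAMPLE_LOG = [  # constructed, RH 6.2 syslog style; not from the honeypot
    "Nov  8 15:50:01 honeypot login[2401]: session opened for user drosen\n",
    "Nov  8 15:52:10 honeypot in.ftpd[2420]: connect from 209.86.0.1\n",
    "Nov  8 15:53:00 honeypot syslogd: -- MARK --\n",
]


def snap(path, needle):
    """Drop every line containing `needle`: filtered copy, then rename.
    The rename is what `mv tmp log` does, and it gives `path` a new inode."""
    tmp = path + ".snap"
    with open(path) as src, open(tmp, "w") as dst:
        for line in src:
            if needle not in line:
                dst.write(line)
    os.replace(tmp, path)


def log_replaced_under_daemon(daemon_fd, path):
    """True when the file the daemon writes to is no longer the file at
    `path`.  On a live box the same check is
    `ls -l /proc/$(pidof syslogd)/fd`, which shows the old log as '(deleted)'."""
    return os.fstat(daemon_fd).st_ino != os.stat(path).st_ino


def demo():
    """Run the cleaner against a daemon that keeps the log open and report
    (check before, check after, what the log file shows afterwards)."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "messages")
        with open(log, "w") as f:
            f.writelines(SAMPLE_LOG)
        daemon = os.open(log, os.O_WRONLY | os.O_APPEND)   # stands in for syslogd
        try:
            before = log_replaced_under_daemon(daemon, log)
            snap(log, "209.86")
            after = log_replaced_under_daemon(daemon, log)
            # Everything the daemon logs from now on lands in the orphaned
            # inode and never shows up in the file an investigator reads.
            os.write(daemon, b"Nov  8 16:05:00 honeypot sshd[2500]: line logged after cleaning\n")
            with open(log) as f:
                visible = f.read()
        finally:
            os.close(daemon)
    return before, after, visible


if __name__ == "__main__":
    before, after, visible = demo()
    print("replaced before cleaning:", before)
    print("replaced after cleaning: ", after)
    print(visible, end="")
```

Two consequences follow for the investigator: the "(deleted)" descriptor is a reliable sign of a cleaned log until syslogd is restarted, and the orphaned file can still be recovered through /proc/<pid>/fd/<n> while that descriptor is open, which is why a compromised host should not be rebooted before the logging daemon's open files have been copied off.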
-rwxr-xr-x 1 1010 users 12495 Jun 3 2000 ./usr/man/.Ci/killall
- Trojan version of the killall command. It would probably -not- kill the processes named in file /dev/.oz/p. From strings:
------------------------------------------------------------------
...
/dev/.oz/p
...
------------------------------------------------------------------
That configuration file is not found in honeypot.

-rwxr-xr-x 1 1010 users 18535 Jun 3 2000 ./usr/man/.Ci/fix
-  fix: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
It probably replaces a file with its trojan version and then adjusts the trojan so that its checksum matches the checksum of the original file; the "time of day" and "modify time" messages show that it also copies the original's timestamps. From strings:
------------------------------------------------------------------
...
cp %s %s
mv %s %s
fix: Can't open %s
fix: Last 17 bytes not zero
fix: Can't fix checksum
fix: No permission to change owner or no such file
fix: No permission to change mode or no such file
fix: File %s fixed
fix: read error on %s
fix: Can't read time of day
fix: Can't set time of day
fix: Can't change modify time
Usage: fix original replacement [backup]
...
------------------------------------------------------------------

-rwxr-xr-x 1 1010 users 83 Jun 4 2000 ./usr/man/.Ci/addps
- addps: Bourne shell script text
Script that appends the process name passed as argument to file /dev/ptyp so that the trojan versions of ps and top do not show it.

-rwxr-xr-x 1 1010 users 185988 Jun 3 2000 ./usr/man/.Ci/find
- Trojan version of the find command. It would probably hide files named in file "/dev/.oz/r". From strings:
------------------------------------------------------------------
...
/dev/.oz/p
...
------------------------------------------------------------------
That configuration file is not found in honeypot.

-rwxr-xr-x 1 1010 users 328 Jun 3 2000 ./usr/man/.Ci/do
- do: ASCII text
It is a shell script that removes any line with the text "own" or "adm1" from /etc/passwd and /etc/shadow.

-rwxr-xr-x 1 1010 users 12408 Jun 3 2000 ./usr/man/.Ci/addn
- addn: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
This program adds the network address passed to it to the file /usr/libexec/awk/addy.awk so that the trojan version of netstat does not show connections to it. From strings:
------------------------------------------------------------------
...
enter classb to hide in netstat: %d.%d
doing it like they do it on the discovery channel
echo 1 %d.%d >> /usr/libexec/awk/addy.awk
echo 2 %d.%d >> /usr/libexec/awk/addy.awk
added %d.%d to the hidden list
...
------------------------------------------------------------------
Note: File /usr/libexec/awk/addy.awk existed in honeypot with the following contents:
------------------------------------------------------------------
...
1 65.1
2 65.1
1 134518464.134518444
2 134518464.134518444
1 216.149
2 216.149
...
------------------------------------------------------------------
So the intruder hid the class B networks 65.1 and 216.149. The middle pair is not a network: 134518464 and 134518444 are 0x080496C0 and 0x080496AC, addresses in the data segment of a typical i386 ELF binary, so that entry was most likely produced by running addn with bad input (a guess).

drwxr-xr-x 2 1010 users 4096 Aug 9 13:35 ./usr/man/.Ci/paki
-rwxr-xr-x 1 1010 users 8524 Jun 3 2000 ./usr/man/.Ci/paki/slice2
-rw-r--r-- 1 1010 users 6793 May 15 2000 ./usr/man/.Ci/paki/stream.c
- "slice2" is a well known DoS program. Source code can be found at http://www.computec.ch/exploits/dos/?M=A
- "stream.c" is another DoS program. See: ftp://ftp.technotronic.com/denial/stream-DoS.txt

drwxr-xr-x 6 1010 users 4096 Nov 8 15:56 ./usr/man/.Ci/
drwxr-xr-x 6 1010 users 4096 Nov 8 15:56 ./usr/man/.Ci/
- Here the script shows what seems to be a repetition of the already commented /usr/man/.Ci directory.
Actually it is a subdirectory called " " (white space) whose contents are:
------------------------------------------------------------------
...
total 12
drwxr-xr-x 2 1010 users 4096 Jul 7 2000 .
drwxr-xr-x 6 1010 users 4096 Nov 8 15:56 ..
-rwxr-xr-x 1 1010 users 118 Jul 7 2000 Anap
...
------------------------------------------------------------------
Anap: Bourne shell script text
It removes everything under /usr/tmp/nap and creates a brand new, empty /usr/tmp/nap. In honeypot the file exists and it contains the root password of a system (another victim?). See that file later in this analysis. Note this is the same " " directory that drosen's history shows the intruder changing into before running "./install".

-rwxr-xr-x 1 1010 users 188 Oct 12 00:43 ./usr/man/.Ci/rmS
- rmS: Bourne shell script text
This is a script that removes the following files/directories:
ssh*
install*
wuftpd.rpm
nfs-utils-0.1.9.1-1.i386.rpm
It confirms the intruder upgraded nfs-utils (so that the system would not be vulnerable anymore to the method he/she used to get in) and also installed ssh and wuftpd (real or trojan?).

-rwxr-xr-x 1 1010 users 1052024 Aug 9 13:19 ./usr/man/.Ci/bx
- bx: ELF 32-bit LSB executable, Intel 80386, version 1, dynamically linked (uses shared libs), not stripped
"bx" is "BitchX", a text-based UNIX IRC client.
See "http://www.bitchx.com"

-rwxr-xr-x 1 1010 users 699 Aug 11 19:49 ./usr/man/.Ci/chmod-it
- chmod-it: ASCII text
It is a script that sets mode 700 on the following files:
------------------------------------------------------------------
/bin/ping
/sbin/dump
/sbin/restore
/usr/bin/at
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/suidperl
/usr/libexec/pt_chown
/usr/sbin/traceroute
/usr/sbin/userhelper
/usr/sbin/usernetctl
/usr/X11R6/bin/Xwrapper
------------------------------------------------------------------
These are the setuid-root programs of a default RH62 installation. Mode 700 clears the setuid bit and makes them root-only, which keeps other local users (and other intruders) away from the usual local privilege escalation paths.

-rwxr-xr-x 1 1010 users 156 Aug 22 04:38 ./usr/man/.Ci/needz
- needz: Bourne shell script text
------------------------------------------------------------------
#!/bin/sh
echo ftp://rpmfind.net/linux/SuSE-Linux/i386/6.3/suse/ap1/pico.rpm
echo .
echo ftp://ftp.uni-erlangen.de/pub/utilities/screen/screen-3.9.5.tar.gz
------------------------------------------------------------------
Looks like a reminder of where to get the pico and screen packages. Did he get them? Don't know yet, but if he did get them from those places they would be official (not trojan) versions.

drwxr-xr-x 2 root root 4096 Nov 8 15:52 ./usr/man/.Ci/backup
-r-xr-xr-x 1 root root 60080 Nov 8 15:52 ./usr/man/.Ci/backup/ps
-r-xr-xr-x 1 root root 34896 Nov 8 15:52 ./usr/man/.Ci/backup/top
-rwxr-xr-x 1 root root 43024 Nov 8 15:52 ./usr/man/.Ci/backup/ls
-rwxr-xr-x 1 root root 66736 Nov 8 15:52 ./usr/man/.Ci/backup/netstat
-rwxr-xr-x 1 root root 42736 Nov 8 15:52 ./usr/man/.Ci/backup/ifconfig
-rwxr-xr-x 1 root root 23568 Nov 8 15:52 ./usr/man/.Ci/backup/tcpd
- I like this directory. Our intruder is a tidy fellow. It holds a copy of the original programs that he has replaced with trojans. I've checked the md5sum and they are indeed the originals.
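Checking these backups with md5sum rather than with sum(1) is the right call, and the "fix" tool listed earlier in this directory shows why. The block below is an added example, not the rootkit's code: it assumes the checksum "fix" adjusts is the 16-bit rotating BSD checksum printed by `sum -r`, which is what the classic lrk fix.c targets (the strings on this page only show that the tool wants 17 trailing zero bytes and then "fixes" the checksum). Since one more input byte moves the 16-bit accumulator from s to any value in [rot(s), rot(s)+255], the set of checksums reachable after each trailing byte is a union of 256-wide intervals; the code tracks those sets forward over the 17 spare bytes and walks back to recover the bytes, then shows that the forged trojan has the original's sum but a different md5. The original and trojan contents are constructed stand-ins; copying ownership, mode and mtime, which the real tool also does, is left out.

```python
"""Forging a BSD sum(1) checksum the way a rootkit "fix" tool must
(added example, constructed data; assumes the 16-bit `sum -r` algorithm)."""
import hashlib
from itertools import accumulate

MASK = 0xFFFF
TRAILER = 17          # "fix: Last 17 bytes not zero": the bytes the tool may rewrite


def _rot(c):
    """One BSD-sum step: rotate the 16-bit accumulator right by one bit."""
    return ((c >> 1) | ((c & 1) << 15)) & MASK


def bsd_sum(data, state=0):
    """The `sum -r` checksum of `data`, continuing from accumulator `state`."""
    for b in data:
        state = (_rot(state) + b) & MASK
    return state


def forge_trailer(state, target, n=TRAILER):
    """Return n bytes that drive the accumulator from `state` to `target`.
    levels[k] is a bitmap of the values reachable after k bytes."""
    level = bytearray(65536)
    level[state] = 1
    levels = [level]
    for _ in range(n):
        diff = [0] * 65537          # difference array over one 256-wide interval per state
        for s in range(65536):
            if levels[-1][s]:
                lo = _rot(s)
                diff[lo] += 1
                if lo + 256 <= 65536:
                    diff[lo + 256] -= 1
                else:               # interval wraps past 0xffff
                    diff[65536] -= 1
                    diff[0] += 1
                    diff[lo + 256 - 65536] -= 1
        levels.append(bytearray(1 if v else 0 for v in accumulate(diff[:65536])))
    if not levels[n][target]:
        raise ValueError("fix: Can't fix checksum")
    out, cur = [], target
    for k in range(n, 0, -1):       # walk back: pick any predecessor whose interval holds cur
        for s in range(65536):
            if levels[k - 1][s] and (cur - _rot(s)) & MASK < 256:
                out.append((cur - _rot(s)) & MASK)
                cur = s
                break
    out.reverse()
    return bytes(out)


def fix_checksum(original, trojan):
    """Rewrite the trojan's zero trailer so bsd_sum(result) == bsd_sum(original)."""
    if len(trojan) < TRAILER or any(trojan[-TRAILER:]):
        raise ValueError("fix: Last 17 bytes not zero")
    body = trojan[:-TRAILER]
    return body + forge_trailer(bsd_sum(body), bsd_sum(original))


def md5(data):
    return hashlib.md5(data).hexdigest()


# Constructed stand-ins for /bin/ps and its trojan (the real ones are ELF binaries).
ORIGINAL = b"the real /bin/ps from the RH 6.2 procps package\n" * 40
TROJAN = b"trojan ps: hides the processes named in /dev/ptyp\n" * 40 + bytes(TRAILER)

if __name__ == "__main__":
    forged = fix_checksum(ORIGINAL, TROJAN)
    print("sum original %5d  sum forged %5d" % (bsd_sum(ORIGINAL), bsd_sum(forged)))
    print("md5 original", md5(ORIGINAL))
    print("md5 forged  ", md5(forged))
```

A 16-bit checksum has only 65536 values, so matching it costs nothing; together with the tool's copying of timestamps (and, judging by the "set time of day" strings, resetting the clock so that even ctime matches), only a cryptographic hash compared against a known-good copy, as done with fresh62 here, tells the backup from the trojan.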
All of them have been replaced by trojans in honeypot:
- ps - Hides processes listed in /dev/ptyp
- top - Hides processes listed in /dev/ptyp
- ls - Hides files listed in /usr/man/r
- netstat - Hides network connections listed in /usr/libexec/awk/addy.awk
- ifconfig - What special 'features' does it offer? (The usual rootkit ifconfig hides the PROMISC flag so that the sniffer goes unnoticed; not verified here.)
- tcpd - Configured in "/usr/man/.a"; probably doesn't log connections to/from those networks and ports.

-rw-r--r-- 1 root root 5 Nov 8 15:52 ./usr/man/.Ci/sniff.pid
- A file containing "2485", the PID the sniffer got the last time it was launched.

-rw-r--r-- 1 root root 0 Nov 8 15:52 ./usr/man/.Ci/tcp.log
- Empty file. This should contain the output from the sniffer. Something went wrong? Our intruder didn't configure it properly? Was it emptied later and the timestamp modified?

-rw-r--r-- 1 root root 58 Nov 8 15:52 ./usr/man/.p
- Configuration file for the trojan pstree. The intruder didn't replace pstree with its trojan, though. Interestingly, Red Hat 7.0 shows the following output from the "file" command: ".p: fsav (linux) virus (28275-50)". See http://www.fsecure.com. (This is a mismatch in file(1)'s magic database, not a real infection; the file is the short text listed above.)

-rw-r--r-- 1 root root 61 Nov 8 15:52 ./usr/man/r
- Configuration file for the trojan ls.

-rw-r--r-- 1 root root 102 Nov 8 15:52 ./usr/man/.a
- Configuration file for the trojan tcpd. Red Hat 7.0 shows the following output from the file command: ".a: fsav (linux) virus (13110-50)"

-rw-r--r-- 1 root root 0 Nov 8 11:02 ./usr/X11R6/man/whatis
- Uninteresting.

lrwxrwxrwx 1 root root 13 Nov 5 02:04 ./usr/bin/kbdrate -> consolehelper
- Uninteresting.

-rwxr-xr-x 1 root root 8024 Aug 30 1999 ./usr/bin/pawd
- Command that gets installed with the am-utils package. It prints the automounter working directory.

lrwxrwxrwx 1 root root 9 Nov 8 15:52 ./usr/games/.bash_history -> /dev/null
- A .bash_history file linked to /dev/null so that no command history is actually kept. But that would be for user "games"; did the intruder use that login at some point?
  What he did was to link every .bash_history file in honeypot to /dev/null, probably "just in case", except the one of user drosen (a mistake?).

-rw-r--r-- 1 root root 15625 Aug 30 1999 ./usr/info/am-utils.info-1.gz
-rw-r--r-- 1 root root 15324 Aug 30 1999 ./usr/info/am-utils.info-2.gz
-rw-r--r-- 1 root root 14152 Aug 30 1999 ./usr/info/am-utils.info-3.gz
-rw-r--r-- 1 root root 13984 Aug 30 1999 ./usr/info/am-utils.info-4.gz
-rw-r--r-- 1 root root 15354 Aug 30 1999 ./usr/info/am-utils.info-5.gz
-rw-r--r-- 1 root root 5011 Aug 30 1999 ./usr/info/am-utils.info-6.gz
-rw-r--r-- 1 root root 7086 Aug 30 1999 ./usr/info/am-utils.info-7.gz
-rw-r--r-- 1 root root 2954 Aug 30 1999 ./usr/info/am-utils.info.gz

- info pages from the automounter package.

-rws--x--x 1 root root 604938 Nov 8 15:53 ./usr/local/bin/ssh1
lrwxrwxrwx 1 root root 4 Nov 8 15:53 ./usr/local/bin/ssh -> ssh1
lrwxrwxrwx 1 root root 3 Nov 8 15:53 ./usr/local/bin/slogin -> ssh
-rwxr-xr-x 1 root root 327262 Nov 8 15:53 ./usr/local/bin/ssh-keygen1
lrwxrwxrwx 1 root root 11 Nov 8 15:53 ./usr/local/bin/ssh-keygen -> ssh-keygen1
-rwxr-xr-x 1 root root 343586 Nov 8 15:53 ./usr/local/bin/ssh-agent1
lrwxrwxrwx 1 root root 10 Nov 8 15:53 ./usr/local/bin/ssh-agent -> ssh-agent1
-rwxr-xr-x 1 root root 337617 Nov 8 15:53 ./usr/local/bin/ssh-add1
lrwxrwxrwx 1 root root 8 Nov 8 15:53 ./usr/local/bin/ssh-add -> ssh-add1
-rwxr-xr-x 1 root root 90424 Nov 8 15:53 ./usr/local/bin/scp1
lrwxrwxrwx 1 root root 4 Nov 8 15:53 ./usr/local/bin/scp -> scp1
-rwxr-xr-x 1 root root 21228 Nov 8 15:53 ./usr/local/bin/make-ssh-known-hosts1
lrwxrwxrwx 1 root root 21 Nov 8 15:53 ./usr/local/bin/make-ssh-known-hosts -> make-ssh-known-hosts1
-rwxr-xr-x 1 root root 6416 Nov 8 15:54 ./usr/local/bin/addr
-rwxr-xr-x 1 root root 271188 Nov 8 15:54 ./usr/local/bin/dig
-rwxr-xr-x 1 root root 241744 Nov 8 15:54 ./usr/local/bin/dnsquery
-rwxr-xr-x 1 root root 260816 Nov 8 15:54 ./usr/local/bin/host
-rwxr-xr-x 1 root root 3296 Nov 8 15:54 ./usr/local/bin/mkservdb
-rwxr-xr-x 1 root root 241792 Nov 8 15:54 ./usr/local/bin/nsupdate
-rw-r--r-- 1 root root 5824 Nov 8 15:53 ./usr/local/man/man1/ssh-keygen1.1
lrwxrwxrwx 1 root root 13 Nov 8 15:53 ./usr/local/man/man1/ssh-keygen.1 -> ssh-keygen1.1
-rw-r--r-- 1 root root 6265 Nov 8 15:53 ./usr/local/man/man1/ssh-agent1.1
lrwxrwxrwx 1 root root 12 Nov 8 15:53 ./usr/local/man/man1/ssh-agent.1 -> ssh-agent1.1
-rw-r--r-- 1 root root 4007 Nov 8 15:53 ./usr/local/man/man1/ssh-add1.1
lrwxrwxrwx 1 root root 10 Nov 8 15:53 ./usr/local/man/man1/ssh-add.1 -> ssh-add1.1
-rw-r--r-- 1 root root 4892 Nov 8 15:53 ./usr/local/man/man1/scp1.1
lrwxrwxrwx 1 root root 6 Nov 8 15:53 ./usr/local/man/man1/scp.1 -> scp1.1
lrwxrwxrwx 1 root root 6 Nov 8 15:53 ./usr/local/man/man1/slogin1.1 -> ssh1.1
lrwxrwxrwx 1 root root 5 Nov 8 15:53 ./usr/local/man/man1/slogin.1 -> ssh.1
-rw-r--r-- 1 root root 38572 Nov 8 15:53 ./usr/local/man/man1/ssh1.1
lrwxrwxrwx 1 root root 6 Nov 8 15:53 ./usr/local/man/man1/ssh.1 -> ssh1.1
-rw-r--r-- 1 root root 12272 Nov 8 15:53 ./usr/local/man/man1/make-ssh-known-hosts1.1
lrwxrwxrwx 1 root root 23 Nov 8 15:53 ./usr/local/man/man1/make-ssh-known-hosts.1 -> make-ssh-known-hosts1.1
-rw-r--r-- 1 root root 37023 Nov 8 15:53 ./usr/local/man/man8/sshd1.8
lrwxrwxrwx 1 root root 7 Nov 8 15:53 ./usr/local/man/man8/sshd.8 -> sshd1.8
-rwxr-xr-x 1 root root 643674 Nov 8 15:53 ./usr/local/sbin/sshd1
lrwxrwxrwx 1 root root 5 Nov 8 15:53 ./usr/local/sbin/sshd -> sshd1
-rwxr-xr-x 1 root root 263960 Nov 8 15:54 ./usr/local/sbin/irpd
-rwxr-xr-x 1 root root 525412 Nov 8 15:54 ./usr/local/sbin/named
-rwxr-xr-x 1 root root 7166 Nov 8 15:54 ./usr/local/sbin/named-bootconf
-rwxr-xr-x 1 root root 36960 Nov 8 15:54 ./usr/local/sbin/ndc

- Binaries and man pages from ssh and BIND which were installed by the intruder. Trojans? Oh yes! From "strings sshd":
------------------------------------------------------------------
...
/usr/tmp/nap
...
------------------------------------------------------------------
  Strange name for a file to be used by sshd ;-) This file existed in honeypot and held a login, password and hostname. I bet it collects that information from every connection it receives.

  And what about named? Oh yes! From strings:
------------------------------------------------------------------
...
@(#)named 8.2.2-P5 Thu Nov 25 16:18:38 CST 1999
root@zagnut.goobe.net:/dev/.oz/src/bin/named
root@zagnut.goobe.net:/dev/.oz/src/bin/named
...
------------------------------------------------------------------
  Recall we found a couple of trojans (killall, find) that would look for their configuration in files under /dev/.oz. Nevertheless, these two trojans were not installed in honeypot and /dev/.oz does not exist. So? This trojan named was installed but the system wouldn't start it. Did the intruder launch it by hand? What are the special features of this named? Don't know.

-rwxr-xr-x 1 root root 106640 Aug 30 1999 ./usr/sbin/amd
-rwxr-xr-x 1 root root 13892 Aug 30 1999 ./usr/sbin/amq
-rwxr-xr-x 1 root root 1043 Aug 30 1999 ./usr/sbin/am-eject
-rwxr-xr-x 1 root root 1392 Aug 30 1999 ./usr/sbin/amd2ldif
-rwxr-xr-x 1 root root 1003 Aug 30 1999 ./usr/sbin/amd2sun
-rwxr-xr-x 1 root root 2257 Aug 30 1999 ./usr/sbin/automount2amd
-rwxr-xr-x 1 root root 2170 Aug 30 1999 ./usr/sbin/ctl-hlfsd
-rwxr-xr-x 1 root root 10808 Aug 30 1999 ./usr/sbin/fixmount
-rwxr-xr-x 1 root root 404 Aug 30 1999 ./usr/sbin/fixrmtab
-rwxr-xr-x 1 root root 1521 Aug 30 1999 ./usr/sbin/fix-amd-map
-rwxr-xr-x 1 root root 34784 Aug 30 1999 ./usr/sbin/fsinfo
-rwxr-xr-x 1 root root 29656 Aug 30 1999 ./usr/sbin/hlfsd
-rwxr-xr-x 1 root root 18412 Aug 30 1999 ./usr/sbin/lostaltmail
-rwxr-xr-x 1 root root 7588 Aug 30 1999 ./usr/sbin/mk-amd-map
-rwxr-xr-x 1 root root 804 Aug 30 1999 ./usr/sbin/wait4amd
-rwxr-xr-x 1 root root 965 Aug 30 1999 ./usr/sbin/wait4amd2die
-rwxr-xr-x 1 root root 5140 Aug 30 1999 ./usr/sbin/wire-test

- Binaries from the automounter package.

-rw-r--r-- 1 root root 78 Nov 8 15:55 ./usr/libexec/awk/addy.awk

- Configuration file for trojan netstat. See above.

drwxr-xr-x 2 root root 12288 Nov 5 01:55 ./var/lost+found

- Uninteresting. /var was a mountpoint in honeypot.

-rw-r----- 1 root slocate 238767 Nov 8 11:02 ./var/lib/slocate/slocate.db
-rw-r--r-- 1 root root 464 Nov 8 11:02 ./var/lib/logrotate.status
-rw-r--r-- 1 root root 140 Nov 5 16:33 ./var/log/httpd/error_log
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/log/httpd/access_log
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/kudzu
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/network
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/portmap
-rw-r--r-- 1 root root 0 Nov 8 15:54 ./var/lock/subsys/nfslock
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/apmd
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/random
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/netfs
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/syslog
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/identd
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/atd
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/crond
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/inet
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/lpd
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/keytable
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/sendmail
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/gpm
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/httpd
-rw-r--r-- 1 root root 0 Nov 5 16:33 ./var/lock/subsys/xfs
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/apmd.pid
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/syslogd.pid
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/klogd.pid
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/identd.pid
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/atd.pid
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/crond.pid
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/inetd.pid
-rw-r--r-- 1 root root 32 Nov 5 16:33 ./var/run/sendmail.pid
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/httpd.pid
-rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/run/gpm.pid
-rw-r--r-- 1 root root 4096 Nov 6 10:00 ./var/run/ftp.pids-all
-rw-r--r-- 1 root root 5 Nov 8 15:53 ./var/run/sshd.pid
srw------- 1 root root 0 Nov 8 15:54 ./var/run/ndc
-rw-r--r-- 1 root root 5 Nov 8 15:54 ./var/run/named.pid
-rw------- 1 root root 9 Nov 8 11:02 ./var/spool/anacron/cron.daily

- Only the files with timestamp 8 Nov are of interest. Let's see:

-rw-r----- 1 root slocate 238767 Nov 8 11:02 ./var/lib/slocate/slocate.db
-rw-r--r-- 1 root root 464 Nov 8 11:02 ./var/lib/logrotate.status
-rw------- 1 root root 9 Nov 8 11:02 ./var/spool/anacron/cron.daily

  Uninteresting. Related to logrotate, from cron.daily.

-rw-r--r-- 1 root root 0 Nov 8 15:54 ./var/lock/subsys/nfslock
-rw-r--r-- 1 root root 5 Nov 8 15:53 ./var/run/sshd.pid
srw------- 1 root root 0 Nov 8 15:54 ./var/run/ndc
-rw-r--r-- 1 root root 5 Nov 8 15:54 ./var/run/named.pid

  Our intruder launched the automounter he had just installed, his special sshd ;-) and named and ndc (BIND). So he did run his special named. I'd love to know the special features it hides, but I haven't been able to find them yet.

-rw-r--r-- 1 root root 184 Nov 8 16:02 ./var/tmp/nap

- /var/tmp/nap is the same as /usr/tmp/nap since /usr/tmp is a link to /var/tmp. It is the file used by the trojan sshd. Its contents:

+-[ User Login ]-------------------- --- --- - -
| username: root password: tw1Lightz0ne hostname: c871553-b.jffsn1.mo.home.com
+----------------------------------- ----- --- -- -- -

  It seems to me that sshd logs this info (username, password, hostname) for every incoming connection. So this would indicate that the intruder logged into honeypot as root from c871553-b.jffsn1.mo.home.com (24.12.200.186) using that password.
lrwxrwxrwx 1 root root 9 Nov 8 15:52 ./tmp/.bash_history -> /dev/null

- Again a .bash_history file linked to /dev/null.

srw-rw-rw- 1 root root 0 Nov 5 16:33 ./dev/log
lrwxrwxrwx 1 root root 15 Nov 5 01:57 ./dev/fd -> ../proc/self/fd
lrwxrwxrwx 1 root root 17 Nov 5 01:57 ./dev/stderr -> ../proc/self/fd/2
lrwxrwxrwx 1 root root 17 Nov 5 01:57 ./dev/stdin -> ../proc/self/fd/0
lrwxrwxrwx 1 root root 17 Nov 5 01:57 ./dev/stdout -> ../proc/self/fd/1
srwxrwxrwx 1 root root 0 Nov 5 16:33 ./dev/gpmctl

- Uninteresting.

-rw-r--r-- 1 1010 users 171 Jun 3 2000 ./dev/ptyp

- Configuration file for trojans ps and top.

drwxr-xr-x 2 root root 1024 Nov 8 15:52 ./etc/X11/wmconfig
-rw-r--r-- 1 root root 114 Aug 18 1999 ./etc/X11/wmconfig/telnet

- He did something in this directory. Maybe he copied that "telnet" file into it. This is a text file:
------------------------------------------------------------------
telnet name "telnet"
telnet description "Telnet Client"
telnet exec "xterm -e telnet &"
telnet group "Networking"
------------------------------------------------------------------
  What for? I believe this would create a shortcut for executing "xterm -e telnet &" in the X Window workspace, but the intruder cannot use it remotely, right?
  Maybe it was a coincidence that the sysadmin created that shortcut exactly while the intruder was installing all his stuff %-)

lrwxrwxrwx 1 root root 43 Nov 5 02:01 ./etc/rc.d/init.d/linuxconf -> /usr/lib/linuxconf/redhat/scripts/linuxconf
-rwxr-xr-x 1 root root 766 Aug 30 1999 ./etc/rc.d/init.d/amd
lrwxrwxrwx 1 root root 19 Nov 5 02:01 ./etc/rc.d/rc0.d/K00linuxconf -> ../init.d/linuxconf
lrwxrwxrwx 1 root root 13 Nov 8 15:52 ./etc/rc.d/rc0.d/K28amd -> ../init.d/amd
lrwxrwxrwx 1 root root 19 Nov 5 02:01 ./etc/rc.d/rc1.d/K00linuxconf -> ../init.d/linuxconf
lrwxrwxrwx 1 root root 13 Nov 8 15:52 ./etc/rc.d/rc1.d/K28amd -> ../init.d/amd
lrwxrwxrwx 1 root root 19 Nov 5 02:01 ./etc/rc.d/rc2.d/S99linuxconf -> ../init.d/linuxconf
lrwxrwxrwx 1 root root 13 Nov 8 15:52 ./etc/rc.d/rc2.d/K28amd -> ../init.d/amd
lrwxrwxrwx 1 root root 19 Nov 5 02:01 ./etc/rc.d/rc3.d/S99linuxconf -> ../init.d/linuxconf
lrwxrwxrwx 1 root root 13 Nov 8 15:52 ./etc/rc.d/rc3.d/K28amd -> ../init.d/amd
lrwxrwxrwx 1 root root 19 Nov 5 02:01 ./etc/rc.d/rc4.d/S99linuxconf -> ../init.d/linuxconf
lrwxrwxrwx 1 root root 13 Nov 8 15:52 ./etc/rc.d/rc4.d/K28amd -> ../init.d/amd
lrwxrwxrwx 1 root root 19 Nov 5 02:01 ./etc/rc.d/rc5.d/S99linuxconf -> ../init.d/linuxconf
lrwxrwxrwx 1 root root 13 Nov 8 15:52 ./etc/rc.d/rc5.d/K28amd -> ../init.d/amd
lrwxrwxrwx 1 root root 19 Nov 5 02:01 ./etc/rc.d/rc6.d/K00linuxconf -> ../init.d/linuxconf
lrwxrwxrwx 1 root root 13 Nov 8 15:52 ./etc/rc.d/rc6.d/K28amd -> ../init.d/amd
-rwxr-xr-x 1 root root 56 Aug 30 1999 ./etc/sysconfig/amd
-rw------- 1 root root 670 Aug 30 1999 ./etc/amd.conf
-rw-r----- 1 root root 105 Aug 30 1999 ./etc/amd.net

- More files from the installation of amd. The linuxconf files also exist in fresh62. A bug in my script? Probably.
-rw-rw-r-- 1 root root 12288 Nov 8 15:53 ./etc/psdevtab
-rw------- 1 root root 537 Nov 8 15:53 ./etc/ssh_host_key
-rw-r--r-- 1 root root 341 Nov 8 15:53 ./etc/ssh_host_key.pub
-rw-r--r-- 1 root root 880 Nov 8 15:53 ./etc/ssh_config
-rw-r--r-- 1 root root 684 Nov 8 15:53 ./etc/sshd_config
-rw------- 1 root root 512 Nov 8 16:53 ./etc/ssh_random_seed

- More files from the installation and execution of ssh.

-rwxr-xr-x 1 root root 1052024 Nov 8 15:52 ./bin/bx

- The BitchX irc client. Already analysed. See above.

drwxr-xr-x 2 root root 1024 Nov 8 15:53 ./root/.ssh
-rw------- 1 root root 512 Nov 8 15:53 ./root/.ssh/random_seed

- More files from the execution of ssh.

drwxr-xr-x 2 root root 1024 Nov 5 16:37 ./floppy

- Empty dir. Probably the sysadmin that installed honeypot did not like the /mnt/floppy mountpoint ;-)

lrwxrwxrwx 1 root root 9 Nov 8 15:52 ./.bash_history -> /dev/null

- Another .bash_history file linked to /dev/null. See above.

drwxr-xr-x 2 root root 1024 Aug 30 1999 ./.automount

- Empty dir. Another consequence of the installation of the automounter.

#############################################################################################
####                                                                                     ####
####      END OF FILES THAT EXIST IN honeypot AND DO NOT EXIST IN fresh62                ####
####                                                                                     ####
#############################################################################################

Now the files that have changed.
#############################################################################################
####                                                                                     ####
####  BEGINNING OF FILES THAT EXIST BOTH IN honeypot AND fresh62 AND ARE DIFFERENT       ####
####                                                                                     ####
#############################################################################################

honeypot: -rw-r--r-- 1 root root 202709 Mar 8 2000 ./boot/System.map-2.2.14-5.0
fresh62 : -rw-r--r-- 1 root root 203645 Mar 8 2000 ./boot/System.map-2.2.14-5.0
honeypot: -rwxr-xr-x 1 root root 1638964 Mar 8 2000 ./boot/vmlinux-2.2.14-5.0
fresh62 : -rwxr-xr-x 1 root root 1615706 Mar 8 2000 ./boot/vmlinux-2.2.14-5.0
honeypot: -rw-r--r-- 1 root root 640052 Mar 8 2000 ./boot/vmlinuz-2.2.14-5.0
fresh62 : -rw-r--r-- 1 root root 622249 Mar 8 2000 ./boot/vmlinuz-2.2.14-5.0
honeypot: -rw-r--r-- 1 root root 512 Nov 5 02:05 ./boot/boot.0300
fresh62 : -rw-r--r-- 1 root root 512 Jan 27 02:06 ./boot/boot.0300
honeypot: -rw------- 1 root root 10240 Nov 5 02:05 ./boot/map
fresh62 : -rw------- 1 root root 13312 Jan 27 02:06 ./boot/map
honeypot: -rw-r--r-- 1 root root 149 Mar 8 2000 ./lib/modules/2.2.14-5.0/.rhkmvtag
fresh62 : -rw-r--r-- 1 root root 149 Mar 8 2000 ./lib/modules/2.2.14-5.0/.rhkmvtag
honeypot: -rw-r--r-- 1 root root 40056 Mar 8 2000 ./lib/modules/2.2.14-5.0/block/DAC960.o
fresh62 : -rw-r--r-- 1 root root 39264 Mar 8 2000 ./lib/modules/2.2.14-5.0/block/DAC960.o

******* REST OF FILES UNDER ./lib/modules/2.2.14-5.0 OMITTED *******

- The kernel (and all of its modules) differs from the one in fresh62. It could simply be a different build from Red Hat (386, 586, 686), or the intruder could have modified it and disguised the MAC times, or the sysadmin could have used a special kernel (an instrumented one that allows some special events to be recorded?). Will check later if I have the time.
honeypot: -rwxr-xr-x 1 root root 12384 Oct 27 1999 ./usr/lib/yp/makedbm
fresh62 : -rwxr-xr-x 1 root root 11804 Mar 7 2000 ./usr/lib/yp/makedbm
honeypot: -rwxr-xr-x 1 root root 10244 Oct 27 1999 ./usr/lib/yp/mknetid
fresh62 : -rwxr-xr-x 1 root root 9584 Mar 7 2000 ./usr/lib/yp/mknetid
honeypot: -rwxr-xr-x 1 root root 10004 Oct 27 1999 ./usr/lib/yp/revnetgroup
fresh62 : -rwxr-xr-x 1 root root 9260 Mar 7 2000 ./usr/lib/yp/revnetgroup
honeypot: -rwxr-xr-x 1 root root 10884 Oct 27 1999 ./usr/lib/yp/yphelper
fresh62 : -rwxr-xr-x 1 root root 10224 Mar 7 2000 ./usr/lib/yp/yphelper
honeypot: -rwxr-xr-x 1 root root 19272 Oct 27 1999 ./usr/lib/yp/ypxfr
fresh62 : -rwxr-xr-x 1 root root 18288 Mar 7 2000 ./usr/lib/yp/ypxfr

- The version of the ypserv package is different. Remember: the intruder installed (upgraded/downgraded) the following packages:
------------------------------------------------------------------
Wed 08 Nov 2000 03:52:26 PM CET am-utils-6.0.1s11-1.6.0
Wed 08 Nov 2000 03:52:32 PM CET lpr-0.48-1
Wed 08 Nov 2000 03:52:32 PM CET make-3.77-6
Wed 08 Nov 2000 03:52:33 PM CET screen-3.9.4-3
Wed 08 Nov 2000 03:52:33 PM CET telnet-0.10-29
Wed 08 Nov 2000 03:52:33 PM CET ypserv-1.3.9-1
Wed 08 Nov 2000 03:53:41 PM CET wu-ftpd-2.6.0-14.6x
Wed 08 Nov 2000 03:53:49 PM CET nfs-utils-0.1.9.1-1
------------------------------------------------------------------

honeypot: -rw-r--r-- 1 root root 701 Jun 23 2000 ./usr/man/man1/ftpcount.1.gz
fresh62 : -rw-r--r-- 1 root root 701 Feb 28 2000 ./usr/man/man1/ftpcount.1.gz
honeypot: -rw-r--r-- 1 root root 702 Jun 23 2000 ./usr/man/man1/ftpwho.1.gz
fresh62 : -rw-r--r-- 1 root root 702 Feb 28 2000 ./usr/man/man1/ftpwho.1.gz
honeypot: -rw-r--r-- 1 root root 6244 Jul 17 2000 ./usr/man/man5/exports.5.gz
fresh62 : -rw-r--r-- 1 root root 5921 Feb 9 2000 ./usr/man/man5/exports.5.gz
honeypot: -rw-r--r-- 1 root root 14006 Jun 23 2000 ./usr/man/man5/ftpaccess.5.gz
fresh62 : -rw-r--r-- 1 root root 13641 Feb 28 2000 ./usr/man/man5/ftpaccess.5.gz
honeypot: -rw-r--r-- 1 root root 857 Jun 23 2000 ./usr/man/man5/ftpconversions.5.gz
fresh62 : -rw-r--r-- 1 root root 857 Feb 28 2000 ./usr/man/man5/ftpconversions.5.gz
honeypot: -rw-r--r-- 1 root root 815 Jun 23 2000 ./usr/man/man5/ftphosts.5.gz
fresh62 : -rw-r--r-- 1 root root 815 Feb 28 2000 ./usr/man/man5/ftphosts.5.gz
honeypot: -rw-r--r-- 1 root root 1635 Jun 23 2000 ./usr/man/man5/ftpservers.5.gz
fresh62 : -rw-r--r-- 1 root root 1635 Feb 28 2000 ./usr/man/man5/ftpservers.5.gz
honeypot: -rw-r--r-- 1 root root 1490 Jun 23 2000 ./usr/man/man5/xferlog.5.gz
fresh62 : -rw-r--r-- 1 root root 1490 Feb 28 2000 ./usr/man/man5/xferlog.5.gz
honeypot: -rw-r--r-- 1 root root 2224 Jul 17 2000 ./usr/man/man8/exportfs.8.gz
fresh62 : -rw-r--r-- 1 root root 2224 Feb 9 2000 ./usr/man/man8/exportfs.8.gz
honeypot: -rw-r--r-- 1 root root 1246 Jul 17 2000 ./usr/man/man8/mountd.8.gz
fresh62 : -rw-r--r-- 1 root root 1246 Feb 9 2000 ./usr/man/man8/mountd.8.gz
honeypot: -rw-r--r-- 1 root root 702 Jul 17 2000 ./usr/man/man8/nfsd.8.gz
fresh62 : -rw-r--r-- 1 root root 702 Feb 9 2000 ./usr/man/man8/nfsd.8.gz
honeypot: -rw-r--r-- 1 root root 788 Jul 17 2000 ./usr/man/man8/nfsstat.8.gz
fresh62 : -rw-r--r-- 1 root root 788 Feb 9 2000 ./usr/man/man8/nfsstat.8.gz
honeypot: -rw-r--r-- 1 root root 476 Jul 17 2000 ./usr/man/man8/rquotad.8.gz
fresh62 : -rw-r--r-- 1 root root 476 Feb 9 2000 ./usr/man/man8/rquotad.8.gz
honeypot: -rw-r--r-- 1 root root 805 Jul 17 2000 ./usr/man/man8/showmount.8.gz
fresh62 : -rw-r--r-- 1 root root 805 Feb 9 2000 ./usr/man/man8/showmount.8.gz
honeypot: -rw-r--r-- 1 root root 718 Jul 17 2000 ./usr/man/man8/statd.8.gz
fresh62 : -rw-r--r-- 1 root root 718 Feb 9 2000 ./usr/man/man8/statd.8.gz
honeypot: -rw-r--r-- 1 root root 5272 Jun 23 2000 ./usr/man/man8/ftpd.8.gz
fresh62 : -rw-r--r-- 1 root root 5272 Feb 28 2000 ./usr/man/man8/ftpd.8.gz
honeypot: -rw-r--r-- 1 root root 846 Jun 23 2000 ./usr/man/man8/ftprestart.8.gz
fresh62 : -rw-r--r-- 1 root root 846 Feb 28 2000 ./usr/man/man8/ftprestart.8.gz
honeypot: -rw-r--r-- 1 root root 1583 Jun 23 2000 ./usr/man/man8/ftpshut.8.gz
fresh62 : -rw-r--r-- 1 root root 1583 Feb 28 2000 ./usr/man/man8/ftpshut.8.gz
honeypot: -rw-r--r-- 1 root root 1350 Jun 23 2000 ./usr/man/man8/privatepw.8.gz
fresh62 : -rw-r--r-- 1 root root 1350 Feb 28 2000 ./usr/man/man8/privatepw.8.gz
honeypot: -r-sr-sr-x 1 root lp 15816 Jan 6 2000 ./usr/bin/lpq
fresh62 : -r-sr-sr-x 1 root lp 16872 Feb 14 2000 ./usr/bin/lpq
honeypot: -r-sr-sr-x 1 root lp 15608 Jan 6 2000 ./usr/bin/lpr
fresh62 : -r-sr-sr-x 1 root lp 18568 Feb 14 2000 ./usr/bin/lpr
honeypot: -r-sr-sr-x 1 root lp 16248 Jan 6 2000 ./usr/bin/lprm
fresh62 : -r-sr-sr-x 1 root lp 17208 Feb 14 2000 ./usr/bin/lprm
honeypot: -rwxr-xr-x 1 root root 3656 Jan 6 2000 ./usr/bin/lptest
fresh62 : -rwxr-xr-x 1 root root 3148 Feb 14 2000 ./usr/bin/lptest
honeypot: -rwxr-xr-x 1 root root 104316 Apr 15 1999 ./usr/bin/make
fresh62 : -rwxr-xr-x 1 root root 111472 Feb 24 2000 ./usr/bin/make
honeypot: -rwxr-xr-x 1 root root 236468 Oct 20 1999 ./usr/bin/screen
fresh62 : -rwxr-xr-x 1 root root 237108 Mar 7 2000 ./usr/bin/screen
honeypot: -rwxr-xr-x 1 root root 64608 Aug 18 1999 ./usr/bin/telnet
fresh62 : -rwxr-xr-x 1 root root 63216 Mar 7 2000 ./usr/bin/telnet
honeypot: -rwxr-xr-x 1 bin bin 8928 Jun 23 2000 ./usr/bin/ftpcount
fresh62 : -rwxr-xr-x 1 root root 8928 Feb 28 2000 ./usr/bin/ftpcount
honeypot: -rwxr-xr-x 1 bin bin 8928 Jun 23 2000 ./usr/bin/ftpwho
fresh62 : -rwxr-xr-x 1 root root 8928 Feb 28 2000 ./usr/bin/ftpwho
honeypot: -rw-r--r-- 1 root root 14727 Apr 15 1999 ./usr/info/make.info-1.gz
fresh62 : -rw-r--r-- 1 root root 14293 Feb 24 2000 ./usr/info/make.info-1.gz
honeypot: -rw-r--r-- 1 root root 1928 Apr 15 1999 ./usr/info/make.info-10.gz
fresh62 : -rw-r--r-- 1 root root 2021 Feb 24 2000 ./usr/info/make.info-10.gz
honeypot: -rw-r--r-- 1 root root 15693 Apr 15 1999 ./usr/info/make.info-2.gz
fresh62 : -rw-r--r-- 1 root root 15886 Feb 24 2000 ./usr/info/make.info-2.gz
honeypot: -rw-r--r-- 1 root root 15515 Apr 15 1999 ./usr/info/make.info-3.gz
fresh62 : -rw-r--r-- 1 root root 15639 Feb 24 2000 ./usr/info/make.info-3.gz
honeypot: -rw-r--r-- 1 root root 15275 Apr 15 1999 ./usr/info/make.info-4.gz
fresh62 : -rw-r--r-- 1 root root 15336 Feb 24 2000 ./usr/info/make.info-4.gz
honeypot: -rw-r--r-- 1 root root 15324 Apr 15 1999 ./usr/info/make.info-5.gz
fresh62 : -rw-r--r-- 1 root root 15838 Feb 24 2000 ./usr/info/make.info-5.gz
honeypot: -rw-r--r-- 1 root root 15459 Apr 15 1999 ./usr/info/make.info-6.gz
fresh62 : -rw-r--r-- 1 root root 15486 Feb 24 2000 ./usr/info/make.info-6.gz
honeypot: -rw-r--r-- 1 root root 14989 Apr 15 1999 ./usr/info/make.info-7.gz
fresh62 : -rw-r--r-- 1 root root 15467 Feb 24 2000 ./usr/info/make.info-7.gz
honeypot: -rw-r--r-- 1 root root 5385 Apr 15 1999 ./usr/info/make.info-8.gz
fresh62 : -rw-r--r-- 1 root root 10060 Feb 24 2000 ./usr/info/make.info-8.gz
honeypot: -rw-r--r-- 1 root root 7253 Apr 15 1999 ./usr/info/make.info-9.gz
fresh62 : -rw-r--r-- 1 root root 7539 Feb 24 2000 ./usr/info/make.info-9.gz
honeypot: -rw-r--r-- 1 root root 2111 Apr 15 1999 ./usr/info/make.info.gz
fresh62 : -rw-r--r-- 1 root root 2165 Feb 24 2000 ./usr/info/make.info.gz
honeypot: -rw-r--r-- 1 root root 16094 Oct 20 1999 ./usr/info/screen.info-1.gz
fresh62 : -rw-r--r-- 1 root root 16081 Mar 7 2000 ./usr/info/screen.info-1.gz
honeypot: -rw-r--r-- 1 root root 15113 Oct 20 1999 ./usr/info/screen.info-2.gz
fresh62 : -rw-r--r-- 1 root root 15105 Mar 7 2000 ./usr/info/screen.info-2.gz
honeypot: -rw-r--r-- 1 root root 16847 Oct 20 1999 ./usr/info/screen.info-3.gz
fresh62 : -rw-r--r-- 1 root root 16839 Mar 7 2000 ./usr/info/screen.info-3.gz
honeypot: -rw-r--r-- 1 root root 12505 Oct 20 1999 ./usr/info/screen.info-4.gz
fresh62 : -rw-r--r-- 1 root root 12493 Mar 7 2000 ./usr/info/screen.info-4.gz
honeypot: -rw-r--r-- 1 root root 1978 Oct 20 1999 ./usr/info/screen.info.gz
fresh62 : -rw-r--r-- 1 root root 1981 Mar 7 2000 ./usr/info/screen.info.gz

- So far all the differences are explained by the package installation carried out by the intruder.

honeypot: -rwxr-xr-x 1 root root 525412 Nov 8 15:54 ./usr/sbin/named
fresh62 : -rwxr-xr-x 1 root root 511440 Feb 28 2000 ./usr/sbin/named

- Trojan version of named. Already spotted in the "honeypot-only" section. Don't know about its special features :-(

honeypot: -rwxr-sr-x 1 root lp 24104 Jan 6 2000 ./usr/sbin/lpc
fresh62 : -rwxr-sr-x 1 root lp 25064 Feb 14 2000 ./usr/sbin/lpc
honeypot: -rwxr--r-- 1 root root 51740 Jan 6 2000 ./usr/sbin/lpd
fresh62 : -rwxr--r-- 1 root root 51696 Feb 14 2000 ./usr/sbin/lpd
honeypot: -rwxr-xr-x 1 root root 5140 Jan 6 2000 ./usr/sbin/lpf
fresh62 : -rwxr-xr-x 1 root root 4624 Feb 14 2000 ./usr/sbin/lpf
honeypot: -rwxr--r-- 1 root root 9412 Jan 6 2000 ./usr/sbin/pac
fresh62 : -rwxr--r-- 1 root root 8816 Feb 14 2000 ./usr/sbin/pac

- From the lpr package.

honeypot: -rwxr-xr-x 1 root root 25232 Jul 17 2000 ./usr/sbin/exportfs
fresh62 : -rwxr-xr-x 1 root root 24592 Feb 9 2000 ./usr/sbin/exportfs
honeypot: -rwxr-xr-x 1 root root 9104 Jul 17 2000 ./usr/sbin/showmount
fresh62 : -rwxr-xr-x 1 root root 9104 Feb 9 2000 ./usr/sbin/showmount

- From the nfs-utils package.

honeypot: -rwxr-xr-x 1 root root 49860 Feb 22 2000 ./usr/sbin/in.identd
fresh62 : lrwxrwxrwx 1 root root 6 Jan 27 02:05 ./usr/sbin/in.identd -> identd

- A trojan? Don't know :-(

honeypot: -rwxr-xr-x 1 root root 35628 Aug 18 1999 ./usr/sbin/in.telnetd
fresh62 : -rwxr-xr-x 1 root root 31376 Mar 7 2000 ./usr/sbin/in.telnetd

- Package telnet.
honeypot: -rwxr-xr-x 1 bin bin 7792 Jun 23 2000 ./usr/sbin/ckconfig
fresh62 : -rwxr-xr-x 1 root root 7792 Feb 28 2000 ./usr/sbin/ckconfig
honeypot: -rwxr-xr-x 1 bin bin 8112 Jun 23 2000 ./usr/sbin/ftprestart
fresh62 : -rwxr-xr-x 1 root root 8112 Feb 28 2000 ./usr/sbin/ftprestart
honeypot: -rwxr-xr-x 1 bin bin 10800 Jun 23 2000 ./usr/sbin/ftpshut
fresh62 : -rwxr-xr-x 1 root root 10800 Feb 28 2000 ./usr/sbin/ftpshut
honeypot: -rwxr-xr-x 1 bin bin 162608 Jun 23 2000 ./usr/sbin/in.ftpd
fresh62 : -rwxr-xr-x 1 root root 153488 Feb 28 2000 ./usr/sbin/in.ftpd
honeypot: -rwxr-xr-x 1 bin bin 10448 Jun 23 2000 ./usr/sbin/privatepw
fresh62 : -rwxr-xr-x 1 root root 10448 Feb 28 2000 ./usr/sbin/privatepw

- Package wu-ftpd.

honeypot: -rwxr-xr-x 1 root root 14520 Oct 27 1999 ./usr/sbin/yppush
fresh62 : -rwxr-xr-x 1 root root 13776 Mar 7 2000 ./usr/sbin/yppush
honeypot: -rwxr-xr-x 1 root root 18448 Oct 27 1999 ./usr/sbin/rpc.yppasswdd
fresh62 : -rwxr-xr-x 1 root root 17624 Mar 7 2000 ./usr/sbin/rpc.yppasswdd
honeypot: -rwxr-xr-x 1 root root 25212 Oct 27 1999 ./usr/sbin/rpc.ypxfrd
fresh62 : -rwxr-xr-x 1 root root 23984 Mar 7 2000 ./usr/sbin/rpc.ypxfrd
honeypot: -rwxr-xr-x 1 root root 40476 Oct 27 1999 ./usr/sbin/ypserv
fresh62 : -rwxr-xr-x 1 root root 39248 Mar 7 2000 ./usr/sbin/ypserv

- Package ypserv.

honeypot: -rwxr-xr-x 1 root root 36784 Jul 17 2000 ./usr/sbin/rpc.mountd
fresh62 : -rwxr-xr-x 1 root root 35952 Feb 9 2000 ./usr/sbin/rpc.mountd
honeypot: -rwxr-xr-x 1 root root 9872 Jul 17 2000 ./usr/sbin/rpc.rquotad
fresh62 : -rwxr-xr-x 1 root root 9840 Feb 9 2000 ./usr/sbin/rpc.rquotad
honeypot: -rwxr-xr-x 1 root root 19888 Jul 17 2000 ./sbin/rpc.statd
fresh62 : -rwxr-xr-x 1 root root 19856 Feb 9 2000 ./sbin/rpc.statd

- Package nfs-utils.
honeypot: -rw-r--r-- 1 root root 4173832 Nov 8 15:53 ./var/lib/rpm/packages.rpm
fresh62 : -rw-r--r-- 1 root root 4137544 Jan 27 02:06 ./var/lib/rpm/packages.rpm
honeypot: -rw-r--r-- 1 root root 16384 Nov 8 15:53 ./var/lib/rpm/nameindex.rpm
fresh62 : -rw-r--r-- 1 root root 16384 Jan 27 02:06 ./var/lib/rpm/nameindex.rpm
honeypot: -rw-r--r-- 1 root root 1343488 Nov 8 15:53 ./var/lib/rpm/fileindex.rpm
fresh62 : -rw-r--r-- 1 root root 1343488 Jan 27 02:06 ./var/lib/rpm/fileindex.rpm
honeypot: -rw-r--r-- 1 root root 49152 Nov 8 15:53 ./var/lib/rpm/providesindex.rpm
fresh62 : -rw-r--r-- 1 root root 49152 Jan 27 02:06 ./var/lib/rpm/providesindex.rpm
honeypot: -rw-r--r-- 1 root root 49152 Nov 8 15:53 ./var/lib/rpm/requiredby.rpm
fresh62 : -rw-r--r-- 1 root root 49152 Jan 27 02:06 ./var/lib/rpm/requiredby.rpm
honeypot: -rw-r--r-- 1 root root 16384 Nov 8 15:53 ./var/lib/rpm/conflictsindex.rpm
fresh62 : -rw-r--r-- 1 root root 16384 Jan 27 02:06 ./var/lib/rpm/conflictsindex.rpm
honeypot: -rw-r--r-- 1 root root 16384 Nov 8 15:53 ./var/lib/rpm/groupindex.rpm
fresh62 : -rw-r--r-- 1 root root 16384 Jan 27 02:06 ./var/lib/rpm/groupindex.rpm
honeypot: -rw-r--r-- 1 root root 16384 Nov 8 15:53 ./var/lib/rpm/triggerindex.rpm
fresh62 : -rw-r--r-- 1 root root 16384 Jan 27 02:06 ./var/lib/rpm/triggerindex.rpm

- These files had to be different since packages were installed by the intruder.
honeypot: -rw-r--r-- 1 root root 1460292 Nov 9 03:37 ./var/log/lastlog
fresh62 : -rw-r--r-- 1 root root 146292 Jan 27 10:31 ./var/log/lastlog
honeypot: -rw-r--r-- 1 root root 768 Nov 9 03:37 ./var/log/wtmp
fresh62 : -rw-rw-r-- 1 root utmp 26880 Jan 27 11:05 ./var/log/wtmp
honeypot: -rw-r--r-- 1 root root 7974 Nov 8 15:56 ./var/log/messages
fresh62 : -rw------- 1 root root 22392 Jan 27 11:05 ./var/log/messages
honeypot: -rw-r--r-- 1 root root 268 Nov 8 15:56 ./var/log/secure
fresh62 : -rw------- 1 root root 100 Jan 27 10:31 ./var/log/secure
honeypot: -rw------- 1 root root 266 Nov 5 16:33 ./var/log/maillog
fresh62 : -rw------- 1 root root 538 Jan 27 10:31 ./var/log/maillog
honeypot: -rw-r--r-- 1 root root 2747 Nov 5 16:33 ./var/log/dmesg
fresh62 : -rw-r--r-- 1 root root 3059 Jan 27 10:31 ./var/log/dmesg
honeypot: -rw-r--r-- 1 root root 999 Nov 5 16:33 ./var/log/boot.log
fresh62 : -rw-r--r-- 1 root root 6885 Jan 27 11:05 ./var/log/boot.log
honeypot: -rw------- 1 root root 31607 Nov 9 05:10 ./var/log/cron
fresh62 : -rw------- 1 root root 869 Jan 27 11:01 ./var/log/cron
honeypot: -rw-rw-r-- 1 root utmp 4992 Nov 9 03:37 ./var/run/utmp
fresh62 : -rw-rw-r-- 1 root utmp 4608 Jan 27 11:05 ./var/run/utmp
honeypot: -rw------- 1 root root 512 Nov 5 16:33 ./var/run/random-seed
fresh62 : -rw------- 1 root root 512 Jan 27 11:05 ./var/run/random-seed
honeypot: -rw-r--r-- 1 root root 4 Nov 5 16:33 ./var/spool/lpd/lpd.lock
fresh62 : -rw-r--r-- 1 root root 4 Jan 27 10:31 ./var/spool/lpd/lpd.lock

- Obviously the log files had to be different. The honeypot logs were 'cleaned' by the intruder, so there's not much that can be obtained from them.

honeypot: -rw-r--r-- 1 root root 5684 Nov 5 02:04 ./tmp/install.log
fresh62 : -rw-r--r-- 1 root root 5684 Jan 27 02:06 ./tmp/install.log

- Uninteresting.
honeypot: -rw-r--r-- 1 root root 16 Nov 5 16:33 ./var/run/runlevel.dir
fresh62 : -rw-r--r-- 1 root root 16 Jan 27 11:05 ./var/run/runlevel.dir

- honeypot: /etc/rc.d/rc3.d
  fresh62:  /etc/rc.d/rc6.d
  Uninteresting.

honeypot: srwxrwxrwx 1 xfs xfs 0 Nov 5 16:33 ./tmp/.font-unix/fs-1
fresh62 : srwxrwxrwx 1 xfs xfs 0 Jan 27 10:31 ./tmp/.font-unix/fs-1
honeypot: prw------- 1 root root 0 Mar 7 2000 ./dev/initctl
fresh62 : prw------- 1 root root 0 Jan 27 11:05 ./dev/initctl
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/fb -> fb0
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/fb -> fb0
honeypot: lrwxrwxrwx 1 root root 4 Nov 5 01:57 ./dev/ftape -> rft0
fresh62 : lrwxrwxrwx 1 root root 4 Jan 27 02:02 ./dev/ftape -> rft0
honeypot: lrwxrwxrwx 1 root root 9 Nov 5 01:57 ./dev/isdnctrl -> isdnctrl0
fresh62 : lrwxrwxrwx 1 root root 9 Jan 27 02:02 ./dev/isdnctrl -> isdnctrl0
honeypot: lrwxrwxrwx 1 root root 5 Nov 5 01:57 ./dev/nftape -> nrft0
fresh62 : lrwxrwxrwx 1 root root 5 Jan 27 02:02 ./dev/nftape -> nrft0
honeypot: lrwxrwxrwx 1 root root 6 Nov 5 01:57 ./dev/radio -> radio0
fresh62 : lrwxrwxrwx 1 root root 6 Jan 27 02:02 ./dev/radio -> radio0
honeypot: lrwxrwxrwx 1 root root 4 Nov 5 01:57 ./dev/ramdisk -> ram0
fresh62 : lrwxrwxrwx 1 root root 4 Jan 27 02:02 ./dev/ramdisk -> ram0
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/sg0 -> sga
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/sg0 -> sga
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/sg1 -> sgb
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/sg1 -> sgb
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/sg2 -> sgc
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/sg2 -> sgc
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/sg3 -> sgd
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/sg3 -> sgd
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/sg4 -> sge
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/sg4 -> sge
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/sg5 -> sgf
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/sg5 -> sgf
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/sg6 -> sgg
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/sg6 -> sgg
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 01:57 ./dev/sg7 -> sgh
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:02 ./dev/sg7 -> sgh
honeypot: lrwxrwxrwx 1 root root 4 Nov 5 01:57 ./dev/vbi -> vbi0
fresh62 : lrwxrwxrwx 1 root root 4 Jan 27 02:02 ./dev/vbi -> vbi0
honeypot: lrwxrwxrwx 1 root root 6 Nov 5 01:57 ./dev/video -> video0
fresh62 : lrwxrwxrwx 1 root root 6 Jan 27 02:02 ./dev/video -> video0
honeypot: lrwxrwxrwx 1 root root 4 Nov 5 01:57 ./dev/vtx -> vtx0
fresh62 : lrwxrwxrwx 1 root root 4 Jan 27 02:02 ./dev/vtx -> vtx0
honeypot: lrwxrwxrwx 1 root root 9 Nov 5 01:57 ./dev/winradio -> winradio0
fresh62 : lrwxrwxrwx 1 root root 9 Jan 27 02:02 ./dev/winradio -> winradio0
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 02:04 ./dev/cdrom -> hdc
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:06 ./dev/cdrom -> hdc
honeypot: lrwxrwxrwx 1 root root 5 Nov 5 02:04 ./dev/mouse -> psaux
fresh62 : lrwxrwxrwx 1 root root 5 Jan 27 02:06 ./dev/mouse -> psaux

- Uninteresting. The only difference is the timestamp.
honeypot: -rw-r--r-- 1 root root 460 Nov 5 02:05 ./etc/group
fresh62 : -rw-r--r-- 1 root root 459 Jan 27 02:06 ./etc/group
honeypot: -rw-r--r-- 1 root root 0 Nov 8 15:26 ./etc/hosts.deny
fresh62 : -rw-r--r-- 1 root root 347 Jan 13 2000 ./etc/hosts.deny
honeypot: -rw-r--r-- 1 root root 657 Nov 8 15:55 ./etc/passwd
fresh62 : -rw-r--r-- 1 root root 711 Jan 27 02:06 ./etc/passwd
honeypot: -rw-r--r-- 1 root root 16076 Nov 5 02:05 ./etc/X11/XF86Config
fresh62 : -rw-r--r-- 1 root root 15914 Jan 27 02:06 ./etc/X11/XF86Config
honeypot: -rw-r--r-- 1 root root 1262 Nov 5 02:05 ./etc/localtime
fresh62 : -rw-r--r-- 1 root root 946 Jan 27 02:06 ./etc/localtime
honeypot: -rw-r--r-- 1 root root 12333 Nov 8 15:52 ./etc/ld.so.cache
fresh62 : -rw-r--r-- 1 root root 12210 Jan 27 02:06 ./etc/ld.so.cache
honeypot: -rw-r--r-- 1 root root 13281 Nov 8 15:52 ./etc/info-dir
fresh62 : -rw-r--r-- 1 root root 13187 Jan 27 02:06 ./etc/info-dir

- Uninteresting. I've seen the differences and can't find anything interesting in them.

honeypot: -rwxr-xr-x 1 root root 955 Nov 8 15:53 ./etc/rc.d/rc.local
fresh62 : -rwxr-xr-x 1 root root 933 Sep 30 1999 ./etc/rc.d/rc.local

- The intruder added the following line: "/usr/local/sbin/sshd1" so that its private sshd would run even if the system was rebooted.
honeypot: -rw-r--r-- 1 root root 702 Nov 5 02:05 ./etc/passwd-
fresh62 : -rw-r--r-- 1 root root 711 Jan 27 02:06 ./etc/passwd-
honeypot: -rw-r--r-- 1 root root 124 Nov 5 17:52 ./etc/sysconfig/network-scripts/ifcfg-eth0
fresh62 : -rw-r--r-- 1 root root 125 Jan 27 02:06 ./etc/sysconfig/network-scripts/ifcfg-eth0
honeypot: -rw-r--r-- 1 root root 32 Nov 5 02:04 ./etc/sysconfig/keyboard
fresh62 : -rw-r--r-- 1 root root 32 Jan 27 02:06 ./etc/sysconfig/keyboard
honeypot: -rw-r--r-- 1 root root 63 Nov 5 02:05 ./etc/sysconfig/network
fresh62 : -rw-r--r-- 1 root root 32 Jan 27 02:06 ./etc/sysconfig/network
honeypot: -rw-r--r-- 1 root root 43 Nov 5 02:05 ./etc/sysconfig/clock
fresh62 : -rw-r--r-- 1 root root 41 Jan 27 02:06 ./etc/sysconfig/clock
honeypot: -rw-r--r-- 1 root root 1291 Nov 5 16:33 ./etc/sysconfig/hwconf
fresh62 : -rw-r--r-- 1 root root 2015 Jan 27 10:31 ./etc/sysconfig/hwconf
honeypot: -rw-r--r-- 1 root root 43 Nov 5 02:05 ./etc/resolv.conf
fresh62 : -rw-r--r-- 1 root root 0 Jan 27 02:06 ./etc/resolv.conf
honeypot: -rw-r--r-- 1 root root 4096 Nov 5 16:33 ./etc/mail/virtusertable.db
fresh62 : -rw-r--r-- 1 root root 4096 Jan 27 10:31 ./etc/mail/virtusertable.db
honeypot: -rw-r--r-- 1 root root 20480 Nov 5 16:33 ./etc/mail/access.db
fresh62 : -rw-r--r-- 1 root root 20480 Jan 27 10:31 ./etc/mail/access.db
honeypot: -rw-r--r-- 1 root root 4096 Nov 5 16:33 ./etc/mail/domaintable.db
fresh62 : -rw-r--r-- 1 root root 4096 Jan 27 10:31 ./etc/mail/domaintable.db
honeypot: -rw-r--r-- 1 root root 4096 Nov 5 16:33 ./etc/mail/mailertable.db
fresh62 : -rw-r--r-- 1 root root 4096 Jan 27 10:31 ./etc/mail/mailertable.db
honeypot: -rw-r--r-- 1 root root 20480 Nov 5 16:33 ./etc/aliases.db
fresh62 : -rw-r--r-- 1 root root 20480 Jan 27 10:31 ./etc/aliases.db
honeypot: -rw-r--r-- 1 root root 760 Nov 5 02:04 ./etc/fstab
fresh62 : -rw-r--r-- 1 root root 686 Jan 27 09:48 ./etc/fstab
honeypot: -rw-r--r-- 1 root root 248 Nov 9 04:10 ./etc/mtab
fresh62 : -rw-r--r-- 1 root root 47 Jan 27 11:05 ./etc/mtab
honeypot: -rw-r--r-- 1 root root 68 Nov 5 02:05 ./etc/hosts
fresh62 : -rw-r--r-- 1 root root 51 Jan 27 02:06 ./etc/hosts
honeypot: -r-------- 1 root root 586 Nov 5 02:05 ./etc/shadow-
fresh62 : -r-------- 1 root root 585 Jan 27 02:06 ./etc/shadow-
honeypot: -rw-r--r-- 1 root root 51 Nov 5 02:05 ./etc/conf.modules
fresh62 : -rw-r--r-- 1 root root 81 Jan 27 02:06 ./etc/conf.modules
honeypot: -rw-r--r-- 1 root root 601 Nov 8 15:55 ./etc/shadow
fresh62 : -r-------- 1 root root 630 Jan 27 02:06 ./etc/shadow
honeypot: -r-------- 1 root root 383 Nov 5 02:05 ./etc/gshadow
fresh62 : -r-------- 1 root root 382 Jan 27 02:06 ./etc/gshadow
honeypot: -rw-r--r-- 1 root root 702 Nov 5 02:05 ./etc/passwd.OLD
fresh62 : -rw-r--r-- 1 root root 700 Jan 27 02:06 ./etc/passwd.OLD
honeypot: -rw-r--r-- 1 root root 160 Nov 5 02:05 ./etc/lilo.conf
fresh62 : -rw-r--r-- 1 root root 188 Jan 27 02:06 ./etc/lilo.conf
honeypot: -rw-r--r-- 1 root root 18 Nov 5 16:33 ./etc/HOSTNAME
fresh62 : -rw-r--r-- 1 root root 8 Jan 27 10:31 ./etc/HOSTNAME
honeypot: -rw-r--r-- 1 root root 64 Nov 5 16:33 ./etc/issue
fresh62 : -rw-r--r-- 1 root root 64 Jan 27 10:31 ./etc/issue
honeypot: -rw-r--r-- 1 root root 63 Nov 5 16:33 ./etc/issue.net
fresh62 : -rw-r--r-- 1 root root 63 Jan 27 10:31 ./etc/issue.net

- Uninteresting.
honeypot: -r-xr-xr-x 1 root root 60926 Mar 7 2000 ./usr/bin/top
fresh62 : -r-xr-xr-x 1 root root 34896 Mar 7 2000 ./usr/bin/top
honeypot: -rwxr-xr-x 1 root root 137567 Mar 8 2000 ./bin/ls
fresh62 : -rwxr-xr-x 1 root root 43024 Mar 8 2000 ./bin/ls
honeypot: -rwxr-xr-x 1 root root 32816 Mar 7 2000 ./bin/netstat
fresh62 : -rwxr-xr-x 1 root root 66736 Mar 7 2000 ./bin/netstat
honeypot: -r-xr-xr-x 1 root root 39423 Mar 7 2000 ./bin/ps
fresh62 : -r-xr-xr-x 1 root root 60080 Mar 7 2000 ./bin/ps
honeypot: -rwxr-xr-x 1 root root 19840 Mar 7 2000 ./sbin/ifconfig
fresh62 : -rwxr-xr-x 1 root root 42736 Mar 7 2000 ./sbin/ifconfig
honeypot: -rwxr-xr-x 1 root root 31625 Feb 7 2000 ./usr/sbin/tcpd
fresh62 : -rwxr-xr-x 1 root root 23568 Feb 7 2000 ./usr/sbin/tcpd

- These 6 trojans have already been commented on in the "honeypot-only" section.

honeypot: lrwxrwxrwx 1 root root 9 Nov 8 15:52 ./root/.bash_history -> /dev/null
fresh62 : -rw------- 1 root root 939 Jan 27 11:05 ./root/.bash_history

- Another .bash_history linked to /dev/null.

#############################################################################################
####                                                                                     ####
####   END OF FILES THAT EXIST BOTH IN honeypot AND fresh62 AND ARE DIFFERENT            ####
####                                                                                     ####
#############################################################################################

Finally, the files that exist in our fresh62 and not in honeypot. Nothing interesting here.
-----------------------------------------------------
./var/catman/cat1/gunzip.1.gz
./var/catman/cat8/swapon.8.gz
./var/catman/cat8/mount.8.gz
./dev/fd
./dev/stderr
./dev/stdin
./dev/stdout
./usr/doc/make-3.78.1
./usr/doc/make-3.78.1/NEWS
./usr/doc/make-3.78.1/README
./usr/doc/nfs-utils-0.1.6
./usr/doc/nfs-utils-0.1.6/ChangeLog
./usr/doc/nfs-utils-0.1.6/INSTALL
./usr/doc/nfs-utils-0.1.6/KNOWNBUGS
./usr/doc/nfs-utils-0.1.6/NEW
./usr/doc/nfs-utils-0.1.6/README
./usr/doc/nfs-utils-0.1.6/THANKS
./usr/doc/nfs-utils-0.1.6/TODO
./usr/doc/nfs-utils-0.1.6/index.html
./usr/doc/nfs-utils-0.1.6/nfs.html
./usr/doc/nfs-utils-0.1.6/nfs.ps
./usr/doc/nfs-utils-0.1.6/node1.html
./usr/doc/nfs-utils-0.1.6/node10.html
./usr/doc/nfs-utils-0.1.6/node11.html
./usr/doc/nfs-utils-0.1.6/node12.html
./usr/doc/nfs-utils-0.1.6/node13.html
./usr/doc/nfs-utils-0.1.6/node14.html
./usr/doc/nfs-utils-0.1.6/node15.html
./usr/doc/nfs-utils-0.1.6/node16.html
./usr/doc/nfs-utils-0.1.6/node17.html
./usr/doc/nfs-utils-0.1.6/node18.html
./usr/doc/nfs-utils-0.1.6/node19.html
./usr/doc/nfs-utils-0.1.6/node2.html
./usr/doc/nfs-utils-0.1.6/node20.html
./usr/doc/nfs-utils-0.1.6/node21.html
./usr/doc/nfs-utils-0.1.6/node22.html
./usr/doc/nfs-utils-0.1.6/node23.html
./usr/doc/nfs-utils-0.1.6/node24.html
./usr/doc/nfs-utils-0.1.6/node25.html
./usr/doc/nfs-utils-0.1.6/node26.html
./usr/doc/nfs-utils-0.1.6/node27.html
./usr/doc/nfs-utils-0.1.6/node3.html
./usr/doc/nfs-utils-0.1.6/node4.html
./usr/doc/nfs-utils-0.1.6/node5.html
./usr/doc/nfs-utils-0.1.6/node6.html
./usr/doc/nfs-utils-0.1.6/node7.html
./usr/doc/nfs-utils-0.1.6/node8.html
./usr/doc/nfs-utils-0.1.6/node9.html
./usr/doc/screen-3.9.5
./usr/doc/screen-3.9.5/FAQ
./usr/doc/screen-3.9.5/NEWS
./usr/doc/screen-3.9.5/README
./usr/doc/screen-3.9.5/README.DOTSCREEN
./usr/lib/groff/tmac/tmac.gmse
./usr/lib/libgif.so
./usr/lib/libungif.so
./usr/man/man1/lpq.1.gz
./usr/man/man1/lpr.1.gz
./usr/man/man1/lprm.1.gz
./usr/man/man1/lptest.1.gz
./usr/man/man1/make.1.gz
./usr/man/man1/screen.1.gz
./usr/man/man1/telnet.1.gz
./usr/man/man5/printcap.5.gz
./usr/man/man5/netgroup.5.gz
./usr/man/man5/ypserv.conf.5.gz
./usr/man/man8/lpc.8.gz
./usr/man/man8/lpd.8.gz
./usr/man/man8/pac.8.gz
./usr/man/man8/makedbm.8.gz
./usr/man/man8/mknetid.8.gz
./usr/man/man8/pwupdate.8.gz
./usr/man/man8/revnetgroup.8.gz
./usr/man/man8/rpc.yppasswdd.8.gz
./usr/man/man8/rpc.ypxfrd.8.gz
./usr/man/man8/ypinit.8.gz
./usr/man/man8/yppasswdd.8.gz
./usr/man/man8/yppush.8.gz
./usr/man/man8/ypserv.8.gz
./usr/man/man8/ypxfr.8.gz
./usr/man/man8/ypxfrd.8.gz
./usr/bin/[
./usr/bin/kbdrate
./usr/sbin/apmd
./usr/sbin/atd
./usr/sbin/rpc.rstatd
./usr/sbin/rpc.rusersd
./usr/sbin/rpc.rwalld
./usr/sbin/nmbd
./usr/sbin/smbd
./usr/sbin/snmpd
./etc/X11/applnk/Internet/telnet.desktop
./etc/rc.d/init.d/linuxconf
./etc/rc.d/init.d/syslog
./etc/rc.d/rc0.d/K00linuxconf
./etc/rc.d/rc1.d/K00linuxconf
./etc/rc.d/rc2.d/S99linuxconf
./etc/rc.d/rc3.d/S99linuxconf
./etc/rc.d/rc4.d/S99linuxconf
./etc/rc.d/rc5.d/S99linuxconf
./etc/rc.d/rc6.d/K00linuxconf
./etc/sysconfig/soundcard
./etc/conf.modules~
./bin/fsconf
./bin/netconf
./bin/userconf
./home/david
./home/david/.emacs
./home/david/.bash_logout
./home/david/.bash_profile
./home/david/.bashrc
./home/david/.screenrc
./sbin/askrunlevel
./sbin/dnsconf
./sbin/fixperm
./sbin/mailconf
-----------------------------------------------------

END OF THE FILE ANALYSIS
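The comparison of files present on both systems was done above by eye, entry by entry. The script below is an added example, not part of the original analysis or its tooling: it parses paired "honeypot:" / "fresh62 :" ls -l lines in exactly the layout used in this report and flags the two patterns that turned out to matter in the "both systems, but different" section (a binary whose size changed while its modification time stayed identical to the vendor's, as with the six trojaned tools, and a regular file that became a symbolic link to /dev/null, as with root's .bash_history), plus a generic permission-change check. The sample listing is a constructed subset of the entries quoted above; the label names and the function names are this example's own.

```python
"""Added example (not part of the original analysis): flag suspicious
differences between paired 'honeypot:' / 'fresh62 :' ls -l lines."""
import re
from typing import Dict, List, Optional, Tuple

# One "label: ls -l entry" line, in the layout used throughout the comparison.
# Fields: label, mode, link count, owner, group, size, month, day, time or
# year, path and an optional "-> target" for symbolic links.
LINE_RE = re.compile(
    r"^(?P<label>\w+)\s*:\s+"
    r"(?P<mode>[-a-zA-Z]{10})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<stamp>[\d:]+)\s+"
    r"(?P<path>\S+)(?:\s+->\s+(?P<target>\S+))?\s*$"
)

# Constructed sample: a subset of the entries quoted in the comparison above.
SAMPLE_LISTING = """\
honeypot: lrwxrwxrwx 1 root root 3 Nov 5 02:04 ./dev/cdrom -> hdc
fresh62 : lrwxrwxrwx 1 root root 3 Jan 27 02:06 ./dev/cdrom -> hdc
honeypot: -rw-r--r-- 1 root root 460 Nov 5 02:05 ./etc/group
fresh62 : -rw-r--r-- 1 root root 459 Jan 27 02:06 ./etc/group
honeypot: -rw-r--r-- 1 root root 601 Nov 8 15:55 ./etc/shadow
fresh62 : -r-------- 1 root root 630 Jan 27 02:06 ./etc/shadow
honeypot: -r-xr-xr-x 1 root root 60926 Mar 7 2000 ./usr/bin/top
fresh62 : -r-xr-xr-x 1 root root 34896 Mar 7 2000 ./usr/bin/top
honeypot: -rwxr-xr-x 1 root root 137567 Mar 8 2000 ./bin/ls
fresh62 : -rwxr-xr-x 1 root root 43024 Mar 8 2000 ./bin/ls
honeypot: -rwxr-xr-x 1 root root 32816 Mar 7 2000 ./bin/netstat
fresh62 : -rwxr-xr-x 1 root root 66736 Mar 7 2000 ./bin/netstat
honeypot: -r-xr-xr-x 1 root root 39423 Mar 7 2000 ./bin/ps
fresh62 : -r-xr-xr-x 1 root root 60080 Mar 7 2000 ./bin/ps
honeypot: -rwxr-xr-x 1 root root 19840 Mar 7 2000 ./sbin/ifconfig
fresh62 : -rwxr-xr-x 1 root root 42736 Mar 7 2000 ./sbin/ifconfig
honeypot: -rwxr-xr-x 1 root root 31625 Feb 7 2000 ./usr/sbin/tcpd
fresh62 : -rwxr-xr-x 1 root root 23568 Feb 7 2000 ./usr/sbin/tcpd
honeypot: lrwxrwxrwx 1 root root 9 Nov 8 15:52 ./root/.bash_history -> /dev/null
fresh62 : -rw------- 1 root root 939 Jan 27 11:05 ./root/.bash_history
"""


def parse_entry(line: str) -> Optional[dict]:
    """Parse one labelled ls -l line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    # ls prints either "HH:MM" (recent) or a year (older); keep the whole stamp.
    entry["mtime"] = f"{entry['mon']} {entry['day']} {entry['stamp']}"
    return entry


def compare_listings(text: str, suspect: str = "honeypot",
                     baseline: str = "fresh62") -> List[Tuple[str, str]]:
    """Pair suspect/baseline entries by path and return (path, reason) findings."""
    by_path: Dict[str, Dict[str, dict]] = {}
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry:
            by_path.setdefault(entry["path"], {})[entry["label"]] = entry

    findings: List[Tuple[str, str]] = []
    for path, labelled in by_path.items():
        s, b = labelled.get(suspect), labelled.get(baseline)
        if not (s and b):
            continue  # only on one side: handled by the "only in X" sections
        # File type is the first mode character ('-' regular, 'l' symlink, ...).
        if s["mode"][0] != b["mode"][0]:
            reason = f"type changed {b['mode'][0]!r} -> {s['mode'][0]!r}"
            if s["target"] == "/dev/null":
                reason += " (now a symlink to /dev/null: shell history discarded)"
            findings.append((path, reason))
            continue
        # Same vendor mtime but a different size: the binary was swapped and
        # its timestamp restored, which is what the six trojans above look like.
        if s["size"] != b["size"] and s["mtime"] == b["mtime"]:
            findings.append((path, f"size {b['size']} -> {s['size']} with identical "
                                   f"mtime {s['mtime']} (possible replaced binary)"))
        if s["mode"] != b["mode"]:
            findings.append((path, f"mode {b['mode']} -> {s['mode']}"))
    return findings


if __name__ == "__main__":
    for path, reason in compare_listings(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

Size plus mtime is only a first-pass filter: an intruder who replaces a binary can also pad it to the original size or reset the timestamp (the six trojans above kept the vendor date but not the size, which is why the check works on this data). For a real comparison, hash the binaries on both systems and verify them against the package database rather than trusting ls output from a machine whose ls is itself one of the suspect files.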