FILES THAT WERE ADDED/MODIFIED BY THE INTRUDER, AND THEIR FUNCTIONS

Rootkit in "/usr/man/.Ci":
--------------------------
a.sh: Shell script to remove various types of servers and kill their services. The servers removed are rpc.*, smbd, portmap, nmbd, ypserv, snmpd, atd, lockd, nfsd, rpciod, apmd, amd and amq.
addn: Used to add entries for network addresses that should not be displayed by netstat. It takes input of the form %d.%d, and the input is stored in the file /usr/libexec/awk/addy.awk.
addps: Shell script to add entries for processes not to be shown by ps or top. The added entries are stored in /dev/ptyp.
bx: A popular Unix IRC client, BitchX.
chmod-it: A script to change the permissions of several programs to 700.
clean: A script to pass arguments to the program snap. The list includes sshd, log, games, 209.86, own, owned, Pro, snif, ident, splitrock, 209.255, echo.
do: A script to "adm1" and "own" accounts from /etc/passwd and /etc/shadow.
find: Trojanised version of 'find' that hides files specified in /dev/.oz/r. Not installed.
fix: Used to replace an actual program with a trojan program. The actual program can optionally be stored in a backup directory. The program also tries to change the modification (mtime) and status change (ctime) times of the trojan program to match those of the actual program.
inetd: Trojanised inetd. Listens for rfe, talk and ntalk. Not installed.
killall: Trojanised killall that prevents killing of the services specified in /dev/.oz/p. Not installed.
needz: Echoes packages that are needed by the rootkit?
pstree: A trojanised version of the pstree command. It will not display programs listed in the file /usr/man/.p.
q: Client for a secure TCP connection suite, Q.
qs: Server for a secure TCP connection suite, Q. Not installed.
rmS: Shell script to remove some programs, which are presumably not required after installation.
snap: Shell script to remove lines containing words found in the file "clean" from several log files. These log files are /var/log/secure, /var/log/messages, /var/log/xferlog, /usr/adm/secure, /usr/adm/messages, and /usr/adm/xferlog.
snif: Sniffer program that logs selected TCP sessions to ./tcp.log, particularly telnet, ftp and rlogin sessions that reveal usernames and passwords. Apparently based on LinSniffer by Mike Edulla, because 'strings snif' reveals the line "linsniffer.c".
tcp.log: Log file of snif.
sniff.pid: Stores the PID of the snif process.
sp.pl: Perl script to sort the output of snif.
syslogd: Trojanised syslogd. Function not known, but it reads the config file /usr/man/.l. Not installed, because the rootkit was looking for /usr/sbin/syslogd instead of /sbin/syslogd!

Directory "/usr/man/.Ci/backup":
--------------------------------
Stores the original programs that have been trojanised. These programs are ifconfig, ls, netstat, ps, tcpd, tcp.

Directory "/usr/man/.Ci/paki":
------------------------------
slice2: DoS program.
stream.c: Source code of another DoS program.

Directory "/usr/man/.Ci/scan/amd/":
-----------------------------------
Contains scripts to scan for and exploit the amd vulnerability [1].
a.sh: Exploit script. This script calls 'pscan' to scan a range of class B IP addresses for the sunrpc service (port 111). 'pscan' then calls 'ben' to check for availability of the amd (automounter) service.
amdx: A remote buffer overflow exploit program for the amd vulnerability.
ben: Given a host, checks for availability of the amd service.
ben.c: Source code for ben.
pscan: A scanner that can scan a range of class B or class C IP addresses for a particular port.
pscan.c: Source code for pscan, specifically to look for the rpc amd service.

Directory "/usr/man/.Ci/scan/bind":
-----------------------------------
Contains a script, ibind.sh, that calls pscan (as above) to scan for the Bind vulnerability in a range of hosts.

Directory "/usr/man/.Ci/scan/daemon/":
--------------------------------------
lscan2.c: Source code of a port scanner. Read the source code.
z0ne: Another port scanner.

Directory "/usr/man/.Ci/scan/port/":
------------------------------------
Contains Strobe, a "Super optimised TCP port prober". For more info, just "less strobe.1".

Directory "/usr/man/.Ci/scan/statd":
------------------------------------
Contains programs to scan for and exploit the rpc.statd vulnerability. Looks like the "Murder Weapon" used to compromise this server.
classb: Generates a list of IP addresses for r.
r: rpcscan. Scans a list of IP addresses for specified rpc services.
statdx: rpc.statd exploit script.

Directory "/usr/man/.Ci/scan/wu/":
----------------------------------
fs: A vulnerability scanner that can scan across different OSes.
wu: Remote exploit for the wu-ftpd vulnerability.

Directory "/usr/man/.Ci/scan/x":
--------------------------------
pscan and pscan.c: As above, except that it doesn't call ben.
x: An X-Windows keyboard logger.
xfil: Shell script to extract passwords from the output of the program x.
xscan: Shell script using pscan to search for hosts with port 6000 open.

Trojanised system programs:
---------------------------
/bin/ps: does not display processes listed in /dev/ptyp.
/usr/bin/top: does not display processes listed in /dev/ptyp.
/bin/ls: does not list files listed in /usr/man/r.
/sbin/ifconfig: does not indicate that a network interface is in promiscuous mode.
/bin/netstat: does not display IP addresses of the form A.B.*.*, where A.B is listed in /usr/libexec/awk/addy.awk.
/usr/sbin/tcpd: allows access from hosts, or to local ports, listed in /usr/man/.a without any logging. So the victim will allow connections from 63.203.*.*, 209.250.*.*, 216.33.*.*, 63.206.*.*, and to ports 113 and 35350.
/usr/sbin/in.identd: this has been modified, but doesn't appear to have been trojanised. IRC clients typically use this service, so it could be a service needed by bx.
/usr/local/sbin/sshd1: trojanised sshd1 that is both a password harvester for incoming ssh sessions and a backdoor allowing access with a magic username and password. Both the harvested-password log and the magic credentials are stored in /usr/tmp/nap.

Trojan config files:
--------------------
/usr/man/r: config file for ls.
/dev/ptyp: config file for top and ps.
/usr/man/p: looks similar in function to /dev/ptyp, but not used by ps or top.
/usr/libexec/awk/addy.awk: config file for netstat.

Others:
-------
/etc/rc.d/rc.local: added an entry to start sshd1.
/usr/man/ /Anap: Script to remove /usr/tmp/nap.
/bin/bx: As above.
ssh1-related files in /usr/lib, /etc, /root, /usr/local/bin and /usr/local/sbin: trojanised 1.2.27 ssh suite. sshd1 is both a password harvester and a network backdoor. Its log file and a pre-planted username and password are stored in /usr/tmp/nap. In this case, sshd1 is a network backdoor because no one else knows that sshd1 is running on this server.
RPMs: nfs-utils-0.1.9.1-1, wu-ftpd-2.6.0-14.6x, ypserv-1.3.9-1, telnet-0.10-29, screen-3.9.4-3, make-3.77-6, lpr-0.48-1, am-utils-6.0.1s11-1.6.0

NOTE:
A) /sbin/syslogd was NOT trojanised, because the rootkit was looking for /usr/sbin/syslogd! Also, a "diff" against a clean copy of syslogd shows no difference.
B) These trojans were installed by /usr/man/.Ci/fix, which is able to fix timestamps and checksums. "diff" is a good way to spot any difference from a clean copy of these programs.
C) Most trojans are associated with a config file. One simple way to find them is "strings | grep '/'". This should reveal the locations of the config files, among other garbage.
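A triage helper for notes B and C, added here as an example (it is not part of the original report or of the rootkit): it compares a suspect binary byte-for-byte against a clean copy and lists the absolute paths embedded in it, flagging the config-file locations named in the report. It assumes a known-good copy of each binary is available (the location is the analyst's choice) and uses only POSIX tools, so it works where 'strings' is not installed.

```shell
#!/bin/sh
# Added triage helper (not from the original report) for notes B and C.

# Config and working paths named in the report; a system binary that embeds
# any of these is suspect.
KNOWN_RK_PATHS='/dev/ptyp /usr/man/r /usr/man/.a /usr/man/.p /usr/man/.l
/usr/libexec/awk/addy.awk /dev/.oz/r /dev/.oz/p /usr/man/.Ci /usr/tmp/nap'

# Portable stand-in for "strings | grep '/'": every non-printable byte becomes
# a line break, then keep the runs that look like an absolute path.
embedded_paths() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^/[[:alnum:]_./-]+$' | sort -u
}

# Exit 0 and print one line per hit if the binary embeds any known rootkit
# path; exit 1 if none are present.
has_rootkit_paths() {
    hit=1
    for p in $(embedded_paths "$1"); do
        for k in $KNOWN_RK_PATHS; do
            [ "$p" = "$k" ] && { echo "$1: references $p"; hit=0; }
        done
    done
    return $hit
}

# Note B: 'fix' forges mtime/ctime and the checksum, so only a full
# byte-for-byte comparison with a known-good copy is reliable.
# Exit 0 if the files differ, 1 if they are identical.
differs_from_clean() {
    cmp -s "$1" "$2" && return 1
    echo "$1: differs from clean copy $2"
    return 0
}

# Run both checks on one binary. Example usage (clean-copy path is assumed):
#   triage /bin/ps /mnt/trusted/bin/ps
triage() {
    differs_from_clean "$1" "$2" || echo "$1: identical to clean copy"
    has_rootkit_paths "$1" || echo "$1: no known rootkit paths embedded"
}
```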