Rootkit Detail

ooty.tar.gz:

MD5 Sum                           Filename    Description
1a9c57979ed70fcd41caec26dd70fba7  bighole     This appears to be bighole.c compiled
4bf5b0e6d4c540116b3ca7ed4450a404  bighole.c   This is code for a program to change sush to SUID root
7823c211f547cdede9b0432cd49e6cbe  bindpar.x   Parses a string for exploitable versions of sendmail
f64d275b19738aebc92da069ae2ed463  CrOn        AKKE's simple mail exploit. It calls /tmp/cron_echo every minute (I think)
148ff4debd5b846a9414658c0d3cc2a1  crontab.x   Another sendmail exploit from AKKE. It echoes a root account into the passwd file
f3fc545329fd1d04a89ac6806239ab11  flare       #!/usr/bin/suidperl print "Nothin can stop me now...\n";
a56ae118dd165cc5b19b035d3bebc42e  kernel.x    This looks like a program that exploits threads to give a root shell
3b1eaaa9c73575da056c7dc36c0bbe22  mail.x      Sendmail exploit written by Wojciech Purczynski
20324a6bdffe77b00142f965df46d91d  motd        Repeats "You were hacked, you should really learn about security" 100 times
ab365efd3c0014ecce29409787e2b141  perl.x      Creates flare, bighole.c, and sush.c. It makes bighole and sush then starts sush
7df9ef836e85e7d5d6441916c150ecde  prlnx.sh    Older version of mail.x
41b8c649ec1c7dcd9eba85171f076d33  sush        setuid(0);setgid(0);system("/bin/bash");

copy.tar.gz:

MD5 Sum                           Filename          Description
97788e18f90279d4d0f4b5ea54db20dc  generate          Generates a list of ip addresses from $1.0.1 to $1.254.254 in file $2
3e61554860bbcb6d6abf11f1a7951194  genmass           Another IP generator
4cfae8c44a6d1ede669d41fc320c7325  mj2               These both look like the 'syn' tool from the TFN toolkit. They just send a spoofed SYN packet. http://www.sans.org/y2k/TFN_toolkit.htm
4cfae8c44a6d1ede669d41fc320c7325  mj3               Same as mj2 (identical MD5 sum)
949e8314d867f3ef52d7d7693322a48f  process_list      Helper program. Turns wu-scan.log into ips.wu
3356953fae17d5d89d3d465179cf7293  root_them         Runs ./process_list < wu-scan.log > ips.wu then runs ./xploit -h on each line in ips.wu
985493c7847c3388f9cdc25de98183c9  ssh               A trojaned ssh daemon
bdcf49fb2edabc1d57791f2f4823e284  suu.tgz           Not a tar but a binary that exploits su on red hat 6.2. Doing's code at http://cert.uni-stuttgart.de/archive/bugtraq/2000/11/msg00373.html
d61e3bf9efd12e9a048519bc4d2e5565  wu-scan           Scans for RedHat 6.2 boxes running wu-2.6.0. Source at http://www.epoxysbox.org/files/programs/scanners/wu-scan.c
1846e746acbca03e1aa7a66a1aeac34f  zxploit           Binary that exploits wu-ftpd 2.6.0 to give you a root shell. Source at http://www.securiteam.com/exploits/3V5QGQKQ0C.html
430e2ef18d8152823f64a4a2ae0ac0e6  ./smrf/smrf5      A strong DoS tool: (papa)smurf.c v5.0 by TFreak - http://www.rootshell.com
cf2081a248b9bbdabcb190dbbd40808d  ./smrf/smurf.ips  A list of 100 ips.

Zer0.tar.gz:

MD5 Sum                           Filename    Description
de99b735a63b58baf9d0dc8b01f110a9  adore.h     header file for the ava rootkit
bcb32fcbe8b054e8e35cc73a4902b016  adr2.tgz    Adore files
a5fba8f3da0626ab47379c75267bd9a0  adr.tgz     Adore files
bcf1c8af2be82b08a86d01008cc7209a  Go          Install script for adore and hacked SSHD
b0601097a9b8b410c9f7e1619c9aeab3  ssh.tgz     hacked SSH daemon

tls.tgz:

MD5 Sum                           Filename    Description
c885a0d5cd3897f2f1d1e4a8ee9865c0  lgstrip     linsniff log parser hdlp2 by JaV http://63.164.121.201/worms/t0rn/tk/t0rnp
f24f304a2b6fecf31fb1751148d43bfb  nscd.init   Shell script that starts the hacked sshd, runs stad (loads and hides the ava module) and hides everything listed in (6) of Go
6e7ea425a86bb36d9fdfde4ad11b3513  patch       downloads & installs these rpms from the redhat site: wu-ftp, bind, imapd, apache, nfs and sendmail
22c3427789f619297344dcad47417456  vrssb       log cleaner helper
6c0f96c1e43a23a21264f924ae732273  vrssnf      sniffer
c1cebc64b46d0027bd21bbb7e2776a13  vrssnk      log cleaner

Go:

1) killall -9 syslogd and store `pwd` in $pwd
2) checks if tornkit is already installed on this machine
2) checks if the machine is logging to another computer and displays a warning
3) mkdir -p these dirs

   /tmp/.dir1                      (touched with /bin)
   /tmp/.dir2                      (touched with /usr/X11R6/bin)
   /tmp/.dir3                      (touched with /etc/rc.d/rc3.d)
   /usr/X11R6/lib/X11/.~/
   /usr/X11R6/bin/.,/copy/adr/
   /dev/rd/sdc0/
   /usr/info/.t0rn

4) copies /bin/bash to /usr/X11R6/bin/.,/copy/zsh, chmods it to 7777 (setuid and setgid root, world-writable) then runs it
5) untars ssh.tgz to $pwd/.t0rn and moves .t0rn/sharsed to /usr/X11R6/bin/.,/copy/adr/nscdx
6) runs .t0rn/shsml $1 (FIND OUT WHAT THIS DOES!!!)
7) moves .t0rn/shhash to /etc/ttyhash
8) moves .t0rn/adr.tgz and .t0rn/tls.tgz to /usr/X11R6/bin/.,/adr/ and then untars them there.
9) moves /usr/X11R6/bin/.,/adr/nscd.init to /dev/rd/nscd.init
10) it then gets a user-specified port (24) or defaults to 6666
11) it then moves sharedsed, shhk, shrs, shhk.pub and shsml to /usr/info/.t0rn
12) it then adds /dev/rd/nscd.init to /etc/rc.d/rc3.d/S50inet and runs /usr/X11R6/bin/.,/copy/adr/nscdx -q (quiet, no logging)
13) then it echoes computer info such as IP, hostname, bogomips, alternative IPs, the redhat distro info and some ipchains lines
14) checks if you have make. If you don't, it downloads the rpm for you from the redhat site.
15) it'll then check if you have gcc. If not, it downloads the rpm from the redhat site.
16) the script then installs the adore (0.39) rootkit. For anyone not familiar with it, here's the usage:

Usage: adore {h,u,r,R,i,v,U} [file, PID, or dummy (for U)]

h hide file
u unhide file
r execute as root
R remove PID forever
U uninstall adore
i make PID invisible
v make PID visible


17) the script'll then start ava (the frontend to adore) and start a sniffer (vrssnf, logging to /usr/X11R6/bin/.,/copy/adr/tcp.log)
18) it'll then use ava to hide the following:

/usr/X11R6/bin/.,
/usr/info/.t0rn
/dev/rd/sdc0
/dev/rd/nscd.init
/etc/rc.d/rc3.d/S50inet
/usr/X11R6/lib/X11

19) it then executes a log cleaner, vrssnk
20) it then echoes "uucp" into /usr/X11R6/lib/.~/l.no
21) next, it touches /etc/pam.d/ and /etc/pam.d/* with /etc/default
22) it'll then chown uucp.uucp /usr/X11R6/lib/X11/.~/l.no and s.no (I'm not sure where s.no came from)
23) it then runs vrssb login, ftp and dns. This erases lines containing the words login, ftp or dns from /var/log/* (simplified).
24) next, it deletes all the *.c, *.h, *.tgz and other unneeded files.
25) then it kills .bash_history and links it to /dev/null
26) next it reverses the touches it made in step 3, touches /etc with /root and deletes /tmp/.dir*
27) then you're in trouble
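As an added example (not part of the original analysis), a Python check that looks for the artifact paths the Go script creates and for the MD5 sums listed in the tables above. It assumes the root it is given is an offline-mounted copy of the disk, since on the live machine adore hides these paths; build_sample_tree is a constructed fixture, not real rootkit files.

```python
# Added example, not from the original analysis: scan an offline-mounted root for the t0rn/adore artifacts above.
import hashlib
import os
import tempfile

# Paths the Go script leaves behind (steps 3, 7, 9, 11, 12 and 20 above).
T0RN_PATHS = [
    "usr/X11R6/bin/.,", "usr/X11R6/lib/X11/.~", "usr/info/.t0rn",
    "dev/rd/sdc0", "dev/rd/nscd.init", "etc/rc.d/rc3.d/S50inet", "etc/ttyhash",
]
# MD5 sums copied from the tables above, keyed by digest.
KNOWN_MD5 = {
    "41b8c649ec1c7dcd9eba85171f076d33": "sush",
    "985493c7847c3388f9cdc25de98183c9": "ssh (trojaned sshd)",
    "f24f304a2b6fecf31fb1751148d43bfb": "nscd.init",
    "bcf1c8af2be82b08a86d01008cc7209a": "Go",
}

def md5_of(path):
    with open(path, "rb") as f:  # whole-file read; these samples are small
        return hashlib.md5(f.read()).hexdigest()

def scan_tree(root, known_md5=KNOWN_MD5, paths=T0RN_PATHS):
    """Return sorted (kind, path) findings: known artifact paths and hash hits."""
    findings = []
    for rel in paths:
        p = os.path.join(root, rel)
        if os.path.lexists(p):  # lexists also catches dangling symlinks
            findings.append(("path", p))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            try:
                digest = md5_of(p)
            except OSError:  # unreadable file: skip rather than abort the scan
                continue
            if digest in known_md5:
                findings.append(("md5:" + known_md5[digest], p))
    return sorted(findings)

def build_sample_tree():  # constructed fixture, not real rootkit files
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "dev", "rd"))
    open(os.path.join(root, "dev", "rd", "nscd.init"), "w").close()
    os.makedirs(os.path.join(root, "usr", "X11R6", "bin", ".,"))
    with open(os.path.join(root, "usr", "X11R6", "bin", ".,", "zsh"), "wb") as f:
        f.write(b"hello")  # md5 5d41402abc4b2a76b9719d911017c592
    return root
```

A recompiled or repacked copy will not hash-match, so the path checks are the more durable signal; the MD5 list only catches these exact samples.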