Dear Network Admin at B-Line Technical Services,
It has come to our attention that someone from a host (IP address 207.35.251.172) under your management has launched an attempt to compromise one of our servers at 192.168.1.102.
Our intrusion detection system recorded an attack launched from this host against the FTP service of our server at 19:52:51 on September 16, 2001. We do not believe this was done with your knowledge, but we are concerned that you are also a victim of this cracker's act. Please double-check the user database on this host to ensure that no unauthorized accounts were created, and please ensure that you do not have any unauthorized services listening on port 24 and/or port 6666 of this host.
The tool used by this cracker is commonly known as t0rnkit, and the following behaviour has been documented for this tool:
- killing syslogd
- alerting the intruder to remote logging facilities by searching the syslog configuration file for the '@' character
- storing an intruder-supplied password for trojan horse programs in /etc/ttyhash
- installing a trojan horse version of sshd configured to listen on an intruder-supplied port number with intruder-supplied SSH keys stored in a directory named '/usr/info/.t0rn'. The trojan horse binary is installed as /usr/sbin/nscd and started using '/usr/sbin/nscd -q'. The same command is appended to /etc/rc.d/rc.sysinit to start the daemon at system boot time.
- locating trojan horse configuration files to hide file names, process names, etc. in a directory named '/usr/src/.puta'
- replacing the following system binaries with trojan horse copies:
    /bin/login
    /sbin/ifconfig
    /bin/ps
    /usr/bin/du
    /bin/ls
    /bin/netstat
    /usr/sbin/in.fingerd
    /usr/bin/find
    /usr/bin/top
- installing a password sniffer, sniffer logfile parser, and system logfile cleaning tool in /usr/src/.puta
- attempting to enable telnet, shell, and finger in /etc/inetd.conf by removing any leading '#' comment characters
- alerting the intruder about the word 'ALL' appearing in /etc/hosts.deny
- some versions attempt to patch rpc.statd and wu-ftpd with versions that are not vulnerable.
- restarting /usr/sbin/inetd
- starting syslogd
For a detailed discussion of t0rnkit and of the possible method by which your host might have been compromised, please refer to CERT Incident Note IN-2000-10 at http://www.cert.org/incident_notes/IN-2000-10.html.
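The following script is an added example, not part of the original notice or of CERT IN-2000-10: it checks a filesystem root for the t0rnkit artefacts listed above (the kit's directories and password file, the 'nscd -q' start line, uncommented inetd services, and a listener on port 24 or 6666). The test for an SSH banner inside /usr/sbin/nscd is a heuristic assumed here, not something the CERT note states, and the port check reads /proc/net/tcp directly because the kit replaces /bin/netstat.

```shell
#!/bin/sh
# Added example: check a Linux host (or a mounted image of one) for t0rnkit
# artefacts described in CERT IN-2000-10.
# Usage: t0rn_scan /                (live host, from a trusted shell)
#        t0rn_scan /mnt/evidence    (disk image mounted read-only)

# Files and directories the kit creates, relative to the filesystem root.
T0RN_PATHS="usr/info/.t0rn usr/src/.puta etc/ttyhash"
# System binaries the kit replaces with trojan horse copies.
T0RN_BINARIES="bin/login sbin/ifconfig bin/ps usr/bin/du bin/ls bin/netstat \
usr/sbin/in.fingerd usr/bin/find usr/bin/top"

# Prints one "FOUND: ..." line per indicator present under $1 (default /).
# Always exits 0; the number of output lines is the number of findings.
t0rn_scan() {
    root="${1:-/}"
    for p in $T0RN_PATHS; do
        if [ -e "$root/$p" ]; then
            echo "FOUND: $root/$p (t0rnkit file or directory)"
        fi
    done
    # The trojan sshd is started as '/usr/sbin/nscd -q' from rc.sysinit.
    if [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -q 'nscd -q' "$root/etc/rc.d/rc.sysinit"; then
        echo "FOUND: 'nscd -q' start line in $root/etc/rc.d/rc.sysinit"
    fi
    # Heuristic assumed by this example: a genuine nscd carries no SSH protocol
    # banner, so an "SSH-" string inside /usr/sbin/nscd points at the trojan sshd.
    if [ -f "$root/usr/sbin/nscd" ] && grep -aq 'SSH-' "$root/usr/sbin/nscd"; then
        echo "FOUND: $root/usr/sbin/nscd contains an SSH banner (trojan sshd?)"
    fi
    # The kit uncomments telnet, shell and finger in inetd.conf.
    if [ -f "$root/etc/inetd.conf" ]; then
        for svc in telnet shell finger; do
            if grep -Eq "^[[:space:]]*$svc[[:space:]]" "$root/etc/inetd.conf"; then
                echo "FOUND: $svc enabled in $root/etc/inetd.conf"
            fi
        done
    fi
    return 0
}

# Verifies the replaced binaries against the RPM database on a live RPM-based
# host (a line is printed only when size, mode or digest differ from the package
# record); elsewhere, lists the files to compare against known-good checksums.
t0rn_verify_binaries() {
    root="${1:-/}"
    if [ "$root" != "/" ] || ! command -v rpm >/dev/null 2>&1; then
        echo "Compare these against known-good checksums from install media:"
        for b in $T0RN_BINARIES; do echo "  $root/$b"; done
        return 0
    fi
    for b in $T0RN_BINARIES; do
        if [ -e "/$b" ]; then
            rpm -Vf "/$b" 2>/dev/null | sed 's/^/FOUND (rpm -V): /'
        fi
    done
    return 0
}

# Reports LISTEN sockets on port 24 or 6666 by reading /proc/net/tcp ($1 may point
# at a saved copy). Ports are hex there: 24 = 0018, 6666 = 1A0A; state 0A = LISTEN.
# /bin/netstat is among the trojaned binaries, so it is not used here.
t0rn_ports_live() {
    tcp="${1:-/proc/net/tcp}"
    awk 'NR > 1 && $4 == "0A" && ($2 ~ /:0018$/ || $2 ~ /:1A0A$/) {
        print "LISTENING: " $2
    }' "$tcp" 2>/dev/null
    return 0
}
```

t0rnkit is a userland kit, so the shell's own file tests and grep (which the kit does not replace) still see the hidden directories on a live host; the trojaned ls, ps, find and netstat would not. Prefer running the scan against a read-only mounted image or after booting from clean media, and confirm the port findings with a scan from a separate trusted host.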
Please feel free to contact me if you require further information about how to remove the backdoor this cracker has left behind. For the time being, please remove the unauthorized user accounts from this host and apply the latest patches available for your system.
Yours truly,