[lug] What does this mean?

matthew.w.mcillece at lmco.com matthew.w.mcillece at lmco.com
Wed Mar 22 12:27:42 MST 2000


You mentioned that you were first tipped off by the unusual entry you found
in your nameserver.  Could you be more specific about where you discovered
this entry?  What file would I need to look in on my hard disk to check for
the presence of such an entry?

> -----Original Message-----
> Date: Tue, 21 Mar 2000 12:32:46 +0100
> To: lug at lug.boulder.co.us
> From: Samartha <qwerty at pobox.com>
> Subject: RE: [lug] What does this mean?
> Reply-To: lug at lug.boulder.co.us
> 
> At 01:39 AM 3/21/00 -0700, you wrote:
> >After some investigating, I managed to get a hold of the utility that was
> >run on my system.
> >What is this doing? Please bear with me :)
> >Thanks,
> >Shannon
> >
> ># ./fix /bin/ps backdoor/ps /usr/lib/ldlibps.so
> ># ./fix /bin/netstat backdoor/netstat /usr/lib/ldlibstat.so
> 
> looks as if somebody has fixed up some programs on your machine.
> 
> What a rootkit does is to create a hidden backdoor to obtain root access
> to your machine at will.
> 
> see:
> 
> http://www.rewted.org/utilities/rootkits/
> 
> take the lrk4, unpack it and look at the code to give you an idea.
> 
> How it is done is by replacing basically all essential system programs
> (ls, du, ps, login, tar, find, netstat ...) with trojans to hide
> 
> a.) a hidden directory (sometimes ...) where all stuff is kept
> b.) the existence of trojans
> 
> by reporting the correct file sizes, checksums and disk usage so
> one won't notice the existence of a root compromise and hide the
> existence of the intruder and its tools.
> 
> The only way to circumvent the compromise is to use clean programs
> by possibly booting from another disk.
> 
> Reinstall from scratch and restore from a backup done before the
> compromise and patching the holes where they came in may be a good way
> to get out of this.
> 
> I had a root compromise with lrk4 and they were running a ./fix on
> programs to replace them with trojans or change some bytes to generate
> a correct checksum.
> 
> It's really bad when you find that your ls does not show you everything or
> lies about file sizes.  The trojans are significantly larger than the
> originals.
> 
> Write down the hours it takes you to recover and the damage you suffer, if
> you have any traces where they came from and if they are in your state,
> you may sue them for damages.
> 
> also, see:
> 
> http://www.cert.org/tech_tips/root_compromise.html
> 
> Samartha
> 
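The practical point in the quoted reply is that once ps, netstat, ls and friends are replaced, the box's own tools can no longer be trusted, so the check has to be done with a clean tool set and a baseline recorded before the compromise. The script below is an added example written for this archive page, not something posted in the thread: it records SHA-256 hashes and sizes of a list of binaries into a baseline you keep off the machine, then re-verifies them and reports any file whose hash changed (the size delta is reported too, since the reply notes the trojans are noticeably larger). The intended use is from a rescue boot with the suspect filesystem mounted read-only under some directory passed as `root`; the `bin/ps` and `bin/netstat` files and their contents in `demo()` are constructed stand-ins so the script runs offline.

```python
"""Verify system binaries against a known-good hash baseline.

Added example for the lrk4 discussion above (not from the thread). Run it
with a clean Python from rescue media; the suspect filesystem is mounted
read-only at `root`, and the baseline JSON is stored somewhere the intruder
could not reach. All sample file names and contents below are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, rel_paths):
    """Record hash and size of each file under root, keyed by relative path.

    Build this on a known-clean system (fresh install, before the machine is
    exposed) and store the resulting dict as JSON off the box.
    """
    baseline = {}
    for rel in rel_paths:
        full = os.path.join(root, rel)
        baseline[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    return baseline


def verify(root, baseline):
    """Compare files under root with the baseline.

    Returns a list of (relative path, description) tuples; an empty list
    means every baselined file is present and byte-for-byte unchanged.
    """
    findings = []
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings.append((rel, "missing"))
            continue
        digest = sha256_of(full)
        if digest != expected["sha256"]:
            delta = os.path.getsize(full) - expected["size"]
            findings.append((rel, f"hash mismatch, size change {delta:+d} bytes"))
    return findings


def demo():
    """Constructed scenario: baseline two fake binaries, then tamper with one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name in ("ps", "netstat"):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(b"ELF-placeholder for " + name.encode())

        baseline = build_baseline(root, ["bin/ps", "bin/netstat"])
        # In real use this JSON is written to removable media, not to `root`.
        stored = json.dumps(baseline)

        # Simulate a replaced binary: the new file is larger than the original.
        with open(os.path.join(root, "bin", "ps"), "ab") as f:
            f.write(b" extra bytes")

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    findings = demo()
    if not findings:
        print("all baselined files unchanged")
    for rel, what in findings:
        print(f"{rel}: {what}")
```

Hashes are compared rather than sizes alone because, as the reply notes, a ./fix-style tool can pad a replacement to match a weak checksum; a full SHA-256 over the file contents is not something padding can satisfy. The baseline must be both built and verified with tools the intruder never had write access to, otherwise a trojaned hashing utility would simply report whatever the attacker wants.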