[lug] script kiddie
D. Stimits
stimits at attbi.com
Sun Dec 1 12:06:24 MST 2002
jdavis wrote:
> Hello,
> While reviewing last night's Snort logs I noticed a lot of SSL Slapper-like
> activity from one box to my webserver. The box looked to be
> in Thailand, so I decided to have a look. An nmap scan of the box in Thailand
> showed nothing interesting except that port 2000 was open, so I telnetted
> to it and got a shell with the apache uid. The shell dropped me in /, so
> I looked in /tmp to see if any Slapper files were there... I didn't see
> any, but there was lots of other stuff.
> ...
> -rwxr-xr-x 1 apache apache 2311 Nov 26 23:10 r00t.sh
> ...
> Can anyone tell me what r00t.sh does? And how would one go about
> notifying the owners?
It is a popular root kit. It gives full unrestricted root access to
whoever installed it, and usually sniffing ability is added to provide
any passwords that are visible, in order to compromise other machines.
Probably it adds other means of hiding trails and searching for other
machines to compromise. Likely the owner needs to know that every
password entered that went through that machine is known to the
attacker, and if ssh has been replaced, even passwords sent via ssh will
be known. The real owner of the machine really needs to know what is
going on.
D. Stimits, stimits AT attbi.com
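As an added example (not part of this thread), a small triage script that checks a suspect host for the three things mentioned above: a sniffer (interface in promiscuous mode), an unexpected listener such as the port-2000 shell, and a replaced ssh binary (via rpm -V). The command output it parses here is constructed sample text; on a real host you would feed it the output of `ip link`, `ss -lntp` and `rpm -V`.

```python
import re

# Constructed sample output (not from the original thread) of `ip link`,
# `ss -lntp` and `rpm -V openssh-clients` on a host like the one described.
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:80   0.0.0.0:* users:(("httpd",pid=1301,fd=4))
LISTEN 0 10  0.0.0.0:2000 0.0.0.0:* users:(("sh",pid=4412,fd=5))
"""
# rpm -V prints one line per file that differs from the package database;
# a '5' in the third flag column means the file's digest no longer matches.
RPM_VERIFY_SAMPLE = """\
S.5....T.    /usr/bin/ssh
.......T.  c /etc/ssh/ssh_config
"""
EXPECTED_LISTENERS = {22, 80}  # services the owner knows this box runs

def promiscuous_interfaces(ip_link_output):
    """Interfaces whose flags include PROMISC, the classic sniffer indicator."""
    found = []
    for line in ip_link_output.splitlines():
        m = re.match(r"\d+: (\S+): <([^>]*)>", line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found

def unexpected_listeners(ss_output, expected=EXPECTED_LISTENERS):
    """(port, process) for LISTEN sockets not on the allowlist, e.g. a bind shell."""
    hits = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue
        port = int(line.split()[3].rsplit(":", 1)[1])
        proc = re.search(r'\(\("([^"]+)"', line)
        if port not in expected:
            hits.append((port, proc.group(1) if proc else "?"))
    return hits

def modified_binaries(rpm_verify_output):
    """Paths whose content digest differs from the package (trojaned ssh, ps, ...)."""
    modified = []
    for line in rpm_verify_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0][2] == "5":
            modified.append(parts[-1])
    return modified
```

A hit on any of the three is reason to treat every password that passed through the host as exposed, as the reply above says, not to trust the host's own tools for the rest of the investigation.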