#21 New backdoor/rootkit

Milestone: main
Status: closed
Owner: unSpawn
Labels: Rkhunter
Priority: 5
Updated: 2010-03-15
Created: 2010-01-23
Private: No

Several servers (it seems especially ones by 1and1) have been attacked with a new app that tries to gain access to other servers via brute-force ssh logins.

While rkhunter exposed the files as unknown, it did not identify them as an attack.

/dev/shm/s.jpg contained a compressed archive that got extracted into /dev/shm/scan

/dev/shm/scan included a copy of sshd as well as a copy of ssh renamed to ss:

s15337778:/dev/shm/scan # ll
total 2364
-rwx--x--x 1 test psacln 416 2008-07-10 02:32 a
-rwx--x--x 1 test psacln 91 2005-12-23 16:15 go.sh
-rw-r--r-- 1 test psacln 2095 2010-01-23 00:15 nobash.txt
-rw-r--r-- 1 test psacln 17 2010-01-23 07:11 pass.txt
-rwxr-xr-x 1 test psacln 167964 2001-03-16 17:47 pico
-rw-r--r-- 1 test psacln 84476 2008-09-10 17:01 pico.jpg
-rwx--x--x 1 test psacln 5944 2005-05-16 00:05 pscan2
-rwx--x--x 1 test psacln 5789 2007-08-03 10:15 pscan2.c
-rwxr-xr-x 1 test psacln 888 2007-05-28 15:34 scanB
-rwxr-xr-x 1 test psacln 249980 2001-02-13 13:36 screen
-rwx--x--x 1 test psacln 458068 2005-12-23 16:11 ss
-rwx--x--x 1 test psacln 1384518 2005-06-05 22:24 sshd
-rwxr-xr-x 1 test psacln 2918 2008-07-10 02:18 start

Discussion

  • unSpawn

    unSpawn - 2010-01-24

    FWIW looks like a common toolkit to me. Given the UID and GID of the files you may have other problems (PHP?) besides SSH attacks. Please attach original "/dev/shm/s.jpg" and bzipped tarball of "/dev/shm/scan".

     
  • unSpawn

    unSpawn - 2010-01-24
    • assigned_to: nobody --> unspawn
     
  • Daniel F. Kudwien

    Unfortunately, I don't have that fake-archive /dev/shm/s.jpg anymore.

    I'll also attach the new archive. What's wrong with the gzipped tarball I attached previously? I'd like to know for the future.

     
  • unSpawn

    unSpawn - 2010-01-25

    Uh. Didn't notice it. Sorry. Looking now.

     
  • unSpawn

    unSpawn - 2010-01-25

    Could you attach a tarball that has the missing sshd, ss(h), and screen?

     
  • Daniel F. Kudwien

    I have attached screen and ss(h) now, but sf.net doesn't allow me to attach the sshd due to max file size restrictions. I don't know whether there is a common way to split a tar archive into multiple volumes...?

     
  • unSpawn

    unSpawn - 2010-03-15
    • status: open --> closed
     
  • unSpawn

    unSpawn - 2010-03-15

    [00:00:01] Performing check of files with suspicious contents
    [00:00:01] Info: Starting test name 'suspscan'
    [00:00:02] Directories to check are: /dev
    [00:00:02] Temporary directory to use: /dev/shm
    [00:00:02] Maximum file size to check (in bytes): 10240000
    [00:00:02] Score threshold is set to: 200
    [00:00:05] Checking directory: '/dev'
    [00:00:05] File checked: Name: '/dev/shm/scan/scanB' Score: 0
    [00:00:05] File checked: Name: '/dev/shm/scan/pass.txt' Score: 0
    [00:00:05] File checked: Name: '/dev/shm/scan/pscan2' Score: 151
    [00:00:05] File checked: Name: '/dev/shm/scan/pico' Score: 205
    [00:00:05] Warning: File '/dev/shm/scan/pico' (score: 205) contains some suspicious content and should be checked.
    [00:00:05] File checked: Name: '/dev/shm/scan/go.sh' Score: 10
    [00:00:05] File checked: Name: '/dev/shm/scan/pscan2.c' Score: 252
    [00:00:05] Warning: File '/dev/shm/scan/pscan2.c' (score: 252) contains some suspicious content and should be checked.
    [00:00:05] File ignored: wrong type: '/dev/shm/scan/pico.jpg': 'gzip compressed data, from Unix, last modified: Day Mon 00 00:00:00 0000'
    [00:00:05] File checked: Name: '/dev/shm/scan/nobash.txt' Score: 110
    [00:00:05] File checked: Name: '/dev/shm/scan/start' Score: 20
    [00:00:05] File checked: Name: '/dev/shm/scan/a' Score: 220
    [00:00:05] Warning: File '/dev/shm/scan/a' (score: 220) contains some suspicious content and should be checked.
    [00:00:05] Warning: Checking for files with suspicious contents [ Warning ]

    While 3 out of 10 files isn't as good as one would hope, it does show that suspscan() *will* alert you when finding items. The kit itself isn't a rootkit or something new but a sub-set of the usual array of scanners.
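As an added example (not rkhunter's own code and not posted by either participant), here is a small Python parser for the suspscan log format quoted above. It recovers the threshold, the per-file scores, the file skipped as "wrong type" and the Warning lines, checks that the warnings agree with the score-versus-threshold decision, lists near misses that a lower threshold would additionally flag, and compares the scanned set against the file names from the ticket's `ll` listing. The log text and the listing are constructed copies of what appears on this page; the comparison `score >= threshold` is an assumption, since rkhunter's exact rule is not stated here.

```python
import re
from dataclasses import dataclass, field

# Constructed copy of the suspscan log lines quoted in the ticket (not live output).
SAMPLE_LOG = """\
[00:00:01] Performing check of files with suspicious contents
[00:00:01] Info: Starting test name 'suspscan'
[00:00:02] Directories to check are: /dev
[00:00:02] Temporary directory to use: /dev/shm
[00:00:02] Maximum file size to check (in bytes): 10240000
[00:00:02] Score threshold is set to: 200
[00:00:05] Checking directory: '/dev'
[00:00:05] File checked: Name: '/dev/shm/scan/scanB' Score: 0
[00:00:05] File checked: Name: '/dev/shm/scan/pass.txt' Score: 0
[00:00:05] File checked: Name: '/dev/shm/scan/pscan2' Score: 151
[00:00:05] File checked: Name: '/dev/shm/scan/pico' Score: 205
[00:00:05] Warning: File '/dev/shm/scan/pico' (score: 205) contains some suspicious content and should be checked.
[00:00:05] File checked: Name: '/dev/shm/scan/go.sh' Score: 10
[00:00:05] File checked: Name: '/dev/shm/scan/pscan2.c' Score: 252
[00:00:05] Warning: File '/dev/shm/scan/pscan2.c' (score: 252) contains some suspicious content and should be checked.
[00:00:05] File ignored: wrong type: '/dev/shm/scan/pico.jpg': 'gzip compressed data, from Unix, last modified: Day Mon 00 00:00:00 0000'
[00:00:05] File checked: Name: '/dev/shm/scan/nobash.txt' Score: 110
[00:00:05] File checked: Name: '/dev/shm/scan/start' Score: 20
[00:00:05] File checked: Name: '/dev/shm/scan/a' Score: 220
[00:00:05] Warning: File '/dev/shm/scan/a' (score: 220) contains some suspicious content and should be checked.
[00:00:05] Warning: Checking for files with suspicious contents [ Warning ]
"""

# File names from the ticket's 'll' listing of /dev/shm/scan (constructed from the page).
LISTED_FILES = ["a", "go.sh", "nobash.txt", "pass.txt", "pico", "pico.jpg",
                "pscan2", "pscan2.c", "scanB", "screen", "ss", "sshd", "start"]

THRESHOLD_RE = re.compile(r"Score threshold is set to: (\d+)")
CHECKED_RE = re.compile(r"File checked: Name: '([^']+)' Score: (\d+)")
IGNORED_RE = re.compile(r"File ignored: wrong type: '([^']+)': '([^']+)'")
WARNING_RE = re.compile(r"Warning: File '([^']+)' \(score: (\d+)\)")


@dataclass
class SuspscanReport:
    threshold: int
    scores: dict = field(default_factory=dict)   # path -> score
    ignored: dict = field(default_factory=dict)  # path -> reason (file type string)
    warned: set = field(default_factory=set)     # paths rkhunter itself flagged


def parse_suspscan(log_text: str) -> SuspscanReport:
    """Extract threshold, per-file scores, skipped files and warnings from a suspscan log."""
    threshold = None
    scores, ignored, warned = {}, {}, set()
    for line in log_text.splitlines():
        if m := THRESHOLD_RE.search(line):
            threshold = int(m.group(1))
        elif m := CHECKED_RE.search(line):
            scores[m.group(1)] = int(m.group(2))
        elif m := IGNORED_RE.search(line):
            ignored[m.group(1)] = m.group(2)
        elif m := WARNING_RE.search(line):
            warned.add(m.group(1))
    if threshold is None:
        raise ValueError("log has no 'Score threshold' line")
    return SuspscanReport(threshold, scores, ignored, warned)


def files_over_threshold(report: SuspscanReport) -> list:
    # Assumption: a file is flagged when score >= threshold; rkhunter's exact
    # comparison is not stated on the page.
    return sorted(p for p, s in report.scores.items() if s >= report.threshold)


def warnings_consistent(report: SuspscanReport) -> bool:
    """True when the Warning lines match the score-versus-threshold decision."""
    return set(files_over_threshold(report)) == report.warned


def near_misses(report: SuspscanReport, margin: int) -> list:
    """Files below the threshold by at most `margin` points: worth a manual look,
    and exactly what lowering the threshold by `margin` would additionally flag."""
    low = report.threshold - margin
    return sorted(p for p, s in report.scores.items() if low <= s < report.threshold)


def unexamined_files(report: SuspscanReport, listed_names: list) -> list:
    """Listed file names that appear in neither the checked nor the ignored set."""
    seen = {p.rsplit("/", 1)[-1] for p in list(report.scores) + list(report.ignored)}
    return sorted(n for n in listed_names if n not in seen)


if __name__ == "__main__":
    rep = parse_suspscan(SAMPLE_LOG)
    print("threshold:", rep.threshold)
    print("flagged:", files_over_threshold(rep))
    print("consistent with Warning lines:", warnings_consistent(rep))
    print("near misses (within 50):", near_misses(rep, 50))
    print("skipped as wrong type:", list(rep.ignored))
    print("listed but never scored:", unexamined_files(rep, LISTED_FILES))
```

Run on the quoted log, the parser confirms the three Warning lines are exactly the files at or above 200, reports pscan2 (151) as the one near miss within 50 points, and shows that pico.jpg was skipped because it is gzip data rather than text, the same reason a disguised archive like the reported s.jpg would not be scored by this test. It also lists screen, ss and sshd as present in the directory listing but absent from the log, which matches the files missing from the attached tarball.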

     
