Re: Long Exim break-in analysis

On Wed, Dec 22, 2010 at 01:42:03PM +0200, Izak Burger wrote:
> The usual process related things replaced:
> free  pgrep  pmap  skill    snice   tload  uptime  w
> kill  pkill  ps    slabtop  sysctl  top    vmstat  watch

This looks like the rootkit I found somewhere on the internet:
| 137a3bbda16034d34307a9d686e6fdb45b3c8683  procps/free
| 5db25350dd15d3f1e63a4ff44fa85b72c21df72d  procps/kill
| eeab165a2cf06feb327fa996f35271c076e992bc  procps/pgrep
| eeab165a2cf06feb327fa996f35271c076e992bc  procps/pkill
| a6569d433351bba70ae55738b47267bf2514e27e  procps/pmap
| 074896d923ec652046c60cdcd254ff01c497bee9  procps/ps
| bbb33300c5d8f53a60fe472b6b879c9853b26c57  procps/pwdx
| 5db25350dd15d3f1e63a4ff44fa85b72c21df72d  procps/skill
| bd8e998354f28f5f7216688f3a4b6e4007170d63  procps/slabtop
| 5db25350dd15d3f1e63a4ff44fa85b72c21df72d  procps/snice
| bbf9b74494b4669c663c19cc53fd1fef9e585d2a  procps/sysctl
| c32f4ed4efa1305a2e9876b640e90fb9836a9f05  procps/tload
| 3c84c94470376612507d39fbe7a227465a516525  procps/top
| eb17b3b64913e7fa0d4b43a467a2548f96670a2e  procps/uptime
| 9815f97ed37553c7915e2e35dfaadab796aac864  procps/vmstat
| f7754627d890a393f0a917eaebbffdf458b6ce4d  procps/w
| c480eefa72eb62183fb6e26cd8d68c58fefc26e0  procps/watch

The initial checks show 32-bit static binaries, built on RHEL 4, update
7 and 8.

But it also adds this to the startup scripts:
| /usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP

The only reference I found is another remote shell somewhere in 2003.

> The rest of the machine appears untouched, but I'll probably reinstall anyway.

Something left behind in /var/spool/exim4?
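As an added example (not part of this thread or any tool the posters used), here is a small Python audit that turns the indicators quoted above into a check a defender can run against a directory of procps tools: it compares each tool's SHA-1 against the hash list from the message, flags 32-bit statically linked ELF files (the shape reported for the trojaned binaries; the ELF parsing and the "unusual for a distro package" heuristic are my assumption, not something the message states), and matches firewall rules that drop outbound TCP to port 45295. The two sample ELF images and the sample iptables lines are constructed for the demo, not real binaries or rules from the compromised host.

```python
import hashlib
import os
import struct
import tempfile

# SHA-1 digests of the trojaned procps tools quoted in the message,
# keyed by tool name (kill/skill/snice and pgrep/pkill share digests).
KNOWN_BAD_SHA1 = {
    "free":    "137a3bbda16034d34307a9d686e6fdb45b3c8683",
    "kill":    "5db25350dd15d3f1e63a4ff44fa85b72c21df72d",
    "pgrep":   "eeab165a2cf06feb327fa996f35271c076e992bc",
    "pkill":   "eeab165a2cf06feb327fa996f35271c076e992bc",
    "pmap":    "a6569d433351bba70ae55738b47267bf2514e27e",
    "ps":      "074896d923ec652046c60cdcd254ff01c497bee9",
    "pwdx":    "bbb33300c5d8f53a60fe472b6b879c9853b26c57",
    "skill":   "5db25350dd15d3f1e63a4ff44fa85b72c21df72d",
    "slabtop": "bd8e998354f28f5f7216688f3a4b6e4007170d63",
    "snice":   "5db25350dd15d3f1e63a4ff44fa85b72c21df72d",
    "sysctl":  "bbf9b74494b4669c663c19cc53fd1fef9e585d2a",
    "tload":   "c32f4ed4efa1305a2e9876b640e90fb9836a9f05",
    "top":     "3c84c94470376612507d39fbe7a227465a516525",
    "uptime":  "eb17b3b64913e7fa0d4b43a467a2548f96670a2e",
    "vmstat":  "9815f97ed37553c7915e2e35dfaadab796aac864",
    "w":       "f7754627d890a393f0a917eaebbffdf458b6ce4d",
    "watch":   "c480eefa72eb62183fb6e26cd8d68c58fefc26e0",
}

DROPPED_PORT = 45295   # port from the iptables line quoted in the message
STATIC_NOTE = "static 32-bit ELF (unusual for a distro-packaged procps tool)"


def is_static_elf32(data):
    """True if data is a 32-bit ELF with no PT_INTERP program header,
    i.e. statically linked (assumed heuristic, see lead-in)."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] != 1:  # ELFCLASS32
        return False
    end = "<" if data[5] == 1 else ">"              # EI_DATA: 1 = little-endian
    e_phoff = struct.unpack_from(end + "I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            return False                             # truncated: don't guess
        if struct.unpack_from(end + "I", data, off)[0] == 3:   # PT_INTERP
            return False                             # has an interpreter
    return True


def audit_binary(path):
    """Findings for one file: known-bad hash match and/or static-32-bit shape."""
    name = os.path.basename(path)
    with open(path, "rb") as f:
        data = f.read()
    findings = []
    if KNOWN_BAD_SHA1.get(name) == hashlib.sha1(data).hexdigest():
        findings.append("sha1 matches known trojaned " + name)
    if is_static_elf32(data):
        findings.append(STATIC_NOTE)
    return findings


def audit_directory(directory):
    """Audit the tools named in KNOWN_BAD_SHA1 that exist under directory."""
    report = {}
    for name in sorted(KNOWN_BAD_SHA1):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            findings = audit_binary(path)
            if findings:
                report[name] = findings
    return report


def is_suspicious_output_drop(rule):
    """Match an OUTPUT DROP for tcp --dport DROPPED_PORT, in either the
    command form quoted above or iptables-save form (-A OUTPUT ...)."""
    toks = rule.split()
    if not ({"OUTPUT", "DROP", "tcp", "--dport"} <= set(toks)):
        return False
    i = toks.index("--dport")
    return i + 1 < len(toks) and toks[i + 1] == str(DROPPED_PORT)


def fake_elf32(dynamic):
    """Constructed minimal ELF32 image (header + one program header) for
    the demo only; dynamic=True adds a PT_INTERP entry."""
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    p_type = 3 if dynamic else 1                     # PT_INTERP vs PT_LOAD
    return ehdr + struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, 0, 0)


def demo():
    """Write the constructed samples to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ps"), "wb") as f:
            f.write(fake_elf32(dynamic=False))        # trojan-like shape
        with open(os.path.join(d, "top"), "wb") as f:
            f.write(fake_elf32(dynamic=True))         # ordinary dynamic binary
        return audit_directory(d)


if __name__ == "__main__":
    print(demo())
    print(is_suspicious_output_drop(
        "/usr/sbin/iptables -I OUTPUT 1 -p tcp --dport 45295 -j DROP"))
```

Running the script prints the demo report (only the constructed "ps" is flagged, for its static 32-bit shape; no hash matches, since the samples are synthetic) and True for the quoted iptables line. Against a live system you would point audit_directory at a copy of /bin and /usr/bin taken from the suspect host and feed the output of iptables-save to is_suspicious_output_drop line by line.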


