[plug] Just got rooted

David Broadway djnitrous at hotmail.com
Mon Apr 1 14:02:26 WST 2002


SPECS --> rootkit infection files, machine details.

So far, from some of the logs I've checked up on, I see:

Mar 29 01:13:16 rhserver1 sshd[8350]: log: Connection from 194.176.174.94 port 2198
Mar 29 01:13:26 rhserver1 sshd[8350]: log: Could not reverse map address 194.176.174.94.
Mar 29 01:14:08 rhserver1 sshd[8350]: log: Closing connection to 194.176.174.94

The IP: 194.176.174.94

Has a Non-authoritative answer:
94.174.176.194.in-addr.arpa     name = stop-and-shop13.hd.ro

Which is NON-reversible:
** server can't find stop-and-shop13.hd.ro

Now note the number '13' in that address.

There was a returned email that was sent from my machine, from root, to
cuceritor13 at k.ro
www.k.ro (free email service)
The email contained CPU info, df info, a ping to rc3.yahoo.com, and this
message at the bottom.

* Shell-ul a fost patch-uit pentru Statdx si Wu-Ftp ...
******************************************************************
* IN CAZ DE BELEA MAI AI DESCHIS PE PORT TELNET ***** UN BACK-DOOR
******************************************************************

Translated back into English:
THE SHELL WAS PATCHED FOR USING Statdx AND Wu-Ftp
IN CASE YOU RUN INTO TROUBLE, THERE IS STILL TELNET FOR A BACK DOOR.

Later on I DENYed all connections and ended up getting this:

Denied packets from 194.176.174.94.
Port 2 (tcp,ppp0,input): 1 packet(s).
Total of 1 packet(s).

Maybe an sshd was installed on port 2?

Machine Details:
RH7.2
Did have wu-ftp (not sure about the version), whatever came installed with
RH7.2.

Files found to be located on the machine:

Under the root directory of the FTPd there was /cuceritor.tar.gz
and that was unpacked to /.trei

Later on I found /var/spool/cron/.../, a directory with 3 dots.

Back to the log:

SSHD Started: 1 Time(s)
    Connections:
        194.176.174.94: 1 Connection(s)


Would anyone know how to check that IP, to see if it's static or not?
I'm guessing it's static because when I hooked my box up to my NAT, after a
fresh reboot, it was trying to connect to that IP. Well, firstly it was
trying to DNS it, but couldn't since the machines weren't connected to the
internet. But yeah, I see it was trying to connect there.

Can anyone do a strobe on that IP to check it out?

Regards,
David
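As an added example (not part of David's post or any tool he names), the two checks a responder would script from the evidence above: summarising the quoted sshd "Connection from" / "Could not reverse map" lines per source IP, and walking a spool tree for directory names made only of dots, like the /var/spool/cron/... found on the box. The log lines and the spool layout are constructed to match the post.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed log lines modelled on the sshd entries quoted in the post.
SAMPLE_LOG = """\
Mar 29 01:13:16 rhserver1 sshd[8350]: log: Connection from 194.176.174.94 port 2198
Mar 29 01:13:26 rhserver1 sshd[8350]: log: Could not reverse map address 194.176.174.94.
Mar 29 01:14:08 rhserver1 sshd[8350]: log: Closing connection to 194.176.174.94
Mar 29 09:02:11 rhserver1 sshd[8402]: log: Connection from 10.0.0.7 port 41022
Mar 29 09:02:40 rhserver1 sshd[8402]: log: Closing connection to 10.0.0.7
"""

CONN_RE = re.compile(r"sshd\[\d+\]: log: Connection from (\d+\.\d+\.\d+\.\d+) port (\d+)")
NOREV_RE = re.compile(r"sshd\[\d+\]: log: Could not reverse map address (\d+\.\d+\.\d+\.\d+)")


def summarize_sshd(log_text):
    """Count connections per source IP and flag IPs whose reverse lookup failed."""
    stats = defaultdict(lambda: {"connections": 0, "no_reverse": False})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            stats[m.group(1)]["connections"] += 1
            continue
        m = NOREV_RE.search(line)
        if m:
            stats[m.group(1)]["no_reverse"] = True
    return dict(stats)


def find_dot_only_dirs(root):
    """Return directories under root whose name is only dots ('...', '....'), which a plain ls hides."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if set(d) == {"."}:
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def demo_cron_spool():
    """Build a constructed spool tree containing a hidden '...' directory and scan it."""
    base = tempfile.mkdtemp()
    spool = os.path.join(base, "var", "spool", "cron")
    os.makedirs(os.path.join(spool, "..."))          # the three-dot directory from the post
    open(os.path.join(spool, "root"), "w").close()   # an ordinary crontab file, not flagged
    return [os.path.relpath(p, base) for p in find_dot_only_dirs(base)]
```

Run summarize_sshd over the real /var/log/messages (or secure) and find_dot_only_dirs over /var/spool, /tmp and /dev on the compromised host; any IP with no_reverse set and any dot-only directory deserves a closer look.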


