LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-16-2004, 02:49 PM   #1
techra
LQ Newbie
 
Registered: Sep 2004
Posts: 1

Rep: Reputation: 0
twitch@Stealth -- what is this?


This morning we found a nice program taking up all system resources on a box. I've googled around for this program and can't find anything about it.

Somehow some Brazilian got into our system, created an account called apachi and began scanning around for .db files -- we figured looking for credit cards. We have none stored.

Anyway, the program that was running was in /tmp -- "st" it was called. We copied it over to an isolated machine and ran it with --help.

It says:

twitch@Stealth
warning this program is very dangerous
run as
st-kill <host> <port>

The twitch@Stealth part is done in K-RAD ansi colors.

We can't figure out exactly what it does or what it was used for. The hacker also put in a directory in /tmp called .sux -- inside a file.sh in Portuguese which I cannot fully translate. This is where the *.db lookups were and scanning httpd files.

Anyone seen this yet? Where do I properly report it? Can't find anything on google about it at all, and we want to know how this got here, what it was doing, and why.

Thanks for any help.

Taylor
 
Old 09-16-2004, 11:49 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I believe that's a flooder:
http://www.netsys.com/full-disclosur.../msg00715.html

Sounds like you got several cracking tools installed on your system. You should take it offline immediately and do a full format and re-installation from trusted media (not from a backup). When you re-install, make sure to immediately update the packages on your system or download the patches beforehand and burn them to a CD and install before even putting it back online. Also consider all passwords and authentication tokens on that system to be compromised as well. You should also verify that any machines that have been in contact with this one are not compromised as well (having traffic sniffed and keystrokes logged is becoming much more common).

If you'd like to do some forensic analysis on the system (see what's installed, try and find the means of entry, etc) you should really make a bit-by-bit copy of the drive and work with that instead. But you will absolutely need to take your system offline immediately and re-install.

If you wish to report it, you can contact your ISP as well as the ISP of the intruder. Usually providing them with any relevant logs can be helpful. Otherwise chalk it up as a learning experience and spend some time securing your box to prevent it from happening again.
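The "bit-by-bit copy of the drive" step above is the part people most often get wrong (imaging the live disk, or imaging it and never proving the copy matches). The script below is an added example, not code from the thread or from Capt_Caveman: it images a source with dd, records SHA-256 hashes of source and image side by side, and fails if they differ, then runs triage (a string search for the banner the poster saw) against the image rather than the original. To run offline it builds a small constructed scratch file standing in for the suspect disk; on a real incident SOURCE would be the block device attached read-only to a clean machine booted from live media, and the function names, file names and the "twitch@Stealth" marker are assumptions chosen for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): forensic imaging with dd plus hash
# verification, exercised against a constructed scratch "disk" so it runs
# offline. On a real box SOURCE is the suspect block device, mounted read-only
# (or not mounted at all) on a clean analysis host.
set -eu

# Build a constructed 64 KiB "evidence disk" and plant a recognisable string
# at offset 4096, imitating the banner the poster saw in /tmp/st.
make_scratch_disk() {
    disk="$1"
    dd if=/dev/zero of="$disk" bs=1024 count=64 2>/dev/null
    printf 'twitch@Stealth\nst-kill <host> <port>\n' \
        | dd of="$disk" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Bit-for-bit copy. conv=noerror,sync keeps reading past unreadable blocks and
# pads them with zeros, so offsets in the image still line up with the source.
image_disk() {
    src="$1"; dst="$2"
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
}

# SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Image src to img, write both hashes next to the image for the record, and
# return 0 only when source and image hash identically (1 otherwise: the image
# is not a faithful copy and must not be used as evidence).
image_and_verify() {
    src="$1"; img="$2"
    image_disk "$src" "$img"
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Triage on the IMAGE, never the original: count lines containing the banner.
# -a forces grep to treat the binary image as text; || true keeps set -e quiet
# when nothing matches.
find_banner() {
    grep -a -c 'twitch@Stealth' "$1" || true
}

# Stand-alone demonstration using a temporary directory.
demo_dir=$(mktemp -d)
make_scratch_disk "$demo_dir/suspect.img"
if image_and_verify "$demo_dir/suspect.img" "$demo_dir/evidence.dd"; then
    echo "image verified; hashes recorded in $demo_dir/evidence.dd.sha256"
    echo "banner hits in image: $(find_banner "$demo_dir/evidence.dd")"
else
    echo "image does NOT match source; do not use it" >&2
fi
rm -rf "$demo_dir"
```

Keep the `.sha256` file with the image and with your notes to the ISP; anyone who later receives the image can rerun the hash and confirm it is the same bytes you took. Do all string searches, file-system mounts (read-only) and log review on the copy, so the original drive stays exactly as the intruder left it.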