i found one of my boxes was cracked (probably due to the BSD telnetd overflow).
in any case, i found a file in the cracker's directory containing what i think
is a list of other servers which might be hacked.
i think the list also includes the passwords for using the trojan.
on my server, i found a trojan daemon, allowing ssh on an 14000 series port.
i was gonna just post the list of hosts here, but then, maybe not.
what is the appropriate feeling?
Suggest you first notify CERT. If the list is manageable in size, perhaps
you may also want to write to the sysadmins/network owners whose boxen
were compromised. Publishing such list in the open may not be such a hot
idea, for obvious reasons...
--Mitch
NetSide
Private distribution via EMAIL or "Sign Here & Download"
A bit of hassle but perhaps wise to avoid ire of those listed.
..mike..
I'd try to contact the owners of the systems in the list personally.
Posting such a list of machines thought to be cracked would accomplish
little except getting those machines further probed/attacked.
I would suggest trying to see what domains the IPs belong to and just
shoot out some mail to root@/admin@/hostmaster@ or any other likely
admin accounts with a heads up.
Jim-
How about instead posting information to help other admins
identify the trojan daemon so we can check our own machines?
David Leonard
ShaysNet
Also, why not do whois lookups on those hosts and email appropriate
people?
ok, having seen numerous comments (and numerous requests for the file), i
have decided to punt the list to cert.org and let them deal with it.
- as much as i'd like to, i don't have the time/energy to run through
the list and contact each netadmin. i've walked that trail before
while attempting to nip a few DoS attacks.
- i will not send the list to anyone other than cert, unless suggestions
can be made for other "authorative" groups who will maybe pick up
the task of contacting the netadmins in the list
my suspicions and some things to look for:
- boxes were comprimised using the buffer overflow in telnetd (speculation)
- my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
- nscd appears to be a hacked sshd, listening on a 14000 series port
- it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
- there was a file in /dev/ptaz which appeared to be DES crypto gunge
- there were a bunch of irc/eggdrop related files in a ".e" directory of
one of the user's $HOME
suggestions for looking about:
- do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files
with the same timestamp
- do a "du /dev" and look for anomalies
- do a "cd /dev ; ls -l | grep -e-" and look for anomalies
- do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies
The CERT/CC is aware of some level of automated exploitation of
the recently described telnetd vulnerability. If folks have yet
to patch systems for that particular vulnerability, it would be
a good thing to spend time doing. We've seen it used to deploy
DDoS-capable tools, for example.
More info on the vulnerability at:
http://www.kb.cert.org/vuls/id/745371
Kevin