Root Kit Information

plug-discuss@lists.plug.phoenix.az.us
Wed, 23 Oct 2002 16:44:41 -0700


This box has been offline (actually powered off) for several weeks and I'm just now getting around to performing some 
analysis on it.  When I discovered some strange behavior with some of the system utils (ps, ls, etc.) I became suspicious 
and pulled the network connection.  After saving some static html files, I powered the unit off.
From my reading on the web regarding ShowTee, I've confirmed everything you mentioned below.  I believe they got in via 
a vulnerable version of wu-ftpd.  This server was running 2.6.0 (I believe).


Do you think that this root kit would be able to capture passwords from other hosts on the network?  For example: while 
this infected box was on the network, it captured the login password from the infected box.  Could it have captured 
passwords when I logged into another machine on the network?

I have changed passwords for all the boxes on the network just to be safe.
Thanks,
Peter


On 23 Oct 2002 at 15:03, Gary Nichols wrote:

> On Wed, 23 Oct 2002 az_pete@cactusfamily.com wrote:
> > Does anyone know if there is a website that has info about root kits. One of my servers was infected with the ShowTee 
> > root kit.  I did find some info about ShowTee by searching on google, but it wasn't as helpful as I'd have hoped.
> > I'm looking for something similar to Symantec's Virus Encyclopedia, where I can type in the name of a virus and I get 
> > detailed info about how it spreads, what type of files it infects, how to clean it and any variants of the virus.
> > Is there such a site for root kits?
> 
> I take it the server is offline now?  Did you figure out how the attacker 
> got the rootkit on your box?  
> 
> Showtee is a nasty kit.  It lets the attacker plant ssh and telnet 
> backdoors into systems.  
> 
> What's worse?  It includes an ssh binary which captures login 
> credentials that mails the captured booty to the attacker.  
> 
> Showtee is also bi-polar.   Not only does it locate exploitable services 
> and vulnerabilities on your system, it fixes them so other hax0rs can't 
> take over your box while the attacker controls it.
> 
> 
> --
> Gary Nichols RHCE
> http://www.linuxchimp.com
> 
> 
> 
> 
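The symptom Peter describes, system utilities such as ps and ls behaving oddly, is the classic sign of a user-mode rootkit that has replaced those binaries, and the quoted reply adds a trojaned ssh binary that logs credentials. The usual way to confirm this is to hash the suspect binaries and compare them against a baseline taken from a known-good install (or a package database such as rpm -V on the distribution's media). The script below is an added example, not code from the original thread or from the ShowTee kit; the directory layout, the list of watched binaries, the baseline values and the "trojaned" file contents are all constructed inside a temporary directory so the demo runs offline.

```python
"""Compare on-disk binaries against a trusted hash baseline.

Added example (not code from the original thread). The paths, the
baseline values and the "trojaned" file contents are constructed for
the demo; a real baseline comes from known-good media or a package
database, never from the suspect host itself.
"""
import hashlib
import tempfile
from pathlib import Path

# Utilities a user-mode rootkit typically replaces so that its files,
# processes and sockets stay hidden, plus the ssh client and daemon the
# thread mentions as backdoored/credential-capturing. Constructed list.
WATCHED = ["bin/ps", "bin/ls", "bin/netstat", "usr/bin/ssh", "usr/sbin/sshd"]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, names) -> dict:
    """Record trusted hashes; run this against a known-good install."""
    return {name: sha256_file(root / name) for name in names}


def check_binaries(root: Path, baseline: dict) -> dict:
    """Return {name: status} where status is 'ok', 'modified' or 'missing'."""
    result = {}
    for name, expected in baseline.items():
        p = root / name
        if not p.is_file():
            result[name] = "missing"
        elif sha256_file(p) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo() -> dict:
    """Build a fake filesystem, take a baseline, then 'trojan' ps and ssh."""
    root = Path(tempfile.mkdtemp())
    for name in WATCHED:
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(b"ELF clean " + name.encode())
    baseline = build_baseline(root, WATCHED)
    # Simulate a rootkit install: ps and ssh replaced, netstat removed.
    (root / "bin/ps").write_bytes(b"ELF hides attacker processes")
    (root / "usr/bin/ssh").write_bytes(b"ELF logs typed passwords")
    (root / "bin/netstat").unlink()
    return check_binaries(root, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Two caveats a practitioner would apply on a real box: the hashing tool itself (and the kernel it runs on) must be trusted, so run the check from boot media against the mounted disk rather than from the live system, which is the right instinct behind powering the unit off; and a mismatch only tells you a file changed, not what the replacement does, so the trojaned binary should be kept for analysis rather than simply overwritten.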