Root Kit Information

Gary Nichols plug-discuss@lists.plug.phoenix.az.us
23 Oct 2002 22:21:22 -0700


On Wed, 2002-10-23 at 16:44, az_pete@cactusfamily.com wrote:
> This box has been offline (actually powered off) for several weeks and I'm just now getting around to performing some 
> analysis on it.  

Ah, yes - I remember you mentioning this on the list (or someone else
had the same problem).

> When I discovered some strange behavior with some of the system utils (ps, ls, etc) I became suspicious
> and pulled the network connection.  After saving some static html files, I powered the unit off.
> From my reading on the web regarding ShowTee, I've confirmed everything you mentioned below.  I believe they got in via
> a vulnerable version of wu-ftpd.  This server was running 2.6.0 (I believe).

UGH.  Don't you hate it when you're right?  :-)


> Do you think that this root kit would be able to capture passwords from other hosts on the network?  For example: while 
> this infected box was on the network, it captured the login password from the infected box.  Could it have captured 
> passwords when I logged into another machine on the network?

Absolutely - I'd scan all your other machines quickly and make sure your
security updates are recent.  

Are these boxes behind a proxy and/or firewall?  You might want to check
logs to see if any 'strange' traffic originated from that box (and
others).
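The log check suggested above, as an added example that is not part of this thread: a small Python script that triages firewall log lines for connections originating from the suspect host, splitting them into internal and external destinations and flagging destination ports the site does not normally expect. The log format (netfilter-style SRC=/DST=/DPT= fields), the addresses, and the "expected ports" list are all constructed assumptions; substitute your own firewall's format and policy.

```python
"""Triage firewall logs for traffic that originated from a suspected-compromised host.

Added example; the log format, addresses and port policy below are assumptions,
not anything from the original thread.
"""
import re
from collections import Counter

# Constructed sample lines in the style of a netfilter/iptables syslog record.
# 192.168.1.20 plays the compromised box; 192.168.1.30 is an uninvolved host.
SAMPLE_LOG = """\
Oct 20 03:12:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=192.168.1.5 PROTO=TCP SPT=33012 DPT=21
Oct 20 03:12:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=33013 DPT=6667
Oct 20 03:13:44 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=33014 DPT=6667
Oct 20 03:15:10 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.30 DST=192.168.1.5 PROTO=TCP SPT=40200 DPT=22
Oct 20 03:20:00 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.77 PROTO=TCP SPT=33015 DPT=25
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Destination ports this site expects its servers to reach outbound (assumption; tune per site).
EXPECTED_DPORTS = {21, 22, 25, 53, 80, 443}


def parse(log_text):
    """Yield one dict per parseable log line; lines without the expected fields are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["spt"] = int(rec["spt"])
            rec["dpt"] = int(rec["dpt"])
            yield rec


def is_internal(ip, internal_prefix):
    """Crude internal/external split on a string prefix (good enough for a single /24)."""
    return ip.startswith(internal_prefix)


def triage(log_text, suspect_ip, internal_prefix="192.168.1."):
    """Summarise where the suspect host connected to.

    Returns a dict with:
      internal   - Counter of (dst, proto, dport) for destinations inside the LAN
                   (where sniffed or reused credentials would be tried first)
      external   - Counter of (dst, proto, dport) for destinations outside the LAN
      unexpected - list of (dst, proto, dport) whose dport is not in EXPECTED_DPORTS
    """
    internal = Counter()
    external = Counter()
    unexpected = []
    for rec in parse(log_text):
        if rec["src"] != suspect_ip:
            continue
        key = (rec["dst"], rec["proto"], rec["dpt"])
        if is_internal(rec["dst"], internal_prefix):
            internal[key] += 1
        else:
            external[key] += 1
        if rec["dpt"] not in EXPECTED_DPORTS:
            unexpected.append(key)
    return {"internal": internal, "external": external, "unexpected": unexpected}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, "192.168.1.20")
    for bucket in ("internal", "external"):
        for (dst, proto, dpt), n in sorted(result[bucket].items()):
            print(f"{bucket:8} {proto} {dst}:{dpt}  x{n}")
    for dst, proto, dpt in result["unexpected"]:
        print(f"UNEXPECTED port from suspect host: {proto} {dst}:{dpt}")
```

The internal bucket is the one to read first when deciding which other machines to scan and re-key: every host the compromised box talked to is a candidate for reused or sniffed credentials. The unexpected-port list is a blunt filter, but it surfaces the kind of outbound connection an administrator would not have set up deliberately.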