Re: [suse-security] Information on rootkit
On Thu, Nov 01, 2001 at 05:33:10PM +0100, Sven Michels wrote:
> Hi there,
Hi,
> I've an old SuSE box (6.2) which is hacked and rootkitted. The rootkit seems to be a little bit shitty, but has a backdoor etc. I don't know the name of it and found only warnings about the kit while searching the net. If somebody of you has/found more information about this kit, it would be nice to hear from you :) All the information I have is: it creates a directory /usr/bin/duarawkz, has a UDP backdoor and uses scripts to hide itself.
During the last few weeks I noticed threads about this rootkit on several mailing lists. The rootkit consists of some major parts:

* modified applications to hide their running programs: ls, ps
  - the original ls and ps were moved to /usr/bin/duarawkz and were replaced by wrapper apps
  - these read the (p|l)s.hidden files in /usr/bin/duarawkz, which list the data that will be hidden by the modified apps
  - the original ls and ps were copied to /usr/bin/duarawkz

* 2 backdoors, dua.udp and a modified login
  - /bin/login was replaced by a backdoored version which is a wrapper app as well
  - the backdoored login allows logging in without asking for a password; the backdoor looks for the DISPLAY environment variable, in which the password has to be saved before logging in; the password to be saved in DISPLAY is stored in /usr/bin/duarawkz/loginpass
  - the original login was copied to /usr/bin/duarawkz
  - the dua.udp backdoor binds a shell to port 33991/udp; a simple "echo ls | nc -u <host> 33991" will work
    (depending on what OS you use, nc might be called netcat)

* eggdrop irc bot
  - an ircbot runs out of /usr/bin/duarawkz/leaf
  - it's a modified eggdrop bot calling itself "eggdrop v1.4.2+CbS v1.3"
  - a tcl script is loaded on bot startup
  - the channel-, user- and configuration-files as well as the tcl script are encrypted; the logfiles are not encrypted, but don't help any
  - the scriptkiddies seemed to be pretty dumb: they left the toolkit that builds the configuration file and encrypts it on the box, hence I reverse-engineered it; you can find my work at http://www.unixisnot4dummies.org in the projects section
  - with my tool you can decrypt the configuration file, the channel file and the tcl script
  - a lil' ircsniffer helped me find them and log some days of their conversation and channel takeovers on ircnet

* further hacking tools
  - in /usr/bin/duarawkz/sploits are 3 exploits, dua.(amd|bnc|pop2)
  - in /usr/bin/duarawkz/\ / are some pretty interesting things:
    = 2 encrypted and password protected apps, I assume them to be exploits as well
    = an ssh exploit, it's saying to work for:
      + 0: linux/x86 ssh.com 1.2.26-1.2.31 rhl
      + 1: linux/x86 openssh 1.2.3 (maybe others)
      + 2: linux/x86 openssh 2.2.0p1 (maybe others)
      + 3: freebsd 4.x, ssh.com 1.2.26-1.2.31 rhl
      NOTE: Be VERY careful with this app, it's infected by the RemoteShellTrojan (RST)
  - in /usr/bin/duarawkz/.../ is a fake identd that helps the kiddies on irc
  - /usr/bin/duarawkz/dua.strobe is a portscanner
  - /usr/bin/duarawkz/dua.synscan is a clone of the well known synscan
  - /usr/bin/duarawkz/dua.mf is a mirkforce binary, used to gather as many IPs on its current subnet as possible and use them for irc clients
  - /usr/bin/duarawkz/dua.ethclean hides the interface aliases produced by dua.mf
  - /usr/bin/duarawkz/dua.glox is a cancerserver, pretty annoying thingy

I hope this information and my tool help someone out there. Being hacked CAN be so much fun. ;-)

Bye,
Frank

--
| "The price of freedom is eternal vigilance."                  |
|                                        -- Thomas Jefferson    |
| ------------------------------------------------------------- |
| "If we want to avoid zombies, we have to wait for our children"|
|                                        -- W. Richard Stevens, |
|   in "Advanced Programming in the UNIX Environment", p. 281   |
--
My public key is available at http://www.unixisnot4dummies.org/homy.pgp
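Added example (not Frank's tool and not part of the original thread): a cross-view check in Python for the user-land hiding described above. Since this rootkit wraps ls and ps rather than patching the kernel, the names returned by readdir() and the PIDs listed in /proc are not filtered, so they can be diffed against whatever the suspect ls and ps print; the marker paths are the ones named in the post, and the injectable `exists`, entry list and command output parameters are my assumptions so the check can also be run against a mounted copy of the disk from a clean host.

```python
"""Cross-view checks for the ls/ps wrapper rootkit described in the post.
Added example, not the poster's tool.  Because the hiding is done by wrapper
binaries in user land, the raw readdir()/proc view Python gets is unfiltered
and can be diffed against what the suspect ls and ps print."""
import os
import re
import subprocess

# Paths named in the post: the rootkit directory, the hide-lists read by the
# wrapped ls/ps, and the file holding the backdoored login's DISPLAY password.
MARKER_PATHS = (
    "usr/bin/duarawkz",
    "usr/bin/duarawkz/ls.hidden",
    "usr/bin/duarawkz/ps.hidden",
    "usr/bin/duarawkz/loginpass",
)


def present_markers(root="/", exists=os.path.lexists):
    """Marker paths that exist below root.  root may be a mount of the suspect
    disk on a clean host; `exists` is injectable for testing (assumption)."""
    return [p for p in MARKER_PATHS if exists(os.path.join(root, p))]


def hidden_dir_entries(real_entries, ls_output):
    """Names seen via readdir() (e.g. os.listdir) that `ls -a` did not print.
    When ls writes to a pipe it prints one name per line, so split on lines."""
    printed = set(ls_output.splitlines())
    return sorted(n for n in real_entries if n not in printed)


def hidden_pids(proc_pids, ps_output):
    """PIDs present in /proc but missing from the first column of `ps -e`."""
    printed = set()
    for line in ps_output.splitlines():
        m = re.match(r"\s*(\d+)\b", line)
        if m:
            printed.add(int(m.group(1)))
    return sorted(p for p in proc_pids if p not in printed)


def live_pids():
    """Numeric entries of /proc, i.e. the kernel's own process list."""
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


if __name__ == "__main__":
    print("markers found:", present_markers())
    for d in ("/usr/bin", "/bin"):
        ls_out = subprocess.run(["ls", "-a", d], capture_output=True, text=True).stdout
        print(f"hidden in {d}:", hidden_dir_entries(os.listdir(d), ls_out))
    ps_out = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    print("hidden pids:", hidden_pids(live_pids(), ps_out))
```

A discrepancy from either diff, or any marker present, means the binaries on the box cannot be trusted and the system should be rebuilt from known-good media rather than cleaned in place.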