Drew B. [Security Expertise/Freelance Security research].
2005-May-14 08:29 UTC
Need some help
Hello,

I would like to ask for some specialist assistance in dissecting a 'rootkit' (seems to be massmailing specific, crafted somehow from another kit perhaps).

It was found running on 5.x machines belonging (so far) to my knowledge, to 2 companies, one of which was an ISP and another a webhosting service running BSD. I will provide the kit and further details as soon as I am sure the thing will be dealt with by someone official. Being properly examined so all exploits within it can be marked out, whether new and/or old-modified, is important, and I cannot successfully complete dissection with my current equipment.

The attacks are still happening, the familiar 'ebay' login page or paypal; however, the bug itself is Linux-platform specific, extremely stable, and extremely hard to remove.

Anyone interested who has the ability, especially an A/V tech/worker with a certificate from the company or at least an email header, or anyone associated that can link this to FreeBSD security officially. I can confirm that it is stable and running on v5.x FreeBSD now, and have no idea how long it has been around.

Regards,
(&&assist)
--------------------------------------------------------------------
Drew B.
Independent Security analysis, for Aussies.
Security researcher/expert, threat-focus, Freelance.
Drew B. [Security Expertise/Freelance Security research].
2005-May-14 18:21 UTC
Need some help
Thank you, I will send you the mailer 'kit' and the optional information regarding the external dependencies, and a referrer in case you need to know more info. The files are complete and intact (the kit was found before the people had a chance to rm a thing).

Notes for others (security minded) while this kit is examined more:

It was not well installed; a better trained Unix user would have made this thing extremely well hidden (the installation was the main reason the machine was even seen, I suspect this would be running nice and safe on many other mail apps, and even now I have started to see a qmail.* ebay-spoof, so perhaps they have even patched). This was a 'good' coder/s, but they obviously have some trouble with facets of running/maintaining a FreeBSD machine using Qmail. The webdownload info (3 sites it somehow uses), and 5 IRC servers on Undernet.org seem to be the actual source of the controlling.

As mentioned, it's unfound and the closest I could get to examining it was after many many hours and a lot of help and use of rKhunter. The only reason I have not forwarded this to an A/V company is my lack of faith in them, and simply no time, my apologies.

For the A/V who are keen to improve their apps: the FreeBSD Port of F-Prot was running nice and happily alongside it :(. (The app that actually spotted the malfunction after running tests seems to be rKhunter, but that only displays some 'possibles'; as mentioned, it will run happily with F-Prot, hence I assume it has been encrypted well.) Also, strangely, it shows up as an 'infected' file using a heuristics test with AVG (www.grisoft.com) on Windows, using their "free" version.

Regards,
Drew B.

PS: Excellent job with rKhunter, I look forward to any help I can give and get from rKhunter :-), regarding 'spare time' I would help gladly. Expect the complete kit in 20mins max Michael, again thank you.

On 5/15/05, M. Boelen <michael@rootkit.nl> wrote:
> Hi,
>
> I'm the author of Rootkit Hunter, and of course interested. Unfortunately
> I can't promise you to investigate it (within a small amount of time,
> due to my spare time..). If you want, you can also send me the file(s)
> later.
>
> If you decide to give me a copy, please password-protect the files
> (rar/zip archive).
>
> Michael
> Rootkit.nl

--
--------------------------------------------------------------------
Drew B.
Independent Security analysis, for Aussies.
Security researcher/expert, threat-focus, Freelance.
"Drew B. [Security Expertise/Freelance Security research]." <d4rkstorm@gmail.com> writes:
> I would like to ask for some specialist assistance in dissecting a
> 'rootkit' (seems to be massmailing specific,crafted somehow from
> another kit perhaps)

Uninformed people would think it logical to contact the FreeBSD Security Officer (so@freebsd.org) before discussing security issues publicly. Of course, being a security expert, you know better than those uninformed people.

DES
--
Dag-Erling Smørgrav - des@des.no