kamermans
Looking for info on a hacker who didn't cover his tracks

I had an unnamed client that was attacked a while back and it's still bothering me. Before I formatted the HDD and reinstalled Linux I was able to get the following 9 recent commands from .bash_history and list all the files he installed. Does anybody know if this was a packaged exploit / script kiddy special? I personally haven't found much info on this software - and I am quite experienced with Linux Network Security. Thanks in advance for your input!

    1  rm -rf /var/log/*
    2  rm -rf .bash_history
    3  cd /var/rlk/dos
    4  ./vadimI 213.25.210.180 6667 yachoo.com
    5  w
    6  ./vadimI 213.25.210.180 6667 yachoo.com
    7  cd /var/rlk/dos
    8  ls
    9  ./vadimI 213.25.210.180 6667 yachoo.com

total 792
drwxr-xr-x   5 root     root         4096 Oct  6 17:01 .
drwxr-xr-x  23 root     root         4096 Oct  6 16:52 ..
drwxr-xr-x   2 root     root         4096 Oct 31  2000 dos
-rw-r--r--   1 root     root       418894 Sep 19 01:36 psotnic-static.tar.gz
-rw-r--r--   1 root     root       200198 Sep 19 01:36 psotnic.tar.gz
-rw-r--r--   1 root     root        21638 May 29  2004 smeh.tar.gz
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 x2k3
-rw-r--r--   1 root     root        58638 Jul 26 00:34 x2k3.tar.gz
drwx------   2 666      wheel        4096 Oct  6 16:57 xmen
-rw-r--r--   1 root     root        62485 Jul 24 16:27 xmen2.tar.gz

dos:
total 96
drwxr-xr-x   2 root     root         4096 Oct 31  2000 .
drwxr-xr-x   5 root     root         4096 Oct  6 17:01 ..
-rw-r--r--   1 512      512         31909 Oct 31  2000 broadcast.txt
-rw-r--r--   1 root     root         2885 Sep 24  2000 madscan.c
-rwxr-xr-x   1 root     root         8268 Aug 18  2000 slice2
-rw-r--r--   1 root     root        19008 Sep 24  2000 smurf6-linux+LPG.c
-rwxr-xr-x   1 root     root        13687 Aug 18  2000 vadimI
-rwxr-xr-x   1 root     root         2635 Aug 18  2000 vadimI.c

x2k3:
total 40
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 .
drwxr-xr-x   5 root     root         4096 Oct  6 17:01 ..
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 bind
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 ftp
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 gkr
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 identd
-rwxr-xr-x   1 1258     104         11618 Jul  2  2003 r00t
lrwxrwxrwx   1 root     root            4 Oct  6 17:01 rlk -> r00t
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 samba

x2k3/bind:
total 56
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         19883 Jun 28  2003 bind9
-rwxr-xr-x   1 1258     104         14370 Jul  1  2003 mass_bind
-rwxr-xr-x   1 1258     104         10309 Jul  1  2003 trybind

x2k3/ftp:
total 72
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         33253 Jul  1  2003 7350wurm2
-rwxr-xr-x   1 1258     104         14369 Jul  1  2003 mass_ftp
-rwxr-xr-x   1 1258     104         10428 Jul  1  2003 tryftp

x2k3/gkr:
total 52
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         14253 Jul  1  2003 gkr
-rwxr-xr-x   1 1258     104         14371 Jul  1  2003 mass_gkr
-rwxr-xr-x   1 1258     104         10516 Jul  1  2003 trygkr

x2k3/identd:
total 52
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         14051 Jul  2  2003 identd12
-rwxr-xr-x   1 1258     104         14371 Jul  2  2003 mass_ident
-rwxr-xr-x   1 1258     104         10462 Jul  2  2003 tryident

x2k3/samba:
total 68
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         14371 Jul  1  2003 mass_samba
-rwxr-xr-x   1 1258     104         29516 Jun 27  2003 sambal
-rwxr-xr-x   1 1258     104         10326 Jul  1  2003 trysamba

xmen:
total 1436
drwx------   2 666      wheel        4096 Oct  6 16:57 .
drwxr-xr-x   5 root     root         4096 Oct  6 17:01 ..
-rw-------   1 666      wheel       10510 Aug  7  2003 HOWTO
-rw-------   1 666      wheel        1380 Aug  7  2003 LICENSE
-rw-------   1 666      wheel         244 Aug  7  2003 Makefile
-rw-------   1 666      wheel         573 Aug  7  2003 README
-rw-------   1 666      wheel          27 Aug  7  2003 TODO
-rw-------   1 666      wheel       11322 Aug  7  2003 action.c
-rw-------   1 666      wheel         287 Aug 31  2002 action.h
-rw-r--r--   1 root     root         7184 Oct  6 16:57 action.o
-rw-------   1 666      wheel        8059 Aug  7  2003 clones.c
-rw-------   1 666      wheel         817 Sep 10  2002 clones.h
-rw-r--r--   1 root     root        10828 Oct  6 16:57 clones.o
-rw-------   1 666      wheel       67133 Aug  7  2003 command.c
-rw-------   1 666      wheel        1916 Aug  7  2003 command.h
-rw-r--r--   1 root     root       103476 Oct  6 16:57 command.o
-rw-------   1 666      wheel        2678 Aug 31  2002 defs.h
-rw-------   1 666      wheel         709 Oct 29  2002 hide.info
-rw-------   1 666      wheel        1473 Aug 31  2002 hide.realnames
-rw-------   1 666      wheel        2754 Aug 31  2002 hide.reasons
-rw-------   1 666      wheel       20569 Aug  7  2003 irc.c
-rw-------   1 666      wheel        2961 Sep  1  2002 irc.h
-rw-r--r--   1 root     root        14680 Oct  6 16:57 irc.o
-rw-------   1 666      wheel       16625 Aug  7  2003 main.c
-rw-------   1 666      wheel        1667 Sep  1  2002 main.h
-rw-r--r--   1 root     root        17012 Oct  6 16:57 main.o
-rw-------   1 666      wheel       38233 Aug  7  2003 parse.c
-rw-------   1 666      wheel         204 Aug 31  2002 parse.h
-rw-r--r--   1 root     root        47176 Oct  6 16:57 parse.o
-rwxr-xr-x   1 root     root       119128 Oct  6 16:57 xmen
-rw-------   1 666      wheel      831728 Nov  4  2002 xmen.debug
-rw-------   1 666      wheel         396 Oct 29  2002 xmen.info
-rw-------   1 666      wheel        1824 Aug  7  2003 xmen.logo-harhar
-rw-------   1 666      wheel         942 Aug 31  2002 xmen.nicks
-rw-------   1 666      wheel         647 Aug 31  2002 xmen.realnames
-rw-------   1 666      wheel         872 Aug 31  2002 xmen.reasons
-rw-------   1 666      wheel        4206 Aug  7  2003 xor.c
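As an added example (not from the thread), a small Python triage script that applies two observations to the artifacts in the post: the recovered history is scanned for anti-forensic commands like its first two lines, and the ls -lR entries are checked for numeric owners, which ls prints only when the UID or GID has no passwd/group entry on the host, consistent with tarballs unpacked as root preserving the packager's IDs (1258:104 and 666 here). The sample lines are copied from the post; the rules are assumptions of mine.

```python
import re

# Sample input copied from the post above (.bash_history without numbers; part of the ls -lR of /var/rlk).
BASH_HISTORY = """\
rm -rf /var/log/*
rm -rf .bash_history
cd /var/rlk/dos
"""
LS_LISTING = """\
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 x2k3
-rwxr-xr-x   1 1258     104         11618 Jul  2  2003 r00t
lrwxrwxrwx   1 root     root            4 Oct  6 17:01 rlk -> r00t
drwx------   2 666      wheel        4096 Oct  6 16:57 xmen
-rw-r--r--   1 root     root       418894 Sep 19 01:36 psotnic-static.tar.gz
"""

# Anti-forensic shell commands worth flagging in a recovered history (my own rules).
ANTI_FORENSIC = [
    (re.compile(r"^rm\s+-[rf]+\s+/var/log"), "log directory wiped"),
    (re.compile(r"^rm\s+-[rf]+\s+.*\.bash_history"), "shell history deleted"),
]

# One `ls -l` line: perms, link count, owner, group, size, three date/time words, name.
LS_LINE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$")

def flag_history(text):
    """Return (line number, reason) for every history line matching a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for pattern, reason in ANTI_FORENSIC:
            if pattern.search(line.strip()):
                hits.append((n, reason))
    return hits

def flag_listing(text):
    """Return (name, reason) for symlinks and for entries with a numeric owner or group."""
    hits = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        perms, owner, group, name = m.groups()
        if perms[0] == "l" and " -> " in name:
            name, target = name.split(" -> ", 1)
            hits.append((name, f"symlink to {target}"))
        # numeric id = no passwd/group entry on this host, e.g. a tarball unpacked as root with ids preserved
        if owner.isdigit() or group.isdigit():
            hits.append((name, f"owner {owner}:{group} has no passwd/group entry on this host"))
    return hits
```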
m1tk4

vadimI is a network flooder used for DDoS attacks. The rootkit they used is called x2k3. Google it up - ExEx is not a good place to place links to h4x0r sites ;)

kamermans

ASKER

Good point about the links - I'm not really looking for links anyway.  After some questionable searching ( :D ) I was able to download x2k3, xmen2, psotnic and a DoS util similar to the one found in 'dos'.  Any idea what smeh is?  I am interested in this because this client is of importance to the DoD.
ASKER CERTIFIED SOLUTION
m1tk4

Ok - thanks for the info m1tk4, I appreciate it.

-Steve
Bottom line - doesn't look like your client was SPECIFICALLY targeted. Looks like this was just harvesting a vulnerable box to resell to DDoS'ers later.