Looking for info on a hacker who didn't cover his tracks

I had an unnamed client that was attacked a while back and it's still bothering me. Before I formatted the HDD and reinstalled Linux I was able to get the following 9 recent commands from .bash_history and list all the files he installed. Does anybody know if this was a packaged exploit / script kiddie special? I personally haven't found much info on this software - and I am quite experienced with Linux Network Security. Thanks in advance for your input!

    1  rm -rf /var/log/*
    2  rm -rf .bash_history
    3  cd /var/rlk/dos
    4  ./vadimI 213.25.210.180 6667 yachoo.com
    5  w
    6  ./vadimI 213.25.210.180 6667 yachoo.com
    7  cd /var/rlk/dos
    8  ls
    9  ./vadimI 213.25.210.180 6667 yachoo.com

total 792
drwxr-xr-x   5 root     root         4096 Oct  6 17:01 .
drwxr-xr-x  23 root     root         4096 Oct  6 16:52 ..
drwxr-xr-x   2 root     root         4096 Oct 31  2000 dos
-rw-r--r--   1 root     root       418894 Sep 19 01:36 psotnic-static.tar.gz
-rw-r--r--   1 root     root       200198 Sep 19 01:36 psotnic.tar.gz
-rw-r--r--   1 root     root        21638 May 29  2004 smeh.tar.gz
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 x2k3
-rw-r--r--   1 root     root        58638 Jul 26 00:34 x2k3.tar.gz
drwx------   2 666      wheel        4096 Oct  6 16:57 xmen
-rw-r--r--   1 root     root        62485 Jul 24 16:27 xmen2.tar.gz

dos:
total 96
drwxr-xr-x   2 root     root         4096 Oct 31  2000 .
drwxr-xr-x   5 root     root         4096 Oct  6 17:01 ..
-rw-r--r--   1 512      512         31909 Oct 31  2000 broadcast.txt
-rw-r--r--   1 root     root         2885 Sep 24  2000 madscan.c
-rwxr-xr-x   1 root     root         8268 Aug 18  2000 slice2
-rw-r--r--   1 root     root        19008 Sep 24  2000 smurf6-linux+LPG.c
-rwxr-xr-x   1 root     root        13687 Aug 18  2000 vadimI
-rwxr-xr-x   1 root     root         2635 Aug 18  2000 vadimI.c

x2k3:
total 40
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 .
drwxr-xr-x   5 root     root         4096 Oct  6 17:01 ..
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 bind
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 ftp
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 gkr
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 identd
-rwxr-xr-x   1 1258     104         11618 Jul  2  2003 r00t
lrwxrwxrwx   1 root     root            4 Oct  6 17:01 rlk -> r00t
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 samba

x2k3/bind:
total 56
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         19883 Jun 28  2003 bind9
-rwxr-xr-x   1 1258     104         14370 Jul  1  2003 mass_bind
-rwxr-xr-x   1 1258     104         10309 Jul  1  2003 trybind

x2k3/ftp:
total 72
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         33253 Jul  1  2003 7350wurm2
-rwxr-xr-x   1 1258     104         14369 Jul  1  2003 mass_ftp
-rwxr-xr-x   1 1258     104         10428 Jul  1  2003 tryftp

x2k3/gkr:
total 52
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         14253 Jul  1  2003 gkr
-rwxr-xr-x   1 1258     104         14371 Jul  1  2003 mass_gkr
-rwxr-xr-x   1 1258     104         10516 Jul  1  2003 trygkr

x2k3/identd:
total 52
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         14051 Jul  2  2003 identd12
-rwxr-xr-x   1 1258     104         14371 Jul  2  2003 mass_ident
-rwxr-xr-x   1 1258     104         10462 Jul  2  2003 tryident

x2k3/samba:
total 68
drwxr-xr-x   2 1258     104          4096 Jul  3  2003 .
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 ..
-rwxr-xr-x   1 1258     104         14371 Jul  1  2003 mass_samba
-rwxr-xr-x   1 1258     104         29516 Jun 27  2003 sambal
-rwxr-xr-x   1 1258     104         10326 Jul  1  2003 trysamba

xmen:
total 1436
drwx------   2 666      wheel        4096 Oct  6 16:57 .
drwxr-xr-x   5 root     root         4096 Oct  6 17:01 ..
-rw-------   1 666      wheel       10510 Aug  7  2003 HOWTO
-rw-------   1 666      wheel        1380 Aug  7  2003 LICENSE
-rw-------   1 666      wheel         244 Aug  7  2003 Makefile
-rw-------   1 666      wheel         573 Aug  7  2003 README
-rw-------   1 666      wheel          27 Aug  7  2003 TODO
-rw-------   1 666      wheel       11322 Aug  7  2003 action.c
-rw-------   1 666      wheel         287 Aug 31  2002 action.h
-rw-r--r--   1 root     root         7184 Oct  6 16:57 action.o
-rw-------   1 666      wheel        8059 Aug  7  2003 clones.c
-rw-------   1 666      wheel         817 Sep 10  2002 clones.h
-rw-r--r--   1 root     root        10828 Oct  6 16:57 clones.o
-rw-------   1 666      wheel       67133 Aug  7  2003 command.c
-rw-------   1 666      wheel        1916 Aug  7  2003 command.h
-rw-r--r--   1 root     root       103476 Oct  6 16:57 command.o
-rw-------   1 666      wheel        2678 Aug 31  2002 defs.h
-rw-------   1 666      wheel         709 Oct 29  2002 hide.info
-rw-------   1 666      wheel        1473 Aug 31  2002 hide.realnames
-rw-------   1 666      wheel        2754 Aug 31  2002 hide.reasons
-rw-------   1 666      wheel       20569 Aug  7  2003 irc.c
-rw-------   1 666      wheel        2961 Sep  1  2002 irc.h
-rw-r--r--   1 root     root        14680 Oct  6 16:57 irc.o
-rw-------   1 666      wheel       16625 Aug  7  2003 main.c
-rw-------   1 666      wheel        1667 Sep  1  2002 main.h
-rw-r--r--   1 root     root        17012 Oct  6 16:57 main.o
-rw-------   1 666      wheel       38233 Aug  7  2003 parse.c
-rw-------   1 666      wheel         204 Aug 31  2002 parse.h
-rw-r--r--   1 root     root        47176 Oct  6 16:57 parse.o
-rwxr-xr-x   1 root     root       119128 Oct  6 16:57 xmen
-rw-------   1 666      wheel      831728 Nov  4  2002 xmen.debug
-rw-------   1 666      wheel         396 Oct 29  2002 xmen.info
-rw-------   1 666      wheel        1824 Aug  7  2003 xmen.logo-harhar
-rw-------   1 666      wheel         942 Aug 31  2002 xmen.nicks
-rw-------   1 666      wheel         647 Aug 31  2002 xmen.realnames
-rw-------   1 666      wheel         872 Aug 31  2002 xmen.reasons
-rw-------   1 666      wheel        4206 Aug  7  2003 xor.c
Asked by kamermans
1 Solution
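The two artifacts in the question (a .bash_history and a recursive ls -l) can be triaged mechanically before a box is wiped. The following is an added example, not code from the thread: it flags log/history wiping and tools pointed at an IRC port in the history, and files whose owner or group prints as a bare number in the listing (no matching local account, which is what an attacker's tarball unpacked with ownership preserved looks like). The sample input is a constructed subset of the lines posted above.

```python
import re

# Constructed sample input: a few .bash_history lines and ls -l lines
# taken from the thread, embedded so the script runs offline.
HISTORY = """\
rm -rf /var/log/*
rm -rf .bash_history
cd /var/rlk/dos
./vadimI 213.25.210.180 6667 yachoo.com
w
"""

LISTING = """\
-rw-r--r--   1 root     root       418894 Sep 19 01:36 psotnic-static.tar.gz
drwxr-xr-x   7 1258     104          4096 Oct  6 17:01 x2k3
drwx------   2 666      wheel        4096 Oct  6 16:57 xmen
-rwxr-xr-x   1 1258     104         11618 Jul  2  2003 r00t
"""

# Commonly used IRC ports (assumption: a reasonable default set for triage).
IRC_PORTS = {6666, 6667, 6668, 6669, 6697, 7000}
LOG_WIPE = re.compile(r"\brm\s+-\w+\s+(/var/log|\.bash_history)")
IP_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{2,5})\b")


def triage_history(text):
    """Return (line_no, reason) tuples for history lines worth a closer look."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if LOG_WIPE.search(line):
            hits.append((n, "anti-forensics: log/history wipe"))
        m = IP_PORT.search(line)
        if m and int(m.group(2)) in IRC_PORTS:
            hits.append((n, f"tool pointed at IRC port {m.group(2)} on {m.group(1)}"))
    return hits


def foreign_owners(listing):
    """Return (name, owner, group) for entries whose owner or group is numeric.

    ls prints a bare uid/gid when /etc/passwd or /etc/group has no entry for
    it: a strong hint the files were dropped by an unpacked attacker tarball.
    """
    out = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        owner, group, name = fields[2], fields[3], fields[-1]
        if owner.isdigit() or group.isdigit():
            out.append((name, owner, group))
    return out
```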
 
m1tk4 commented:
vadimI is a network flooder used for DDoS attacks. The rootkit they used is called x2k3. Google it up - ExEx is not a good place to place links to h4x0r sites ;)

kamermans (Author) commented:
Good point about the links - I'm not really looking for links anyway. After some questionable searching ( :D ) I was able to download x2k3, xmen2, psotnic and a DoS util similar to the one found in 'dos'. Any idea what smeh is? I am interested in this because this client is of importance to the DoD.

m1tk4 commented:
"Smeh" means "laughter" in most Slavic languages, that's why it's not easy to google up. If you google it up as a tarball name you'll just see one cached page from Poland (pl) - it's another remote exploit if I remember it right. 213.25.210.128 is in Warszawa, Poland as well, by the way.

Basically whoever broke in was using the box as a platform to own other boxes, and later on just run vadimI to connect the box to an IRC server running in Poland - that's the way DDoS "zombies" are typically managed.

kamermans (Author) commented:
Ok - thanks for the info m1tk4, I appreciate it.

-Steve

m1tk4 commented:
Bottom line - doesn't look like your client was SPECIFICALLY targeted. Looks like this was just harvesting a vulnerable box to resell to DDoS'ers later.