kamermans
asked on
Looking for info on a hacker who didn't cover his tracks
I had an unnamed client that was attacked a while back and it's still bothering me. Before I formatted the HDD and reinstalled Linux I was able to get the following 9 recent commands from .bash_history and list all the files he installed. Does anybody know if this was a packaged exploit / script kiddy special? I personally haven't found much info on this software - and I am quite experienced with Linux Network Security. Thanks in advance for your input!
1 rm -rf /var/log/*
2 rm -rf .bash_history
3 cd /var/rlk/dos
4 ./vadimI 213.25.210.180 6667 yachoo.com
5 w
6 ./vadimI 213.25.210.180 6667 yachoo.com
7 cd /var/rlk/dos
8 ls
9 ./vadimI 213.25.210.180 6667 yachoo.com
total 792
drwxr-xr-x 5 root root 4096 Oct 6 17:01 .
drwxr-xr-x 23 root root 4096 Oct 6 16:52 ..
drwxr-xr-x 2 root root 4096 Oct 31 2000 dos
-rw-r--r-- 1 root root 418894 Sep 19 01:36 psotnic-static.tar.gz
-rw-r--r-- 1 root root 200198 Sep 19 01:36 psotnic.tar.gz
-rw-r--r-- 1 root root 21638 May 29 2004 smeh.tar.gz
drwxr-xr-x 7 1258 104 4096 Oct 6 17:01 x2k3
-rw-r--r-- 1 root root 58638 Jul 26 00:34 x2k3.tar.gz
drwx------ 2 666 wheel 4096 Oct 6 16:57 xmen
-rw-r--r-- 1 root root 62485 Jul 24 16:27 xmen2.tar.gz
dos:
total 96
drwxr-xr-x 2 root root 4096 Oct 31 2000 .
drwxr-xr-x 5 root root 4096 Oct 6 17:01 ..
-rw-r--r-- 1 512 512 31909 Oct 31 2000 broadcast.txt
-rw-r--r-- 1 root root 2885 Sep 24 2000 madscan.c
-rwxr-xr-x 1 root root 8268 Aug 18 2000 slice2
-rw-r--r-- 1 root root 19008 Sep 24 2000 smurf6-linux+LPG.c
-rwxr-xr-x 1 root root 13687 Aug 18 2000 vadimI
-rwxr-xr-x 1 root root 2635 Aug 18 2000 vadimI.c
x2k3:
total 40
drwxr-xr-x 7 1258 104 4096 Oct 6 17:01 .
drwxr-xr-x 5 root root 4096 Oct 6 17:01 ..
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 bind
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 ftp
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 gkr
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 identd
-rwxr-xr-x 1 1258 104 11618 Jul 2 2003 r00t
lrwxrwxrwx 1 root root 4 Oct 6 17:01 rlk -> r00t
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 samba
x2k3/bind:
total 56
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 .
drwxr-xr-x 7 1258 104 4096 Oct 6 17:01 ..
-rwxr-xr-x 1 1258 104 19883 Jun 28 2003 bind9
-rwxr-xr-x 1 1258 104 14370 Jul 1 2003 mass_bind
-rwxr-xr-x 1 1258 104 10309 Jul 1 2003 trybind
x2k3/ftp:
total 72
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 .
drwxr-xr-x 7 1258 104 4096 Oct 6 17:01 ..
-rwxr-xr-x 1 1258 104 33253 Jul 1 2003 7350wurm2
-rwxr-xr-x 1 1258 104 14369 Jul 1 2003 mass_ftp
-rwxr-xr-x 1 1258 104 10428 Jul 1 2003 tryftp
x2k3/gkr:
total 52
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 .
drwxr-xr-x 7 1258 104 4096 Oct 6 17:01 ..
-rwxr-xr-x 1 1258 104 14253 Jul 1 2003 gkr
-rwxr-xr-x 1 1258 104 14371 Jul 1 2003 mass_gkr
-rwxr-xr-x 1 1258 104 10516 Jul 1 2003 trygkr
x2k3/identd:
total 52
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 .
drwxr-xr-x 7 1258 104 4096 Oct 6 17:01 ..
-rwxr-xr-x 1 1258 104 14051 Jul 2 2003 identd12
-rwxr-xr-x 1 1258 104 14371 Jul 2 2003 mass_ident
-rwxr-xr-x 1 1258 104 10462 Jul 2 2003 tryident
x2k3/samba:
total 68
drwxr-xr-x 2 1258 104 4096 Jul 3 2003 .
drwxr-xr-x 7 1258 104 4096 Oct 6 17:01 ..
-rwxr-xr-x 1 1258 104 14371 Jul 1 2003 mass_samba
-rwxr-xr-x 1 1258 104 29516 Jun 27 2003 sambal
-rwxr-xr-x 1 1258 104 10326 Jul 1 2003 trysamba
xmen:
total 1436
drwx------ 2 666 wheel 4096 Oct 6 16:57 .
drwxr-xr-x 5 root root 4096 Oct 6 17:01 ..
-rw------- 1 666 wheel 10510 Aug 7 2003 HOWTO
-rw------- 1 666 wheel 1380 Aug 7 2003 LICENSE
-rw------- 1 666 wheel 244 Aug 7 2003 Makefile
-rw------- 1 666 wheel 573 Aug 7 2003 README
-rw------- 1 666 wheel 27 Aug 7 2003 TODO
-rw------- 1 666 wheel 11322 Aug 7 2003 action.c
-rw------- 1 666 wheel 287 Aug 31 2002 action.h
-rw-r--r-- 1 root root 7184 Oct 6 16:57 action.o
-rw------- 1 666 wheel 8059 Aug 7 2003 clones.c
-rw------- 1 666 wheel 817 Sep 10 2002 clones.h
-rw-r--r-- 1 root root 10828 Oct 6 16:57 clones.o
-rw------- 1 666 wheel 67133 Aug 7 2003 command.c
-rw------- 1 666 wheel 1916 Aug 7 2003 command.h
-rw-r--r-- 1 root root 103476 Oct 6 16:57 command.o
-rw------- 1 666 wheel 2678 Aug 31 2002 defs.h
-rw------- 1 666 wheel 709 Oct 29 2002 hide.info
-rw------- 1 666 wheel 1473 Aug 31 2002 hide.realnames
-rw------- 1 666 wheel 2754 Aug 31 2002 hide.reasons
-rw------- 1 666 wheel 20569 Aug 7 2003 irc.c
-rw------- 1 666 wheel 2961 Sep 1 2002 irc.h
-rw-r--r-- 1 root root 14680 Oct 6 16:57 irc.o
-rw------- 1 666 wheel 16625 Aug 7 2003 main.c
-rw------- 1 666 wheel 1667 Sep 1 2002 main.h
-rw-r--r-- 1 root root 17012 Oct 6 16:57 main.o
-rw------- 1 666 wheel 38233 Aug 7 2003 parse.c
-rw------- 1 666 wheel 204 Aug 31 2002 parse.h
-rw-r--r-- 1 root root 47176 Oct 6 16:57 parse.o
-rwxr-xr-x 1 root root 119128 Oct 6 16:57 xmen
-rw------- 1 666 wheel 831728 Nov 4 2002 xmen.debug
-rw------- 1 666 wheel 396 Oct 29 2002 xmen.info
-rw------- 1 666 wheel 1824 Aug 7 2003 xmen.logo-harhar
-rw------- 1 666 wheel 942 Aug 31 2002 xmen.nicks
-rw------- 1 666 wheel 647 Aug 31 2002 xmen.realnames
-rw------- 1 666 wheel 872 Aug 31 2002 xmen.reasons
-rw------- 1 666 wheel 4206 Aug 7 2003 xor.c
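As an added triage example (not the asker's or any respondent's code), the script below parses a constructed subset of the history and `ls -laR` output posted above and pulls out the two strongest signals: the log and history wiping, and the files owned by bare numeric UIDs/GIDs (1258/104, 666), which is what `ls` shows when a tarball is unpacked as root with the attacker's ownership preserved and no matching local account exists; it also lists the objects and symlink written on the box on Oct 6.

```python
"""Triage of the .bash_history and `ls -laR` output posted above (added example, not the
asker's or any respondent's code; sample lines are a constructed subset of the post)."""
import re

HISTORY = """rm -rf /var/log/*
rm -rf .bash_history
cd /var/rlk/dos
./vadimI 213.25.210.180 6667 yachoo.com
w
ls""".splitlines()

LISTING = """drwxr-xr-x 7 1258 104 4096 Oct 6 17:01 x2k3
-rwxr-xr-x 1 1258 104 14370 Jul 1 2003 mass_bind
-rwxr-xr-x 1 1258 104 14369 Jul 1 2003 mass_ftp
-rwxr-xr-x 1 1258 104 11618 Jul 2 2003 r00t
lrwxrwxrwx 1 root root 4 Oct 6 17:01 rlk -> r00t
drwx------ 2 666 wheel 4096 Oct 6 16:57 xmen
-rw------- 1 666 wheel 11322 Aug 7 2003 action.c
-rw-r--r-- 1 root root 7184 Oct 6 16:57 action.o
-rwxr-xr-x 1 root root 119128 Oct 6 16:57 xmen
-rwxr-xr-x 1 root root 13687 Aug 18 2000 vadimI""".splitlines()

# Anti-forensics: deleting the system logs or the shell history.
ANTI_FORENSIC = re.compile(r"rm\s+-rf?\s+(/var/log|\S*\.bash_history)")
# One `ls -l` row: mode, links, owner, group, size, date, name.
LS_LINE = re.compile(r"^([-dl][rwxst-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                     r"(\w{3}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4}))\s+(.*)$")

def triage_history(lines):
    """History entries that wipe evidence or run a tool from a relative path."""
    return [line for line in lines if ANTI_FORENSIC.search(line) or line.startswith("./")]

def triage_listing(lines, intrusion_day="Oct 6"):
    """Flag owners/groups that are bare numbers (no local passwd entry: an archive
    unpacked as root with the attacker's ownership preserved) and non-directories
    written on the intrusion day (objects compiled on the victim, symlinks planted)."""
    flagged = {"foreign_owner": [], "built_on_host": []}
    for line in lines:
        m = LS_LINE.match(line)
        if not m:
            continue  # "total N" and "dir:" header rows
        mode, user, group, _size, when, name = m.groups()
        name = name.split(" -> ")[0]  # drop a symlink's target
        if user.isdigit() or group.isdigit():
            flagged["foreign_owner"].append(name)
        if when.startswith(intrusion_day) and not mode.startswith("d"):
            flagged["built_on_host"].append(name)
    return flagged
```

Run against the full listing, the same check also flags every file under x2k3 (uid 1258) and the xmen sources (uid 666) while leaving the root-owned tarballs and the dos/ tools alone.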
vadimI is a network flooder used for DDoS attacks. The rootkit they used is called x2k3. Google it up - ExEx is not a good place to place links to h4x0r sites;)
ASKER
Good point about the links - I'm not really looking for links anyway. After some questionable searching ( :D ) I was able to download x2k3, xmen2, psotnic and a DoS util similar to the one found in 'dos'. Any idea what smeh is? I am interested in this because this client is of importance to the DoD.
ASKER CERTIFIED SOLUTION
ASKER
Ok - thanks for the info m1tk4, I appreciate it.
-Steve
Bottom line - doesn't look like your client was SPECIFICALLY targeted. Looks like this was just harvesting a vulnerable box to resell to DDoS'ers later.