"Kit", "Kat", and hacked Linux

Post by Eric » Mon, 02 Apr 2001 08:23:37



We went to make a DNS change on our Mandrake Linux box, and found two
new userids: "Kit" and "Kat"

Any clue where they came from, or what to do about it?  
Thanks in advance for any suggestions.

- Eric


"Kit", "Kat", and hacked Linux

Post by Luke Voge » Mon, 02 Apr 2001 09:38:54



> We went to make a DNS change on our Mandrake Linux box, and found two
> new userids: "Kit" and "Kat"

> Any clue where they came from, or what to do about it?
> Thanks in advance for any suggestions.

> - Eric

You may have been compromised if you are unaware of where these came
from.

Go to http://www.chkrootkit.org and download their forensics program.

If you get suspicious reports, come back and we'll give some more
advice.

--
Regards
Luke
------
On the requirements it said: Windows 98 or better - so I installed Linux
------
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.

------


"Kit", "Kat", and hacked Linux

Post by Davi » Mon, 02 Apr 2001 10:26:29



> We went to make a DNS change on our Mandrake Linux box, and found two
> new userids: "Kit" and "Kat"

> Any clue where they came from, or what to do about it?
> Thanks in advance for any suggestions.

> - Eric

Did you upgrade to Bind since some bugs were found and fixed a couple of
months ago?

--
Confucius say: He who play in root, eventually kill tree.
Registered with the Linux Counter.  http://counter.li.org
ID # 123538
Completed more W/U's than 99.140% of seti users. +/- 0.01%


"Kit", "Kat", and hacked Linux

Post by . » Tue, 03 Apr 2001 07:36:26



> We went to make a DNS change on our Mandrake Linux box, and found two
> new userids: "Kit" and "Kat"

> Any clue where they came from.

No services I know of would insert such users in
/etc/passwd. You have almost certainly been root
compromised.

An exploit for DNS servers using "bind"  is the most
likely entry point if you haven't patched it in the last month
or two.

> or what to do about it?

Disconnect from the network ASAP. Chances are a "rootkit"
was installed, replacing many critical binaries such as
ps,who,netstat,login,inetd, ls ..... to help hide activity.

If you had installed and maintained "tripwire" for your
host, you can check the file fingerprints for tampering.

Else reinstall them from RPMS.

There is a handy package that checks for rootkits,
available from www.chkrootkit.org

Either way, disconnect your host. Compromised hosts are almost
always used for breaking into other hosts. Plus it's possible there now is a
sniffer on your LAN, harvesting all clear-text TCP login and
password info (telnet/ftp/rsh/rlogin).

Please keep up on security patches. If BIND was used to get in,
it was *easily preventable*, a patch has been available for over
two months.
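The triage this reply describes, as an added example that is not part of the thread: compare the current /etc/passwd against a known-good snapshot, flag any extra UID 0 account, and compare binary fingerprints against a baseline manifest the way tripwire would. The passwd contents and fingerprints are constructed sample data; the account UIDs are assumed, not taken from the thread.

```python
"""Post-compromise triage helpers: unexpected accounts, extra UID-0
accounts, and binary fingerprint mismatches. All data is constructed."""
import hashlib

# Constructed: a known-good /etc/passwd snapshot, and the current file
# carrying the two accounts nobody on the box created.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
named:x:25:25:Named:/var/named:/bin/false
eric:x:500:500:Eric:/home/eric:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + """Kit:x:501:501::/home/Kit:/bin/bash
Kat:x:0:0::/:/bin/bash
"""

def parse_passwd(text):
    """Return {username: uid} for every well-formed /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users

def unexpected_accounts(baseline_text, current_text):
    """Accounts present now but absent from the known-good snapshot."""
    return sorted(set(parse_passwd(current_text)) - set(parse_passwd(baseline_text)))

def extra_uid0_accounts(current_text):
    """Any non-root account with UID 0 is a backdoor until proven otherwise."""
    return sorted(u for u, uid in parse_passwd(current_text).items()
                  if uid == 0 and u != "root")

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tampered_binaries(baseline, current):
    """Paths whose current fingerprint differs from, or is missing in, the
    baseline. Both arguments map path -> sha256 hexdigest (a tripwire-style manifest)."""
    return sorted(p for p, h in baseline.items() if current.get(p) != h)

# Constructed manifests: /bin/ps was replaced, the other binaries are untouched.
BASELINE_SUMS = {"/bin/ps": fingerprint(b"clean ps"), "/bin/ls": fingerprint(b"clean ls"),
                 "/bin/netstat": fingerprint(b"clean netstat")}
CURRENT_SUMS = dict(BASELINE_SUMS, **{"/bin/ps": fingerprint(b"trojaned ps")})

if __name__ == "__main__":
    print("new accounts:", unexpected_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
    print("extra uid 0:", extra_uid0_accounts(CURRENT_PASSWD))
    print("tampered:", tampered_binaries(BASELINE_SUMS, CURRENT_SUMS))
```

Since a rootkit replaces exactly the tools you would use to look for it, run checks like these from known-good media (a rescue disk or a freshly unpacked RPM) rather than with the binaries on the suspect host.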


"Kit", "Kat", and hacked Linux

Post by Eric » Tue, 03 Apr 2001 11:14:10





>> We went to make a DNS change on our Mandrake Linux box, and found two
>> new userids: "Kit" and "Kat"

>> Any clue where they came from.

>No services I know of would insert such users in
>/etc/passwd. You have almost certainly been root
>compromised.

>An exploit for DNS servers using "bind"  is the most
>likely entry point if you haven't patched it in the last month
>or two.

>>or what to do about it?

>Disconnect from the network ASAP. Chances are a "rootkit"
>was installed, replacing many critical binaries such as
>ps,who,netstat,login,inetd, ls ..... to help hide activity.

>If you had installed and maintained "tripwire" for your
>host, you can check the file fingerprints for tampering.

>Else reinstall them from RPMS.

>There is a handy package that checks for rootkits,
>available from www.chkrootkit.org

>Either way, disconnect your host. Compromised hosts are almost
>always used for breaking into other hosts. Plus it's possible there now is a
>sniffer on your LAN, harvesting all clear-text TCP login and
>password info (telnet/ftp/rsh/rlogin).

>Please keep up on security patches. If BIND was used to get in,
>it was *easily preventable*, a patch has been available for over
>two months.

Thanks for the advice and pointers.  I believe we did apply the patch
for the recently announced Bind exploit, so I'm thinking that either
it was misapplied, or another exploit was used.  It will take a little
more time for us to determine what exposure led to the trouble.

- Eric


"Kit", "Kat", and hacked Linux

Post by Michael Erskin » Wed, 04 Apr 2001 11:31:45


Kit & Kat, of Matrix fame?  Remember?
You're fscked, you're really fscked, well.... anyway.

Not good.
-m-


> We went to make a DNS change on our Mandrake Linux box, and found two
> new userids: "Kit" and "Kat"

> Any clue where they came from, or what to do about it?
> Thanks in advance for any suggestions.

> - Eric