linux trojan

Written by jlgaddis on January 11, 2006 – 1:45 am

Recently, one of the customers of my consulting company told me that they had been the victim of a DoS attack. After talking to him a bit more, I was told that BellSouth said that there was a host on their network that was sending out massive amounts of data.

After logging into the host, an old Red Hat Linux 9 box, and doing a short bit of preliminary diagnostics, I discovered that there was an application running from user nobody’s crontab.

At 24 minutes after every hour, the cron entry would run. The command was one that caused an executable file to be written to the /tmp folder, then executed. The executable was a “zombie”, pretty much. I grabbed the executable and transferred it to my local network and did a quick glance over it. Since the host was going to be reinstalled anyway, my customer wasn’t interested in having any real work performed on it.

evilrabbi and Assen Totin replied to a posting of mine about the “bot” to the full-disclosure list with some more information on the trojan.

The “bot” connects to a password-protected IRC server on port 3434 of IP address 64.239.9.236 with a password of “f9dsa”. It uses a username of “mbopaidgb” and an IRC “nickname” of “cmktvjopr”. The bot will wait for commands from its “master” and, apparently, has the ability to perform a DoS attack on command.
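The two observable traces described above (a crontab for a service account that drops a binary into /tmp and runs it, and an outbound connection to a fixed IRC host) are the sort of thing a responder can check for with a few lines of code. The following is an added example, not part of the original post or of the trojan itself. The cron line and the connection records it scans are constructed for illustration (the post does not reproduce the real cron command); only the path /tmp/ummtodkhk, the minute 24, the user nobody, and the address 64.239.9.236:3434 come from the post. The list of service accounts that should never own a crontab is an assumption.

```python
"""Defender-side triage helpers for the pattern described in the post:
a crontab owned by a service account that writes an executable into a
temp directory and runs it, plus an outbound connection to a known C2.

Added example, not the post's own code. Sample inputs are constructed."""
import re
from dataclasses import dataclass, field

# Accounts that should not own a crontab on a typical web server (assumption).
SERVICE_ACCOUNTS = {"nobody", "www-data", "apache", "daemon"}

# Indicator taken from the post: IRC C2 at 64.239.9.236, port 3434.
C2_INDICATORS = {("64.239.9.236", 3434)}

TMP_WRITE = re.compile(r">\s*/(?:tmp|var/tmp|dev/shm)/\S+")
TMP_EXEC = re.compile(r"(?:^|[;&|]\s*)/(?:tmp|var/tmp|dev/shm)/\S+")
CHMOD_X = re.compile(r"\bchmod\s+(?:\+x|[0-7]*[1357])\b")
DECODE = re.compile(r"\b(?:base64\s+(?:-d|--decode)|uudecode|openssl\s+enc\s+-d)\b")

# Constructed crontab: the real command was not reproduced in the post, so the
# payload is a placeholder. Only the schedule and the drop path are from the post.
SAMPLE_CRONTAB = """\
# constructed sample crontab for user nobody
MAILTO=""
24 * * * * echo PAYLOAD_BASE64 | base64 -d > /tmp/ummtodkhk; chmod +x /tmp/ummtodkhk; /tmp/ummtodkhk
0 3 * * * /usr/bin/find /var/tmp -mtime +7 -delete
"""

# Constructed `netstat -tnp`-style records; only the C2 endpoint is from the post.
SAMPLE_CONNECTIONS = [
    "tcp 0 0 192.0.2.10:22 198.51.100.7:51022 ESTABLISHED 1177/sshd",
    "tcp 0 0 192.0.2.10:41523 64.239.9.236:3434 ESTABLISHED 4121/ummtodkhk",
    "tcp 0 0 192.0.2.10:80 203.0.113.5:60122 TIME_WAIT -",
]


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def suspicious_cron_entries(crontab_text, user):
    """Return a Finding for every crontab line that matches the drop-and-run pattern."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) < 6:
            continue
        command = parts[5]
        reasons = []
        if user in SERVICE_ACCOUNTS:
            reasons.append(f"crontab owned by service account {user!r}")
        if TMP_WRITE.search(command):
            reasons.append("writes a file into a world-writable temp directory")
        if CHMOD_X.search(command):
            reasons.append("marks a file executable")
        if TMP_EXEC.search(command):
            reasons.append("executes a binary from a temp directory")
        if DECODE.search(command):
            reasons.append("decodes an embedded payload")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def c2_connections(conn_lines, indicators=C2_INDICATORS):
    """Return the connection records whose remote endpoint matches an indicator."""
    hits = []
    for rec in conn_lines:
        fields = rec.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        host, _, port = fields[4].rpartition(":")  # remote address is field 5
        if port.isdigit() and (host, int(port)) in indicators:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for f in suspicious_cron_entries(SAMPLE_CRONTAB, "nobody"):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
    for rec in c2_connections(SAMPLE_CONNECTIONS):
        print("C2 match:", rec)
```

On a live host the crontab text would come from `crontab -l -u nobody` (the same command the post used to capture it) and the connection records from `netstat -tnp`; the matching here is deliberately coarse, since the point is to surface the crontab for a human to read rather than to classify it automatically.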

Here’s my original post:

After having a customer report that he had large amounts of outbound traffic from one of his Linux servers, I began to investigate and found a trojan.

The trojan had created a crontab for the “nobody” user (Apache was running as nobody and, while I did not take the time to verify, I believe that Apache was probably the way the intruder got in) which, at 24 minutes after the hour, would write itself out to /tmp/ummtodkhk and then execute itself.

The /tmp/ummtodkhk file was packed with UPX. It has been unpacked and made available at http://www.jeremygaddis.com/files/ummtodkhk. It was submitted to VirusTotal, but nothing identified it as anything known.

The results of crontab -l -u nobody >> nobody.cron are available at http://www.jeremygaddis.com/files/nobody.cron.

The files have been moved from the original location, but are now available at:
