[ Thanks to Noel
for this link. ]
“I reviewed my sniffer logs and found that the cracker has
logged into an account that I had not seen him use before. Once
connected he used a backdoor in pine to escape from the menuing
software and run a korn shell. He then changed his directory to a
third user’s home directory that had never had a connection to the
cracker and then into a directory named … (three dots). Inside
that directory he did a ls -l showing a file owned by root that was
around 800 MB which he compressed down to about 300 MB using gzip.
He then transferred the file transfer tool that we had seen him use
a few times to his shell…”
“So the mystery was, what is the file that he transferred with
his transfer tool? I could see from our sniffer log that the file
had been recreated and continued to grow after he had gzipped it. He
was running some software as root that was writing to this file
from one of our machines! … I had begun to suspect that what I
had found was a sniffer that the cracker was running to capture
logins and passwords on our system and on other systems that our
users connected to. Running a utility to check the network card
showed that it was in promiscuous mode. The ifconfig utility
reported that it was not and this told me that he had replaced the
system ifconfig command with a rootkit version that lied to us
about the promiscuous status of our network interface. So he was
running a sniffer on our system.”
“We had thousands of logins each day from a large selection
of places all over the world. Many of these users then connected to
other systems using telnet or FTP. Each time one of our users
connected to a system somewhere else the cracker had a new door
that he could open. A new system that he could crack or just use to
store things. To run his port redirector all he needed was a
regular user account on a machine and then he had a new system to
cover his tracks with.”
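The detection step in the account above, a trojaned ifconfig denying promiscuous mode while an independent check of the card said otherwise, can be reproduced as a cross-check. The following is an added example, not code from the quoted author: it assumes a Linux host where the kernel exposes the interface flags in /sys/class/net/<iface>/flags (hex, IFF_PROMISC = 0x100) and compares that against what an ifconfig-style dump claims. The sample flag values and ifconfig output below are constructed.

```python
"""Cross-check an interface's promiscuous flag from the kernel against a userland tool.

Assumption: Linux, where /sys/class/net/<iface>/flags holds the raw interface
flags as hex and a replaced ifconfig binary could lie about PROMISC.
"""
import re
import subprocess
from pathlib import Path

IFF_PROMISC = 0x100  # bit from <linux/if.h>; set when the card is in promiscuous mode

# Constructed sample: kernel says UP|BROADCAST|RUNNING|MULTICAST|PROMISC ...
SAMPLE_FLAGS_PROMISC = "0x1143\n"
# ... but the (constructed) ifconfig output omits PROMISC, as a rootkit version would
SAMPLE_IFCONFIG_CLEAN = (
    "eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500\n"
    "        inet 192.0.2.10  netmask 255.255.255.0\n"
)


def kernel_promisc(flags_text: str) -> bool:
    """Read the IFF_PROMISC bit from the raw hex flags the kernel reports."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def tool_claims_promisc(ifconfig_output: str) -> bool:
    """True if an ifconfig-style dump lists PROMISC among the interface flags."""
    return re.search(r"\bPROMISC\b", ifconfig_output) is not None


def check(flags_text: str, ifconfig_output: str) -> str:
    """Compare the two sources; a mismatch is the tell-tale of a trojaned tool."""
    kernel = kernel_promisc(flags_text)
    tool = tool_claims_promisc(ifconfig_output)
    if kernel and not tool:
        return "MISMATCH: kernel reports PROMISC but the tool denies it"
    if tool and not kernel:
        return "MISMATCH: tool claims PROMISC but the kernel does not"
    return "promiscuous" if kernel else "not promiscuous"


def check_live(iface: str = "eth0") -> str:
    """Run the same comparison on a real interface of this host."""
    flags = Path(f"/sys/class/net/{iface}/flags").read_text()
    out = subprocess.run(["ifconfig", iface], capture_output=True, text=True).stdout
    return check(flags, out)


if __name__ == "__main__":
    print(check(SAMPLE_FLAGS_PROMISC, SAMPLE_IFCONFIG_CLEAN))
```

The comparison only catches a replaced userland binary; a kernel-level rootkit could falsify the /sys value too, so a reading taken from the wire (another host observing the sniffer's traffic, as the sniffer log in the account did) remains the stronger check.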