[Intrusions] brightstor/arcserve backup client hacked

Andrew Daviel andrew at andrew.triumf.ca
Tue Mar 1 19:05:26 GMT 2005


As 3 people have asked me for capture files,
I have placed a tcpdump capture file with 2 targets
on http://andrew.triumf.ca/arckit/
together with some rootkit files

The capture is only 300 bytes/packet as I recall

We had I think 23 targets so there's more data available if required.

If the rootkit server's still up it's possible to login using the
info from the capture. I did email the webmaster (virtual university in
the Czech Republic).

Later investigation found an ftp server running on port 187 (one of the
cloaked ports) and the attacker later logged in on this and ran some
bandwidth tests. I presume that the intent was to store pirated media.

Our PC guys are running around with a program called "RootKitRevealer"
patching the infected systems from a rescue disk. Meanwhile we blocked
port 187 and also the original ARCserve port 41523 pending an update of
the backup client.

Just trying to think if 41523 might be used as a legitimate inbound port
for http requests, ftp, NFS etc. Maybe. Linux kernel seems to use
local ports between 1024 & 4999 but a comment says
"For high-usage systems, use sysctl to change this to 32768-61000".
Which I presume is legal, so maybe we don't want to statically block
41523 at the router indefinitely ... My TCP's rusty - if
a packet fails on one port, will it be retried on another port or the same
one?



-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security at triumf.ca
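Added example (not from the post or from the capture it links to): a small Python classifier over tcpdump text lines that separates the two things a stateless router rule "drop inbound traffic to dst port 187 or 41523" does. An inbound bare SYN to one of those ports is the traffic the block is meant to stop; an inbound non-SYN packet to one of those ports (for instance the SYN-ACK coming back to a local host that opened a connection with 41523 as its ephemeral source port) is a legitimate session the block breaks, which is exactly the collision the message above worries about. A second helper checks which blocked ports fall inside a given ip_local_port_range. The 192.0.2.0/24 "local" prefix and the sample lines are constructed assumptions.

```python
import re

# Ports the post says were blocked at the router: the rogue FTP server's port
# and the ARCserve client port.
BLOCKED_PORTS = {187, 41523}

# Constructed assumption: treat 192.0.2.0/24 (RFC 5737 documentation space)
# as "our" network. Replace with the real site prefix.
LOCAL_PREFIX = "192.0.2."

# Matches tcpdump -n text output such as
# "19:05:26.123456 IP 198.51.100.7.3456 > 192.0.2.10.41523: Flags [S], seq 1, ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse(line):
    """Return (src, sport, dst, dport, flags) or None for lines that don't match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags


def classify(line):
    """What an inbound 'drop dst port in BLOCKED_PORTS' rule does to this packet.

    'intended'   - inbound bare SYN to a blocked service port: the traffic the
                   block is for
    'collateral' - inbound packet to a blocked port that is not a new connection,
                   i.e. a reply to a connection a local host opened using that
                   port as its ephemeral source port; the block breaks it
    'pass'       - the rule does not match (outbound, or other ports)
    None         - unparsable line
    """
    p = parse(line)
    if p is None:
        return None
    src, sport, dst, dport, flags = p
    inbound = dst.startswith(LOCAL_PREFIX) and not src.startswith(LOCAL_PREFIX)
    if not inbound or dport not in BLOCKED_PORTS:
        return "pass"
    # tcpdump prints a bare SYN as [S]; a SYN-ACK is [S.], later packets [.], [P.], ...
    return "intended" if flags == "S" else "collateral"


def blocked_in_ephemeral_range(low, high, blocked=BLOCKED_PORTS):
    """Blocked ports the kernel could hand out as a local source port, given the
    two numbers from /proc/sys/net/ipv4/ip_local_port_range."""
    return sorted(p for p in blocked if low <= p <= high)


# Constructed sample lines (not taken from the capture the post links to).
SAMPLE = [
    "19:05:26.000001 IP 198.51.100.7.3456 > 192.0.2.10.41523: Flags [S], seq 1, win 65535, length 0",
    "19:05:26.000002 IP 198.51.100.7.3457 > 192.0.2.10.187: Flags [S], seq 2, win 65535, length 0",
    "19:05:26.000003 IP 192.0.2.11.41523 > 203.0.113.5.80: Flags [S], seq 3, win 5840, length 0",
    "19:05:26.000004 IP 203.0.113.5.80 > 192.0.2.11.41523: Flags [S.], seq 4, ack 4, win 5792, length 0",
    "19:05:26.000005 IP 192.0.2.11.3456 > 203.0.113.5.80: Flags [S], seq 5, win 5840, length 0",
]


def summarize(lines=SAMPLE):
    """Count verdicts over a list of tcpdump text lines."""
    counts = {}
    for line in lines:
        verdict = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line.split(": Flags")[0])
    print(summarize())
    print("default 1024-4999:", blocked_in_ephemeral_range(1024, 4999))
    print("high-usage 32768-61000:", blocked_in_ephemeral_range(32768, 61000))
```

With the 1024-4999 range the post quotes, neither blocked port can be chosen as a local source port; with 32768-61000, 41523 can, and a local host that draws it will see its connection's replies dropped by the inbound rule. TCP does not move to a new port on its own: a SYN that gets no answer is retransmitted with the same source port until the connect times out, and a fresh port is only picked when the application opens a new socket. On kernels that support it, listing 41523 in net.ipv4.ip_local_reserved_ports keeps the kernel from assigning it as an ephemeral port while the router block stays in place.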
