The UNIX and Linux Forums > Top Forums > UNIX for Advanced & Expert Users
#1  12-17-2007  tlippy01 (Registered User, Join Date: Dec 2007, Posts: 1)
our compromised system

We're having this problem as well, also on RHEL4. Does anyone have an idea of how their machines were compromised initially? We don't want to open up the same vulnerability again. I've attached the three /bin/mount* files we found on the compromised machine. There were other similarly compromised binaries as well, such as touch, basename and cat.
-Tom

Moderator's note: I have just approved the attachment so it should now be available for downloading. Download it with caution! It is suspected of being malware. --- Perderabo
Attached Files
File Type: gz evil_mount.tar.gz (515.7 KB, 7 views)

Last edited by Perderabo; 12-17-2007 at 08:25 PM.. Reason: Approve attachment
#2  12-17-2007  daisy (Registered User, Join Date: Dec 2007, Posts: 2)
Rootkit with infected mount binary

Our systems are compromised with this rootkit. We followed the recommendation from Hookups and found the mount binary with what looks like a hash string appended to the end. We could not find any info about this on the internet. If you have any additional information regarding this rootkit please let us know. Your help is greatly appreciated.

Daisy
#3  12-18-2007  reborg (Forum Staff, Administrator, Join Date: Mar 2005, Location: Ireland, Posts: 4,246)
This is not certain to be the same rootkit; this is pretty much standard MO for a rootkit.

This article is helpful on the subject of cleanup and evidence gathering:
http://www.honeynet.org/challenge/re...y/evidence.txt
#4  12-18-2007  Hookups (Registered User, Join Date: Dec 2007, Posts: 2)
The posted binary is not the exact same, as the md5sums do not match. However, the file size is spot on. It also has the same characteristics; namely, the binary looks to be broken, but is still loadable by the Linux kernel:

---
[badfile@host badfiles]$ readelf -a ./mount
ELF Header:
Magic: 7f 45 4c 46 00 00 00 00 00 00 00 00 00 00 00 00
Class: none
Data: none
Version: 0
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x1df26054
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0

There are no sections in this file.

There are no section groups in this file.

Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x1df26000 0x1df26000 0x8453f 0x13e000 RWE 0x1000

There is no dynamic section in this file.

There are no relocations in this file.

There are no unwind sections in this file.

No version information found in this file.
[badfile@host badfiles]$ objdump -d ./mount
objdump: ./mount: File format not recognized
[badfile@host badfiles]$ file ./mount
mount: ELF invalid class invalid byte order (SYSV)
---

strace as an unprivileged user shows one system call to 'sysinfo()' with the argument of '0'. It returns an error:

---
[badfile@host evil_mount]$ strace ./mount
execve("./mount", ["./mount"], [/* 22 vars */]) = 0
sysinfo(0) = -1 EFAULT (Bad address)
---

Going to look further into the binary from an analysis workstation I have setup and see if I can get any more information.

Cheers,
Hookups