Security Incidents mailing list archives
charbd rootkit ( Re: spanish rootkit)
From: Vitaly Osipov <vos () TELENOR CZ>
Date: Fri, 22 Sep 2000 14:46:16 +0200
Hello all,

I researched it a bit - looks like a combination of some old and new tools...

This kit mixes use of a kernel module (adore) for hiding processes with the good old trojaned ifconfig (hide promisc flag) and netstat (hide processes/connections by contents of /dev/ptyq). It also includes some simple backdoors (src is in file "pb") which execute xterm upon connection (the password they chose is absolutely unpronounceable - you'll see it if you run strings on the files).

It also trojans in.pop3d, tcpd, login with password "p3dr0*2k" and _maybe_ does something more with ifconfig, because when I ran it, the first time that new ifconfig started rather slow :)

Also installs some (icmp-based) trojan server (file "server") - password probably is "ph33rph33rph33r" - it is old stuff, sources that I have found somewhere :) are dated end of 1998 (by "chrak") - it executes a command which it receives in the data field of an icmp packet.

Also includes linsniffer (of course :) )

If you want to see chrak - he's at http://b4b0.org/chrak/

Those who are interested can take a kit from www.angelfire.com/linux/witt/charbd.gz

regards,
W.
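The post describes two userland tricks of this kit: a trojaned ifconfig that hides the promisc flag and a trojaned netstat that hides connections. An added example (not from the post or the kit) of the defender-side cross-check that sidesteps both: read the interface flags from /sys/class/net/<if>/flags and the socket table from /proc/net/tcp, then compare against what netstat printed. Sample inputs are constructed; the 8080 listener and the file paths are assumptions for illustration. A kernel module such as adore could still tamper with /proc, so treat agreement as necessary, not sufficient.

```python
import socket
import struct

IFF_PROMISC = 0x100  # linux/if.h; set in /sys/class/net/<if>/flags when sniffing

def is_promisc(flags_word):
    """Decode the hex word from /sys/class/net/<if>/flags instead of trusting ifconfig."""
    return bool(int(flags_word, 16) & IFF_PROMISC)

def _decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22); /proc stores the IPv4 address little-endian."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """(local_ip, local_port, remote_ip, remote_port, state) for every socket in /proc/net/tcp."""
    socks = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        lip, lport = _decode_addr(fields[1])
        rip, rport = _decode_addr(fields[2])
        socks.append((lip, lport, rip, rport, int(fields[3], 16)))
    return socks

def netstat_ports(text):
    """Local ports that `netstat -an` chose to display (the trojaned binary may omit some)."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("tcp"):
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def hidden_sockets(proc_sockets, shown_ports):
    """Sockets the kernel reports but netstat did not: candidates hidden via /dev/ptyq."""
    return [s for s in proc_sockets if s[1] not in shown_ports]

# Constructed samples: the kernel sees sshd (22), an assumed backdoor listener (8080)
# and one established session; the netstat output is missing the 8080 line.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1236 1
"""
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:22            127.0.0.1:50000         ESTABLISHED
"""

if __name__ == "__main__":
    print("eth0 promisc:", is_promisc("0x1103"))  # value as read from /sys on a sniffing box
    print("hidden:", hidden_sockets(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), netstat_ports(SAMPLE_NETSTAT)))
```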