Security Incidents mailing list archives

Re: spanish rootkit

From: "Martins, Fernando (Lisbon)" <FMartins () PT IMSHEALTH COM>
Date: Thu, 21 Sep 2000 11:01:36 +0200

Actually it is Brazilian, not Portuguese. We don't say: "Agora irei rodar o
sniffer ebaaaaaa! ;)" ... this and all other comments are typical Brazilian.
And if it was rooted from Greece, some Brazilians like to have shell accounts
there. So, all points to Brazil, IMHO.

'Esse script vai ver se está tudo no local correto e fazer de vc o mais l33t
possivel ;)'
This script will check if everything is in the proper place and make you as
slow as possible

"/usr/bin/make encontrado"
/usr/bin/make was found

"Nãaaao! /usr/bin/make nao encontrado vc tera q compilar o adore em outra
makina e em seguida enviar para o diretorio :("
Noooo! /usr/bin/make was not found, you will have to compile the adore on
another box and then send it to the directory

"sniffer encontrado continuando..."
sniffer found, continuing

"Não encontrei sniffer (linsniffer) tenha certeza q ele está no diretorio
Did not find the sniffer, be sure it is in directory /usr/share

"Agora irei rodar o sniffer ebaaaaaa! ;)"
Now I'll run the sniffer yeahhhhh

"Agora irei esconder o processo do sniffer 31337"
Now I'll hide the process of the sniffer 31337

"Não encontrei pidof usarei o metodo do ps mesmo ;)"
Didn't find pidof, I'll use the ps method

"Rodando agora as backdoors..."
Running now the backdoors

"Não encontrei charbd tenha certeza q ele está no diretorio /usr/share/.../"
Didn't find charbd, be sure it is in the directory /usr/share

"Agora irei esconder as backdoors uhuh ;)"
Now I'll hide the backdoors

"Agora irei checar se a box roda pop3 para backdoriza-la ;) r0x"
Now I'll check if the box runs pop3, to be trojaned

"Veja aki se ele está rodando se tiver um # na frente significa q ele está
See here if it is running; if it has a # in front, it means that it is
turned off

"No diretorio:"
In the directory

"Agora o vou testar o netstat hehehe vamos trojana-lo ;)"
Now I'll test netstat hehehe let's trojan it

"netstat encontrado aguarde fazendo as falcatruas ;)"
netstat found wait while the tricks are being done

"Escondendo as conexoes no netstat trojanado"
Hiding connections in the trojaned netstat

"Eh meio impossivel, mas parece q o netstat nao esta no dir /bin/"
It's half impossible, but it seems like netstat is not in the directory /bin

"bd de pop3 colocada"
bd of pop3 placed (bd usually is an abbreviation of database)

"Colocando bd de tcpd"
Placing bd of tcpd

"Backdoor Colocada"
Backdoor placed

"Colocando bd de ifconfig"
Placing bd of ifconfig

"Agora irei colocar a bd de icmp"
Now I'll place the bd of icmp

"Digite a porta q deseja:"
Type the port you wish

"Colocando login backdoor"
Placing login backdoor

chmod +x joao;
cp -f joao /bin/login;
rm -rf joao;
'joao' is the same as John (like John Smith, can be anybody)

"h0h0h0h0h0 agora vo compilar o rescue.c o mais l33t0 possivel"
Now I'll compile the rescue.c the slowest way possible

"/etc/rc.d/rc.local encontrado ... h0h0h0"

"Caso vc decida botar pra inicializar mais l1t0 q isso existem 1 backup de
tudo no /usr/share/.../ ;)"
In case you wish to run slower than that (in this case l1t0 and l33t0 mean
slow, so he can't even talk the right h4x0r ... a mess, like the whole script)

"Não encontrei /etc/rc.d/rc.local :(("
Didn't find ...

I hope this helps.

Kind Regards,
Fernando Martins
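
A defender's sweep for the artifacts these messages name, as an added example that is not part of the original post or of the script it translates. The function name `sweep_root`, the `ifconfig` and `tcpd` paths, and the idea that a boot entry would reference the stash path are assumptions; the other names come from the messages above.

```shell
#!/bin/sh
# Added example: sweep a filesystem tree for artifacts named in the translated
# installer messages. Point it at an image mounted from trusted media: the
# messages say adore is used to hide processes, so the live host may lie.

# sweep_root ROOT -> one "FINDING:"/"VERIFY:" line per hit, nothing if clean.
sweep_root() {
    root=${1%/}
    stash="$root/usr/share/..."

    # The messages place the tools and a backup of everything in /usr/share/.../
    if [ -d "$stash" ]; then
        echo "FINDING: hidden directory $stash"
        for f in "$stash"/* "$stash"/.[!.]*; do
            [ -e "$f" ] || continue          # unmatched glob stays literal
            case ${f##*/} in
                linsniffer|charbd|rescue*|adore*)   # names from the messages
                    echo "FINDING: named tool $f" ;;
                *)  echo "FINDING: unlisted file $f" ;;
            esac
        done
    fi

    # Boot persistence: the installer looks for /etc/rc.d/rc.local.
    # Assumption: an entry added there would reference the stash path.
    rc="$root/etc/rc.d/rc.local"
    if [ -f "$rc" ] && grep -F -q '/usr/share/...' "$rc"; then
        echo "FINDING: $rc references /usr/share/..."
    fi

    # Binaries the messages say get replaced. /bin/login and /bin/netstat are
    # from the post; the ifconfig and tcpd locations are assumed defaults.
    # Compare each against the package database or known-good media.
    for b in bin/login bin/netstat sbin/ifconfig usr/sbin/tcpd; do
        if [ -f "$root/$b" ]; then
            echo "VERIFY: $root/$b"
        fi
    done
    return 0
}

# Usage: sh sweep.sh /mnt/image
if [ "$#" -gt 0 ]; then
    sweep_root "$1"
fi
```

`VERIFY` lines are not detections in themselves; they list the files whose contents need checking against a trusted copy.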
