Security Incidents mailing list archives
Re: another rootkit
From: Michal Zalewski <lcamtuf () bos bindview com>
Date: Sat, 2 Jun 2001 09:52:46 -0400 (EDT)
On Fri, 1 Jun 2001, Alvin Oga wrote:
> just was curious why i couldn't find any references on any of the "unique" keywords ( maniac-Rk, grabb, ipz.gz ...
I haven't seen it anywhere else, but it seems to be built using publicly available, common stuff...
-rwxr-xr-x 1 root root 5043 Mar 23 07:18 addlen*
This is a program to pad replaced file with zeros to match its original size.
-rw-r--r-- 1 root root 5744 May 31 10:10 adore.o
-rwxr-xr-x 1 root root 14248 May 31 10:10 ava*
That is a pretty popular kernel-level backdoor, designed by stealth (two parts, kernel-space and user-space).
-rwxr-xr-x 1 root root 1080 Mar 23 07:48 clear_logs*
Hard to identify - pretty small, probably invokes vanish2 (is it a shell script?).
-rwxr-xr-x 1 root root 7985 Mar 23 07:38 fix*
This one is used to fix checksums of files (not md5 digests ;).
-rwxr-xr-x 1 root root 10171 May 4 12:39 grabbb.gz*
That would be a banner scanner, publicly available.
-rwxr-xr-x 1 root root 5220 Jun 1 18:53 install.sh*
...and this script would invoke 'addlen' and 'fix' ;)
-rwxr-xr-x 1 root root 4734 May 8 10:04 ipz.gz*
/* members.xoom.com/i0wnu
 * IPZ by Mixter (c) 1999
 * Generates IP Addresses for Class A/B/C SubNets
 * in non-sequential order (for unnoticed scanning).
 */
-rwxr-xr-x 1 root root 10496 Mar 23 07:48 pine.out*
(unidentified, probably worth a look)
-rwxr-xr-x 1 root root 9070 May 4 11:55 slice*
This seems to be one of the DDoS attack proggies.
-rwxr-xr-x 1 root root 15335 May 31 09:58 ping*
Well, that would be standard ping utility, I presume, carried for some reason.
-rw-r--r-- 1 root root 19700 Jun 1 18:03 snifflog
---s--s--x 1 root root 11869 Apr 4 19:10 sush*
This one is pretty interesting. I know only a few exploits that use this name:
- suidperl
- old crontab exploit
- Linux 2.2 capabilities exploit
But the last two use /tmp, not the current directory, for creating 'sush'.
-rwxr-xr-x 1 root root 12405 May 31 09:38 vanish2.gz*
And that would be another log cleaner.
-rwxr-xr-x 1 root root 58068 May 19 06:58 wget.gz*
-rwxr-xr-x 1 root root 20445 Apr 2 12:24 bnc.gz*
-rwxr-xr-x 1 root root 14319 May 31 10:05 tty*
These proggies seem to be not harmful.

--
_____________________________________________________
Michal Zalewski [lcamtuf () bos bindview com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=>
Did you know that clones never use mirrors? <=-=
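The message above notes that 'addlen' pads a replaced binary with zeros back to its original size and that 'fix' repairs checksums "not md5 digests". The following is an added, defender-side example, not code from Michal's message or from the kit he describes: a baseline comparison showing that a size match and a CRC-style checksum are weak evidence, that a SHA-256 mismatch is decisive, and that a long run of trailing NUL bytes is itself a tell. The file names, the sample bytes and the NUL-run threshold are constructed for the example.

```python
"""Baseline-vs-current integrity check (added example, not from the thread).

Demonstrates why zero-padding a replaced file to its original length and
patching a cheap checksum defeat size/cksum-based checks but not SHA-256.
"""
import hashlib
import os
import tempfile
import zlib

# Heuristic threshold (assumption for this example, tune per host): an ELF
# executable normally does not end in a long run of NUL bytes.
MAX_TRAILING_NUL = 64


def read_bytes(path):
    with open(path, "rb") as f:
        return f.read()


def record_baseline(path):
    """Snapshot size, crc32 and sha256 of a file while it is still trusted."""
    data = read_bytes(path)
    return {
        "size": len(data),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def trailing_nul_run(data):
    """Number of NUL bytes at the very end of the file contents."""
    return len(data) - len(data.rstrip(b"\x00"))


def check_file(path, baseline):
    """Compare a file with its baseline; an empty list means no finding."""
    data = read_bytes(path)
    findings = []
    if len(data) != baseline["size"]:
        findings.append("size mismatch")
    if (zlib.crc32(data) & 0xFFFFFFFF) != baseline["crc32"]:
        findings.append("crc32 mismatch")
    # SHA-256 is the check that a size-preserving, checksum-fixed replacement
    # cannot satisfy; crc32 and size are only cheap first-pass hints.
    if hashlib.sha256(data).hexdigest() != baseline["sha256"]:
        findings.append("sha256 mismatch")
    nul = trailing_nul_run(data)
    if nul > MAX_TRAILING_NUL:
        findings.append(f"{nul} trailing NUL bytes (possible size padding)")
    return findings


def demo():
    """Constructed scenario: a 'ps' binary is replaced by a shorter file that
    is zero-padded to exactly the original length, as 'addlen' would do."""
    original = b"\x7fELF" + bytes(range(256)) * 8          # 2052 bytes, constructed
    replacement = b"\x7fELF" + b"replacement code" * 40    # 644 bytes, constructed
    padded = replacement + b"\x00" * (len(original) - len(replacement))
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ps")
        with open(path, "wb") as f:
            f.write(original)
        baseline = record_baseline(path)
        clean = check_file(path, baseline)       # trusted copy: no findings
        with open(path, "wb") as f:
            f.write(padded)                      # size-preserving replacement
        tampered = check_file(path, baseline)
    return {"baseline": baseline, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("clean   :", result["clean"])
    print("tampered:", result["tampered"])
```

The practical point for a responder is that the baseline must be recorded from trusted media (a read-only install image or a package manager's signed manifest), and that size and cksum-style values are only triage hints; the SHA-256 (or better) comparison is the one the kit's 'fix' and 'addlen' helpers are built to survive but cannot.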