Security Incidents mailing list archives
Re: New maniac rootkit
From: Daniel Martin <dtmartin24 () home com>
Date: 21 Jun 2001 15:15:43 -0400
Many people have already identified bits, so I'll just comment on this piece:

Andrew Heath <ah228 () cornell edu> writes:

> in /dev/ptyxx/.proc (runlevels?)
> 2 eggdrop
> 3 maniac
> 2 slice
> 2 pine.out
> 2 PHoss
> 2 targa3
> 3 bnc
> 2 httpd
> 3 grabbb
> 3 pt07
> 3 mailrc
> 2 sh
This file format matches the file format of many common trojaned ps and ls programs - it's a list of processes and/or files to hide (I think that the initial number identifies whether this is the name of a process to hide or a file, but I can't remember).

You might try the following two commands on the trojaned box:

  ls /bin/sh
  echo 'ps $$' | sh | grep sh

I'm willing to bet that one or the other of those commands will show nothing, an indication that sh is being hidden from either ls or ps.

You could also, I suppose, do a

  mv /dev/ptyxx /dev/ptyxx.old

and see if suddenly things look different when you do a ps or ls on the infected box. (I say move the directory because there may be other, possibly hidden, rootkit config. files therein)
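A check in the same spirit as the ls/ps comparison above, as an added example that is not part of Daniel Martin's post: it compares the kernel's own process table in /proc against what ps reports, since a ps binary that filters by name cannot remove entries from /proc. It assumes Linux and a procps-style ps; the function names and the --live flag are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Cross-check /proc against ps:
# a PID present in /proc but absent from ps output is a candidate for a ps
# that hides processes by name, like the .proc list quoted above.
# Assumes a Linux /proc and a ps that accepts "-e -o pid=" (procps).

# Print the numeric entries of a /proc-style directory, one per line, sorted
# in C collation so comm(1) can consume them.
# $1: directory to scan (defaults to /proc; tests pass a constructed one)
list_proc_pids() {
    dir="${1:-/proc}"
    for entry in "$dir"/[0-9]*; do
        [ -d "$entry" ] || continue
        printf '%s\n' "${entry##*/}"
    done | LC_ALL=C sort
}

# Print the PIDs that ps reports, sorted the same way.
list_ps_pids() {
    ps -e -o pid= | tr -d ' ' | LC_ALL=C sort
}

# Print PIDs present in the first list but absent from the second.
# $1: file holding /proc PIDs, $2: file holding ps PIDs (both sorted as above)
hidden_pids() {
    LC_ALL=C comm -23 "$1" "$2"
}

# For each suspect PID, show the name the kernel records for it, so it can be
# compared with the names in the rootkit's hide list.
# $3: /proc-style directory (defaults to /proc; tests pass a constructed one)
report_hidden() {
    proc_dir="${3:-/proc}"
    hidden_pids "$1" "$2" | while read -r pid; do
        name=$(cat "$proc_dir/$pid/comm" 2>/dev/null || echo '?')
        printf 'hidden from ps: pid %s (%s)\n' "$pid" "$name"
    done
}

# Live run against this host. Short-lived processes that start or exit
# between the two snapshots show up as false positives; re-run to confirm.
main() {
    tmp=$(mktemp -d) || exit 1
    list_proc_pids > "$tmp/proc"
    list_ps_pids > "$tmp/ps"
    report_hidden "$tmp/proc" "$tmp/ps"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--live" ]; then main; fi
```

Run it as `sh check_hidden.sh --live`; an empty result means /proc and ps agree, and a PID that is reported but whose name is absent from ps output is what a name-filtering ps would produce.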