Security Incidents mailing list archives
Re: another rootkit - one more file
From: Alvin Oga <alvin.sec () Mail Linux-Consulting com>
Date: Sun, 3 Jun 2001 04:43:21 -0700 (PDT)
hi ya for those of you looking at this stuff,... i missed one file .... that tripwire found ...that i skipped over -rwxr-xr-x 1 root root 14443 May 31 09:54 /usr/lib/pt07* thanx alvin http://www.Linux-Sec.net
On Sat, 2 Jun 2001, Michal Zalewski wrote:On Fri, 1 Jun 2001, Alvin Oga wrote:just was curious why i couldnt find any references on any of the "unique" keywords ( maniac-Rk, grabb, ipz.gz ...I haven't seen it anywhere else, but it seems to be built using publicly available, common stuff...-rwxr-xr-x 1 root root 5043 Mar 23 07:18 addlen*This is a program to pad replaced file with zeros to match its original size.-rw-r--r-- 1 root root 5744 May 31 10:10 adore.o -rwxr-xr-x 1 root root 14248 May 31 10:10 ava*That is pretty popular kernel-level backdoor, designed by stealth (to parts, kernel-space and user-space).-rwxr-xr-x 1 root root 1080 Mar 23 07:48 clear_logs*Hard to identify - pretty small, probably invokes vanish2 (is it a shell script?).-rwxr-xr-x 1 root root 7985 Mar 23 07:38 fix*This one is used to fix checksums of files (not md5 digests ;).-rwxr-xr-x 1 root root 10171 May 4 12:39 grabbb.gz*That would be a banner scanner, publicly available.-rwxr-xr-x 1 root root 5220 Jun 1 18:53 install.sh*...and this script would invoke 'addlen' and 'fix' ;)-rwxr-xr-x 1 root root 4734 May 8 10:04 ipz.gz*/* members.xoom.com/i0wnu * IPZ by Mixter (c) 1999 * Generates IP Addresses for Class A/B/C SubNets * in non-sequential order (for unnoticed scanning). */-rwxr-xr-x 1 root root 10496 Mar 23 07:48 pine.out*(unidentified, probably worth a look)-rwxr-xr-x 1 root root 9070 May 4 11:55 slice*This seems to be one of DDoS attack proggies.-rwxr-xr-x 1 root root 15335 May 31 09:58 ping*Well, that would be standard ping utility, I presume, carried for some reason.-rw-r--r-- 1 root root 19700 Jun 1 18:03 snifflog ---s--s--x 1 root root 11869 Apr 4 19:10 sush*This one is pretty interesting. I know only a few exploits that use this name: - suidperl - old crontab exploit - Linux 2.2 capabilities exploit But last two uses /tmp, not current directory, for creating 'sush'.-rwxr-xr-x 1 root root 12405 May 31 09:38 vanish2.gz*And that would be another log cleaner.-rwxr-xr-x 1 root root 58068 May 19 06:58 wget.gz* -rwxr-xr-x 1 root root 20445 Apr 2 12:24 bnc.gz* -rwxr-xr-x 1 root root 14319 May 31 10:05 tty*These proggies seems to be not harmful. -- _____________________________________________________ Michal Zalewski [lcamtuf () bos bindview com] [security] [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};: =-=> Did you know that clones never use mirrors? <=-=
Current thread:
- another rootkit Alvin Oga (Jun 02)
- Re: another rootkit Michal Zalewski (Jun 03)
- Re: another rootkit Alvin Oga (Jun 03)
- Re: another rootkit - one more file Alvin Oga (Jun 03)
- Re: another rootkit Alvin Oga (Jun 03)
- Re: another rootkit Michal Zalewski (Jun 03)