Security Incidents mailing list archives
Re: Linux box 'infected' with RK15
From: "Miller, Toby" <ToMiller () USAID GOV>
Date: Wed, 21 Mar 2001 13:19:55 -0500
How did the "bad guys" get in? If it was t666 you would see a directory
called /var/named/ADMROCKS. Also, a tool you might want to check out is
chkrootkit; it can be found at www.chkrootkit.org
Toby
-----Original Message-----
From: Sean Kelly [mailto:lists () SHORTESTPATH ORG]
Sent: Tuesday, March 20, 2001 5:52 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Linux box 'infected' with RK15
Hello,
I'm new to this list so please correct me if I step out of line here :)
I have just been handed a Linux web server at my new work place which
appears to have been 'infected' with something called RK15 (Rootkit15, I
believe). I'm pretty sure I know *how* they got in, but I'm more
interested in *what* this RK15 does.
I have the install script which installs precompiled binaries of
utilities like ifconfig, top, ps, login - the usual for rootkits (it seems
to mention some actual exploit binaries [t666, wu-exploit] but these are
not on the system).
There also appears to be a 'new' service listening on a TCP port which,
when opened with telnet, returns a nonsensical string of about 8
characters and seems to be prompting for a response (sorry for the
vagueness - I'm writing this from memory at the moment).
Does anyone have any knowledge of this rootkit, or have any comments on
the above?
Thanks,
--
Sean Kelly <lists () shortestpath org>
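One defender-side check for the 'new' listening service Sean describes, in the spirit of Toby's chkrootkit suggestion: an added example (not from the thread and not chkrootkit's code) that lists LISTEN sockets straight from /proc/net/tcp, so the answer does not depend on the ps/netstat/ifconfig binaries the rootkit's install script may have replaced. The /proc/net/tcp excerpt and the port allow-list below are constructed for illustration.

```python
"""Enumerate TCP listeners directly from /proc/net/tcp instead of trusting netstat/ps.
Constructed example, not from the original thread. Sample table and port allow-list
are made up; on a real host read /proc/net/tcp (and /proc/net/tcp6) from a clean shell."""
import socket
import struct

TCP_LISTEN = "0A"  # socket state column, hex: 0A == TCP_LISTEN

# Constructed /proc/net/tcp excerpt: sshd on 22, httpd on 80, an unexpected
# listener on 31337, and one established (state 01) connection to ignore.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(hex_addr):
    """'0100007F:0016' (little-endian hex IPv4, hex port) -> ('127.0.0.1', 22)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_listeners(text):
    """Return sorted (ip, port, inode) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        listeners.append((ip, port, int(fields[9])))
    return sorted(listeners)

def unexpected_listeners(text, expected_ports):
    """Listeners whose port is not on the allow-list; the inode lets you match
    the socket to a process via /proc/*/fd without relying on a possibly trojaned ps."""
    return [entry for entry in parse_listeners(text) if entry[1] not in expected_ports]

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:
            text = f.read()
    except OSError:  # not on Linux: demonstrate on the constructed sample
        text = SAMPLE_PROC_NET_TCP
    for ip, port, inode in unexpected_listeners(text, {22, 80}):
        print(f"unexpected listener {ip}:{port} (socket inode {inode})")
```

Run it from a statically linked or known-good shell if you suspect the login/ps binaries; a hit that netstat does not show is exactly the discrepancy that points at a trojaned userland.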
