Security Incidents mailing list archives

Re: any1 stumbled across eCkit ?


From: Patrick van Zweden <patrick () vanzweden nl eu org>
Date: Mon, 26 Nov 2001 23:18:58 +0100

At 16:40 26-11-2001 -0500, you wrote:

Can you tell us more about what programs were altered and what directories you found the rootkit in?

Sure.

They tried to alter ps, dir, top, slocate, lsof, ifconfig, netstat, md5sum,
pstree, syslogd, in.fingerd, ls and installed a trojaned ssh. Most
modifications failed due to the immutable bit, which is set on most important
binaries. Also xntps was installed, which is a trojaned ssh daemon. The
xntps read its config file from /lib/lblip.tk and listened on port 48883.
Also installed (but not used on my system) were libproc.a and libproc.so
version 2.0.6. I guess they are installed to hide some process.

In /lib/ldd.so/ I found the patch script and a file called td. Strings
revealed that it is some kind of testing program, but I don't know for sure.

Well, that's it so far. I'm currently looking for more suspicious things.
Luckily they installed programs which require glibc, which doesn't exist
on the system. So searching for the string GLIBC reveals a lot.

If you like, I can send you the whole stuff I've found so far.

Greetings,

Patrick van Zweden
-- 
"Warning: you are logged into reality as root..."
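An added check, not part of Patrick's mail, that turns his two observations (replaced binaries referencing GLIBC on a host that has no glibc, and the immutable bit blocking most replacements) into a script a responder could run from a clean shell. Port 48883 comes from the post; the directory layout, the sample files and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a libc5-era host where
# no legitimate binary should reference GLIBC, and ext2 attributes via lsattr.

# Print every regular file under $1 whose bytes contain the string GLIBC.
find_glibc_refs() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while read -r f; do
        if grep -aq 'GLIBC' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Print files under $1 that lack the immutable ('i') attribute, i.e. the
# ones an intruder could have overwritten. Needs lsattr (e2fsprogs);
# prints nothing when lsattr is unavailable or the filesystem has no attrs.
find_mutable() {
    dir="$1"
    command -v lsattr >/dev/null 2>&1 || return 0
    find "$dir" -type f 2>/dev/null | while read -r f; do
        attrs=$(lsattr -d "$f" 2>/dev/null | awk '{print $1}')
        case "$attrs" in
            *i*) ;;                       # immutable: left alone
            *)   printf '%s\n' "$f" ;;    # mutable: verify against clean media
        esac
    done
}

# Exit 0 if something is listening on the port the trojaned xntps used.
listening_on_48883() {
    netstat -an 2>/dev/null | grep -q ':48883 .*LISTEN'
}

# Demo on a constructed directory so the script runs offline anywhere;
# on a real host point the functions at /bin, /sbin, /usr/bin, /usr/sbin.
demo_dir=$(mktemp -d)
printf 'constructed sample referencing GLIBC_2.0\n' > "$demo_dir/netstat"
printf 'constructed sample referencing libc.so.5\n' > "$demo_dir/ls"
echo "Files referencing GLIBC:"
find_glibc_refs "$demo_dir"
echo "Files without the immutable bit:"
find_mutable "$demo_dir"
rm -rf "$demo_dir"
```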

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
