Security Incidents mailing list archives
Re: any1 stumbled across eCkit ?
From: Patrick van Zweden <patrick () vanzweden nl eu org>
Date: Mon, 26 Nov 2001 23:18:58 +0100
At 16:40 26-11-2001 -0500, you wrote:
> Can you tell us more about what programs were altered and what directories you found the rootkit in?
Sure. They tried to alter ps, dir, top, slocate, lsof, ifconfig, netstat, md5sum, pstree, syslogd, in.fingerd, ls and installed a trojaned ssh. Most modifications failed due to the immutable bit which is set on most important binaries. Also xntps was installed, which is a trojaned ssh daemon. The xntps read its config file from /lib/lblip.tk and listened on port 48883. Also installed (but not used on my system) were libproc.a and libproc.so version 2.0.6. I guess they are installed to hide some process. In /lib/ldd.so/ I found the patch script and a file called td. Strings revealed that it is some kind of testing program, but I don't know for sure.

Well, that's it so far. I'm currently looking for more suspicious things. Luckily they installed programs which require glibc, which doesn't exist on the system. So searching for the string GLIBC reveals a lot. If you like I can send you the whole stuff I've found so far.

Greetings,

Patrick van Zweden
--
"Warning: you are logged into reality as root..."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
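The two checks described in the post (binaries that unexpectedly carry glibc version symbols on a non-glibc system, and replaced binaries whose hashes no longer match a trusted baseline) can be scripted. The following is an added example, not code from the original post or from the list; it assumes a directory tree of binaries to scan and a baseline dictionary of SHA-256 hashes taken from trusted install media, and it hashes files with Python's hashlib rather than the on-box md5sum, since the post notes the intruders tried to replace that too. The sample file tree it scans is constructed inline (the file names and the path /lib/lblip.tk come from the post; the file contents are made up).

```python
#!/usr/bin/env python3
"""Detect binaries that carry glibc version symbols and binaries whose hash
differs from a trusted baseline. Added example; not from the original post."""
import hashlib
import os
import re
import tempfile

# Glibc-linked executables embed version symbols such as GLIBC_2.0.
# On a system that has no glibc installed, any file containing these is suspect.
GLIBC_RE = re.compile(rb"GLIBC_\d+\.\d+")


def sha256_of(path):
    """Hash a file with our own code instead of trusting the system md5sum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def glibc_versions(path):
    """Return the sorted set of GLIBC_x.y symbol strings found in a file."""
    with open(path, "rb") as f:
        data = f.read()
    return sorted({m.decode() for m in GLIBC_RE.findall(data)})


def scan_dir(directory, baseline):
    """Walk `directory`; return sorted (relative path, reason) findings.

    `baseline` maps relative paths to known-good SHA-256 hex digests.
    Files missing from the baseline are reported as well, because a file the
    trusted media never shipped (like the 'td' program) is itself a finding.
    """
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, directory)
            versions = glibc_versions(path)
            if versions:
                findings.append((rel, "contains glibc symbols " + ",".join(versions)))
            expected = baseline.get(rel)
            if expected is None:
                findings.append((rel, "not in baseline"))
            elif expected != sha256_of(path):
                findings.append((rel, "hash mismatch"))
    return sorted(findings)


def build_sample_tree(directory):
    """Write a constructed sample tree into `directory`; return its baseline.

    Contents are made up: a clean static ls, a replaced netstat that carries
    glibc symbols and the /lib/lblip.tk path from the post, and an unknown
    'td' file under lib/ldd.so that the baseline never listed.
    """
    clean_ls = b"\x7fELF\x01" + b"static ls, no libc version symbols"
    clean_netstat = b"\x7fELF\x01" + b"static netstat"
    trojan_netstat = b"\x7fELF\x01" + b"GLIBC_2.0 GLIBC_2.1.3 /lib/lblip.tk"
    td = b"\x7fELF\x01" + b"GLIBC_2.0 test program"
    files = {"bin/ls": clean_ls, "bin/netstat": trojan_netstat, "lib/ldd.so/td": td}
    for rel, data in files.items():
        path = os.path.join(directory, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # The baseline records the hashes of the *original* binaries, as they
    # would have been captured from trusted media before the intrusion.
    return {
        "bin/ls": hashlib.sha256(clean_ls).hexdigest(),
        "bin/netstat": hashlib.sha256(clean_netstat).hexdigest(),
    }


def demo():
    """Scan the constructed tree and return the findings list."""
    with tempfile.TemporaryDirectory() as d:
        baseline = build_sample_tree(d)
        return scan_dir(d, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

On a real system the baseline would be built from clean media (or a package database copied off-box), and the scan run from a known-good binary set such as a rescue disk, since a replaced ls or find on the compromised host could hide files from the walk.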
Current thread:
- Re: any1 stumbled across eCkit ? Patrick van Zweden (Nov 26)
- Re: any1 stumbled across eCkit ? Ian Jones (Nov 26)
- <Possible follow-ups>
- any1 stumbled across eCkit ? Patrick van Zweden (Nov 26)
- Re: any1 stumbled across eCkit ? Fredrik Ostergren (Nov 29)
- RE: any1 stumbled across eCkit ? Ryan Sweat (Nov 29)