Security Incidents mailing list archives
Anyone know this rootkit (rootkits?)
From: Steve Bougerolle <steveb () creek-and-cowley com>
Date: 25 Jul 2002 23:26:27 +0800
I was trying to fix up a crashed Red Hat Linux 7.2 server for a client today, and after a bit of fiddling discovered what looks pretty clearly like a rootkit. It had files stored in /dev/\ \ \ , modified a bunch of binaries including su, netstat, ls, ps, and ifconfig, and installed some sort of sshd trojan in a whole bunch of places. Sound familiar to anyone? (i.e., who knows where I can learn more about it?)

While cleaning up the mess with that, things still weren't working, so I looked farther and discovered ANOTHER bunch of covert directories, called /dev/.id, /dev/.sh and /dev/.so (IIRC). These were linked to an entry in the rc.local boot script which powered up something in /dev/.id (didn't have time to note the details yet, sorry). Anyone hear of these? Is this one rootkit or more than one?

--
Steve Bougerolle
Creek & Cowley Consulting
http://www.creek-and-cowley.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
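The two indicators the post describes, oddly named directories under /dev (a whitespace-only name and dot-prefixed names) and an rc.local entry that starts something living under /dev, can be checked for with a short script. The following is an added example, not code from the original post or from any rootkit tooling; the scan root and the rc.local path are arguments, so it can be pointed at a mounted image of the affected disk rather than the live system, and the sample tree built by the --demo switch is constructed here for illustration.

```bash
#!/bin/sh
# Added example (not part of the original post). Heuristics for the two
# indicators described in the message:
#   1. directories directly under /dev whose name is dot-prefixed or consists
#      only of whitespace (both hide from a casual "ls");
#   2. lines in rc.local that reference such a path under /dev.
# Assumption: the caller passes the /dev root and the rc.local file explicitly,
# e.g. from a mounted forensic image (/mnt/image/dev, /mnt/image/etc/rc.d/rc.local).

# Print every directory directly under $1 whose name begins with a dot or is
# made up of whitespace only. A normal device tree has neither.
find_odd_dev_dirs() {
    root="$1"
    for entry in "$root"/* "$root"/.*; do
        [ -d "$entry" ] || continue          # also skips unmatched glob literals
        name=$(basename "$entry")
        [ "$name" = "." ] && continue
        [ "$name" = ".." ] && continue
        case "$name" in
            .*) printf '%s\n' "$entry" ;;              # dot-prefixed (e.g. /dev/.id)
            *[![:space:]]*) ;;                          # has a non-blank char: ordinary name
            *) printf '%s\n' "$entry" ;;               # whitespace-only name
        esac
    done
}

# Print (with line numbers) every line of $1 that mentions a /dev path whose
# next component starts with a dot or a blank. Legitimate references such as
# /dev/null or /dev/tty1 do not match.
rc_local_dev_refs() {
    grep -nE '/dev/(\.|[[:space:]])' "$1"
}

# Build a constructed sample tree (labelled as such) and run both checks on it.
demo_constructed_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev/.id" "$t/dev/   " "$t/dev/pts"
    printf '#!/bin/sh\n/dev/.id/start >/dev/null 2>&1 &\n' > "$t/rc.local"
    echo "== suspicious directories under $t/dev (constructed sample) =="
    find_odd_dev_dirs "$t/dev"
    echo "== rc.local lines referencing hidden /dev paths =="
    rc_local_dev_refs "$t/rc.local"
    rm -rf "$t"
}

[ "${1:-}" = "--demo" ] && demo_constructed_tree
```

Run it as `sh check_dev.sh --demo` to see the heuristics against the constructed sample, or call `find_odd_dev_dirs /mnt/image/dev` and `rc_local_dev_refs /mnt/image/etc/rc.d/rc.local` against an image. For the replaced binaries the post lists (su, netstat, ls, ps, ifconfig), the natural cross-check on a Red Hat system is `rpm -Va` run from a known-good rpm binary on clean media, since the on-disk copies of ls, ps and the like can no longer be trusted to report on themselves.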
Current thread:
- Anyone know this rootkit (rootkits?) Steve Bougerolle (Jul 25)
- Re: Anyone know this rootkit (rootkits?) SilentCreek (Jul 25)
- Re: Anyone know this rootkit (rootkits?) Anton A. Chuvakin (Jul 26)
- Re: Anyone know this rootkit (rootkits?) (details and files attached) Steve Bougerolle (Jul 26)