Security Incidents mailing list archives

Anyone know this rootkit (rootkits?)

From: Steve Bougerolle <steveb () creek-and-cowley com>
Date: 25 Jul 2002 23:26:27 +0800

I was trying to fix up a crashed Red Hat linux 7.2 server for a client today, and
after a bit of fiddling discovered what looks pretty clearly like a
rootkit.  It had files stored in /dev/\ \ \ , modified a bunch of
binaries including su, netstat, ls, ps, and ifconfig, and installed some
sort of sshd trojan in a whole bunch of places.  Sound familiar to
anyone?  (ie, who knows where I can learn more about it?)

While cleaning up the mess with that, things still weren't working so I
looked farther and discovered ANOTHER bunch of covert directories,
called /dev/.id, /dev/.sh and /dev/.so (IIRC).  These were linked to an
entry in the rc.local boot script which powered up something in /dev/.id
(didn't have time to note the details yet, sorry).

Anyone hear of these?  Is this one rootkit or more than one?

-- 
Steve Bougerolle
Creek & Cowley Consulting

http://www.creek-and-cowley.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Anyone know this rootkit (rootkits?) Steve Bougerolle (Jul 25)
- Re: Anyone know this rootkit (rootkits?) SilentCreek (Jul 25)
- Re: Anyone know this rootkit (rootkits?) Anton A. Chuvakin (Jul 26)
- Re: Anyone know this rootkit (rootkits?) (details and files attached) Steve Bougerolle (Jul 26)
  - Re: Anyone know this rootkit (rootkits?) (details and files attached) steveg (Jul 26)