Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Anyone know this rootkit (rootkits?)

From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Fri, 26 Jul 2002 09:37:03 -0400 (EDT)
Steve and all,


rootkit.  It had files stored in /dev/\ \ \ , modified a bunch of
binaries including su, netstat, ls, ps, and ifconfig, and installed some
sort of sshd trojan in a whole bunch of places.  Sound familiar to
anyone?  (ie, who knows where I can learn more about it?)

Yeah, it fact it sounds like most rootkits I've seen.


While cleaning up the mess with that, things still weren't working so I
looked farther and discovered ANOTHER bunch of covert directories,

Sure, some kits deploy a sniffer in one place, sshd in another, adore
(have you found anyth kernel-level?) in yet another place.


Anyone hear of these?  Is this one rootkit or more than one?

It can be one  or it can be more. If you had no Tripwire/integrity
checking software there is no way to _reliably_ find all traces of the
penetreation. In fact, even if you do have it - it is still not likely.
Rebuilding the box is the most popular advice given in this list ;-)

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: