Security Incidents mailing list archives

speaking of rootkits


From: jlewis () lewis org
Date: Sat, 28 Jun 2003 13:43:26 -0400 (EDT)

I've recently encountered a rootkit I've not seen before.  It's a linux
one that replaces a bunch of binaries in /bin (things like ls, cp, grep, 
hostname, df, dd, and a bunch of others).  The feature I haven't seen 
before is that if you replace one of these binaries with a non-rootkit 
version, the file is re-replaced within seconds.  Also, executing one of 
them (ls for instance) while the system is booted single user will cause 
network modules to be loaded, eth0 to be put in promiscuous mode, and a 
bunch of net-pf-14 module requests.  

Anyone else seen/encountered this?  I have copies of the rootkit binaries, 
but no source, and I haven't had the time yet to put them on a disposable 
system and closely monitor what they do and how the re-replacement works.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |  
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
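A defender's check for the two symptoms Jon describes, as an added example that is not part of the original message and not Jon's code: hash the named /bin binaries against a baseline and poll repeatedly so a binary that is swapped back within seconds of being cleaned still shows up, and scan syslog lines for promiscuous-mode and net-pf-14 modprobe messages. The syslog wording and the sample log lines are assumptions modelled on 2.4-era output, not captures from the incident.

```python
import hashlib
import os
import re
import time

# Binaries named in the post; bindir is passed in so this runs against /bin or a scratch copy.
WATCHED = ["ls", "cp", "grep", "hostname", "df", "dd"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(bindir, names=WATCHED):
    """Hash each watched binary; a missing file is recorded as None."""
    paths = {n: os.path.join(bindir, n) for n in names}
    return {n: sha256_of(p) if os.path.exists(p) else None for n, p in paths.items()}

def changed_since(base, bindir):
    """Names whose current hash differs from the recorded baseline."""
    now = baseline(bindir, list(base))
    return sorted(n for n in base if now[n] != base[n])

def watch(base, bindir, seconds, interval=1.0):
    """Poll repeatedly: a binary swapped back 'within seconds' of being cleaned shows up on a later poll."""
    seen, end = set(), time.time() + seconds
    while time.time() < end:
        seen.update(changed_since(base, bindir))
        time.sleep(interval)
    return sorted(seen)

# Syslog traces of the other symptoms; wording is an assumption modelled on 2.4-era kernel/modprobe output.
PROMISC_RE = re.compile(r"device (\S+) entered promiscuous mode")
NETPF_RE = re.compile(r"Can't locate module (net-pf-\d+)")

def suspicious_log_lines(lines):
    """Return (kind, detail) pairs for promiscuous-mode and net-pf-* module request events."""
    checks = (("promisc", PROMISC_RE), ("modprobe", NETPF_RE))
    return [(kind, m.group(1)) for line in lines for kind, rx in checks if (m := rx.search(line))]

# Constructed sample syslog lines, not real captures from the incident.
SAMPLE_LOG = [
    "Jun 28 13:40:01 host kernel: device eth0 entered promiscuous mode",
    "Jun 28 13:40:01 host modprobe: modprobe: Can't locate module net-pf-14",
    "Jun 28 13:40:02 host sshd[412]: Accepted publickey for jon from 10.0.0.5",
]
```

Run the baseline from known-good media (or a copy of the binaries taken before the compromise), since a baseline taken from the infected system simply records the rootkit's files as normal.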



