Re: RootKits Question

From: Devdas Bhagat (devdas@worldgatein.net)
Date: 08/01/01


From: Devdas Bhagat <devdas@worldgatein.net>
To: "Nick Lange" <nlange@usb.com>, <focus-linux@securityfocus.com>
Subject: Re: RootKits Question
Date: Wed, 1 Aug 2001 22:33:12 +0530
Message-Id: <01080122361601.14517@office.interoffice>

On Wed, 01 Aug 2001, Nick Lange spewed into the ether:
> Does anyone know of any rootkits off the top of their head that leave a
> /sbin/a.out behind?
I think the incidents list might be a better place for this.
I don't know of any such kit.

> I'm fairly certain I got rooted two days ago (didn't look at yesterdays
> security report like an idiot...)
> the md5 / file checks show a new file, /sbin/a.out with MD5
> 0x4b689a480ff3ff85862e94d05125ac26 : /sbin/a.out
strings on a.out? Command history, if any is left?

> The machine was a redhat install but patched up from all relevant security
> advisories (or so I thought, the only one I can see is maybe xinetd)...
netstat, lsof, fuser?

> I left sshd, apache + php 4.0.6,datapipe.c (see www.rootshell.com / search),
> mysql*[I meant to firewall that off but never got around to it] listening on
> the external interface, and I *had* no local users so it has to be something
> there...
Anyother admin compiling something in /sbin? You doing something like
this?

> anyone seen anything? a quick search for /sbin/a.out reveals nothing
> it may have been datapipe.c but I doubt that as well, as it's simply a port
> forwarder [for auth port]
Move to a throwaway machine and strace it. strings a.out might help,
and maybe gdb a.out.
See if you can see any more new files, particularly *.[cC]*

Devdas Bhagat



Relevant Pages

  • Re: RootKits Question
    ... Subject: RootKits Question ... to compile and you typed: ... If you want to find out more about this exectable type use the strings ... The first command will list all the strings in the executable, ...
    (Focus-Linux)
  • RootKits Question
    ... Subject: RootKits Question ... Does anyone know of any rootkits off the top of their head that leave a ... security report like an idiot...) ... forwarder [for auth port] ...
    (Focus-Linux)