zoot - malignant kernel module

From: Ragnar Wisløff (ragnar@wisloff.no)
Date: 11/03/01

Message-Id: <200111032142.WAA02772@mail47.fg.online.no>
From: Ragnar Wisløff <ragnar@wisloff.no>
To: <focus-linux@lists.securityfocus.com>
Subject: zoot - malignant kernel module
Date: Sat, 3 Nov 2001 22:41:14 +0100


I've looked in vain around the net for some info on a kernel module and
probably root kit identified as "zoot".

Some symptoms on a RHL 6.2 running 2.2.19 and with most updates applied:

pop3 (imap-2000-3.phall) not responding
netstat segfaulting
inetd.conf empty
dmesg showed: zootsniff uses obsolete (PF_INET,SOCK_PACKET)
rc.sysinit modified, a line probably loading the module had been added
a number of .zoot* files in /

Anyone seen this? What does it do? Any info appreciated.

Ragnar Wisløff
life is a reach. then you gybe
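
The symptom list in the post above, turned into a read-only triage check; this is an added example, not part of the original message and not code from the poster. Assumptions: the function names, the output labels, the `/etc/inetd.conf` and `/etc/rc.d/rc.sysinit` locations, a known-good copy of rc.sysinit to compare against, and the constructed sample tree (including the placeholder module name).

```sh
#!/bin/sh
# Usage: zoot_triage ROOT DMESG_FILE [KNOWN_GOOD_RC_SYSINIT]
# ROOT is the suspect filesystem, ideally mounted read-only on a clean host,
# since tools on the affected system (netstat in the post) may be tampered with.
zoot_triage() {
    root=${1%/}; dmesg_file=$2; good_rc=$3

    # ".zoot*" files directly under the root directory
    for f in "$root"/.zoot*; do
        if [ -e "$f" ]; then echo "FILE $f"; fi
    done

    # inetd.conf present but without a single active (non-comment) line
    conf="$root/etc/inetd.conf"
    if [ -f "$conf" ] && ! grep -Eqv '^[[:space:]]*(#|$)' "$conf"; then
        echo "EMPTY $conf"
    fi

    # Kernel log: any program that opened the obsolete SOCK_PACKET socket type
    if [ -f "$dmesg_file" ]; then
        sed -n '/uses obsolete (PF_INET,SOCK_PACKET)/s/^/SNIFF /p' "$dmesg_file"
    fi

    # rc.sysinit lines that are absent from the known-good copy
    rc="$root/etc/rc.d/rc.sysinit"
    if [ -f "$rc" ] && [ -f "$good_rc" ]; then
        diff "$good_rc" "$rc" | sed -n 's/^> /RC-ADDED /p'
    fi
    return 0
}

# Constructed sample tree reproducing the reported symptoms (not real data).
zoot_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/etc/rc.d"
    : > "$d/root/.zoot1"                 # constructed file name
    : > "$d/root/etc/inetd.conf"         # emptied, as reported
    printf '%s\n' '#!/bin/sh' 'echo boot' > "$d/good.rc"
    printf '%s\n' '#!/bin/sh' '/sbin/insmod PLACEHOLDER.o' 'echo boot' \
        > "$d/root/etc/rc.d/rc.sysinit"
    printf '%s\n' 'eth0: link up' \
        'zootsniff uses obsolete (PF_INET,SOCK_PACKET)' > "$d/dmesg.txt"
    zoot_triage "$d/root" "$d/dmesg.txt" "$d/good.rc"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then zoot_triage "$@"; fi
```

A SNIFF line names whichever program opened the socket, so legitimate older capture tools produce it too; the signal is a name nobody installed.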