fun with posiden rootkit
From: Olaf Schreck (chakl@syscall.de)
Date: 03/25/02
- Previous message: Alvin Oga: "watching them -after the fact"
- Next in thread: Alvin Oga: "Re: fun with posiden rootkit"
- Reply: Alvin Oga: "Re: fun with posiden rootkit"
- Reply: Skip Carter: "Re: fun with posiden rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 25 Mar 2002 20:01:35 +0100
From: Olaf Schreck <chakl@syscall.de>
To: incidents@securityfocus.com
Hi,
Today I cleaned up a freshly rooted (old and unmaintained) RedHat box.
Found a "posiden rootkit" with the usual stuff inside (modified ps, top,
find, netstat, ifconfig, syslogd, sshd; plus linsniffer, z2, wted, ..)
Rootkit config files were named /dev/ptyp, /dev/ptyr etc. Nothing fancy..
Now the fun part: Imagine my surprise finding /sbin/ifconfig being a
text file that said:
"This file was infected with a virus.
The file was quarantined by Norton AntiVirus.
Fri Oct 26 15:53:10 2001"
Sure enough, this ifconfig "binary" was already included in the rootkit
tar file. As we have never heard of Norton AntiVirus for Linux, we tend
to believe that poor kiddie downloaded the rootkit to his Windows box,
where his own antivirus software shot him in the foot.
Stupid, eh?
ciao,
chakl
--
I don't know why more people don't use tcpdump to debug these sorts of situations...does it need to be called something else? ipdebug? -- Darren Reed

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
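The two traces the post describes, a system binary that is no longer an ELF executable and rootkit config files dropped as regular files under /dev, can be checked for mechanically; the script below is an added example written for this thread, not anything from the list or the rootkit, and it builds its own constructed sandbox (fake sbin and dev directories under a temp dir) so it runs without touching the real system.

```python
import os, shutil, stat, tempfile

ELF_MAGIC = b"\x7fELF"
# Binaries the post names as replaced by the rootkit.
SUSPECT_BINARIES = ["ps", "top", "find", "netstat", "ifconfig", "syslogd", "sshd"]

def is_elf(path):
    """True if the file starts with the ELF magic bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False

def check_binaries(paths):
    """Paths that exist as regular files but are not ELF executables."""
    return [p for p in paths if os.path.isfile(p) and not is_elf(p)]

def check_dev(dev_dir):
    """Regular files directly under dev_dir: /dev should hold only device
    nodes, directories and symlinks, so a plain file there is worth a look."""
    return [os.path.join(dev_dir, n) for n in sorted(os.listdir(dev_dir))
            if stat.S_ISREG(os.lstat(os.path.join(dev_dir, n)).st_mode)]

def build_sandbox(root):
    """Constructed layout mirroring the post: a fake sbin holding an ELF 'ps'
    and a text 'ifconfig', and a fake dev holding a regular-file 'ptyp'."""
    sbin, dev = os.path.join(root, "sbin"), os.path.join(root, "dev")
    os.makedirs(sbin)
    os.makedirs(os.path.join(dev, "pts"))  # a directory: must not be flagged
    with open(os.path.join(sbin, "ps"), "wb") as f:
        f.write(ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)  # e_ident stub only
    with open(os.path.join(sbin, "ifconfig"), "w") as f:
        f.write("This file was infected with a virus.\n")
    with open(os.path.join(dev, "ptyp"), "w") as f:
        f.write("# constructed rootkit config\n")
    return sbin, dev

def run_demo():
    """Build the sandbox, run both checks, clean up; return flagged basenames."""
    root = tempfile.mkdtemp()
    try:
        sbin, dev = build_sandbox(root)
        bad = check_binaries([os.path.join(sbin, b) for b in SUSPECT_BINARIES])
        dropped = check_dev(dev)
    finally:
        shutil.rmtree(root)
    return [os.path.basename(p) for p in bad], [os.path.basename(p) for p in dropped]
```

The ELF check only catches the text-file case from the post; a trojaned ps or netstat is still a valid ELF, so on a real box compare against package-manager metadata or hashes from a clean install. Review /dev hits by hand, since older distributions kept a few legitimate regular files there (for example /dev/MAKEDEV).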