Re: fun with posiden rootkit

From: Alvin Oga (alvin.sec@Mail.Linux-Consulting.com)
Date: 03/25/02


Date: Mon, 25 Mar 2002 13:44:56 -0800 (PST)
From: Alvin Oga <alvin.sec@Mail.Linux-Consulting.com>
To: Olaf Schreck <chakl@syscall.de>


hi olaf

ifconfig could have just been replaced with a text file
too ... that when you reboot... the machine won't get online
since ifconfig is not there to set up the network ??

or more likely, as you say, they shot themselves in the foot

other anti-virus software running on Linux
        http://www.Linux-Sec.net/Mail/#AntiVirus

c ya
alvin

- sometimes checking failed script-kiddies can be entertaining, if time
  permits, to look around for any funny stuff

On Mon, 25 Mar 2002, Olaf Schreck wrote:

> Hi,
>
> Today I cleaned up a freshly rooted (old and unmaintained) RedHat box.
> Found a "posiden rootkit" with the usual stuff inside (modified ps, top,
> find, netstat, ifconfig, syslogd, sshd; plus linsniffer, z2, wted, ..)
> Rootkit config files were named /dev/ptyp, /dev/ptyr etc. Nothing fancy..
>
> Now the fun part: Imagine my surprise finding /sbin/ifconfig being a
> text file that said:
>
> "This file was infected with a virus.
> The file was quarantined by Norton AntiVirus.
> Fri Oct 26 15:53:10 2001"
>
> Sure enough, this ifconfig "binary" was already included in the rootkit
> tar file. As we have never heard of Norton AntiVirus for Linux, we tend
> to believe that poor kiddie downloaded the rootkit to his Windows box,
> where his own Antivirus software shot him in the foot.
>
> Stupid, eh?
>
>
> ciao,
> chakl
> --
> I don't know why more people don't use tcpdump to debug these sorts of
> situations...does it need to be called something else? ipdebug?
> -- Darren Reed
>
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
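The two indicators Olaf describes (rootkit config files dropped into /dev under pty-like names, and /sbin/ifconfig that is no longer a binary at all) are easy to check for mechanically. The script below is an added example written for this page, not code from either poster or from the rootkit; the function names and the constructed sample tree are assumptions for the demonstration. It points the checks at an arbitrary root directory so it can be run against a mounted image of the box rather than on the live, possibly trojaned, system. The ELF check reads the magic bytes with od instead of calling file(1), but od and find are themselves binaries that a kit could replace, so on a live host run it from trusted media or a statically linked toolset.

```shell
#!/bin/sh
# Added example, not from the original thread. Triage checks for a Linux root
# at $ROOT (a mounted image, or / on a live host), covering two rootkit
# indicators described in the thread:
#   1. regular files living in /dev (e.g. the kit's /dev/ptyp, /dev/ptyr configs)
#   2. system binaries that no longer start with the ELF magic (here ifconfig
#      replaced by a plain text file).

# Print regular files under $1/dev, sorted. /dev should hold only device nodes,
# directories, symlinks, sockets and fifos; a regular file is worth a look
# (a few old distros keep MAKEDEV there, so review the list rather than act on it).
find_regular_files_in_dev() {
    root="$1"
    find "$root/dev" -type f 2>/dev/null | sort
}

# Return 0 if file $1 begins with the ELF magic 7f 45 4c 46, 1 otherwise.
is_elf() {
    magic=$(od -A n -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Print each path (given relative to root $1, e.g. sbin/ifconfig) that exists
# but is not an ELF executable. Missing paths are skipped.
find_non_elf_binaries() {
    root="$1"; shift
    for rel in "$@"; do
        p="$root/$rel"
        [ -e "$p" ] || continue
        if ! is_elf "$p"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Build a constructed sample tree under $1 that mimics the compromised box:
# config files in /dev, a quarantine notice where ifconfig should be, and
# files carrying the ELF magic standing in for intact binaries.
make_sample_root() {
    dir="$1"
    mkdir -p "$dir/dev" "$dir/sbin" "$dir/bin"
    printf '3 linsniffer\n' > "$dir/dev/ptyp"          # constructed kit config
    printf '2 31337\n'      > "$dir/dev/ptyr"          # constructed kit config
    ln -s /proc/self/fd "$dir/dev/fd"                  # legitimate symlink, not flagged
    printf 'This file was infected with a virus.\n' > "$dir/sbin/ifconfig"
    printf '\177ELF' > "$dir/bin/ps"
    printf '\177ELF' > "$dir/bin/netstat"
}

# Usage when run directly: build the sample tree and report on it.
if [ "${0##*/}" = "rootkit_triage.sh" ]; then
    ROOT=$(mktemp -d)
    make_sample_root "$ROOT"
    echo "regular files in /dev:"
    find_regular_files_in_dev "$ROOT"
    echo "non-ELF system binaries:"
    find_non_elf_binaries "$ROOT" sbin/ifconfig bin/ps bin/netstat bin/ls
    rm -rf "$ROOT"
fi
```

Against a real image, call the two functions with the mount point as the root and a list such as bin/ps bin/ls bin/netstat sbin/ifconfig sbin/syslogd usr/sbin/sshd; anything listed deserves comparison against a clean package copy (rpm -V on a trusted rpm, or a known-good checksum), since a file can keep the ELF header and still be a trojaned build.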
