Anyone know this rootkit (rootkits?)

From: Steve Bougerolle (steveb@creek-and-cowley.com)
Date: 07/25/02

• Previous message: Patrick Andry: "Re: Bind 9.2.X exploit???"
• Next in thread: SilentCreek: "Re: Anyone know this rootkit (rootkits?)"
• Reply: SilentCreek: "Re: Anyone know this rootkit (rootkits?)"
• Reply: Anton A. Chuvakin: "Re: Anyone know this rootkit (rootkits?)"
• Reply: Steve Bougerolle: "Re: Anyone know this rootkit (rootkits?) (details and files attached)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Steve Bougerolle <steveb@creek-and-cowley.com>
To: incidents@securityfocus.com
Date: 25 Jul 2002 23:26:27 +0800

I was trying to fix up a crashed Red Hat linux 7.2 server for a client today, and
after a bit of fiddling discovered what looks pretty clearly like a
rootkit. It had files stored in /dev/\ \ \ , modified a bunch of
binaries including su, netstat, ls, ps, and ifconfig, and installed some
sort of sshd trojan in a whole bunch of places. Sound familiar to
anyone? (ie, who knows where I can learn more about it?)

While cleaning up the mess with that, things still weren't working so I
looked farther and discovered ANOTHER bunch of covert directories,
called /dev/.id, /dev/.sh and /dev/.so (IIRC). These were linked to an
entry in the rc.local boot script which powered up something in /dev/.id
(didn't have time to note the details yet, sorry).

Anyone hear of these? Is this one rootkit or more than one?

-- 
Steve Bougerolle
Creek & Cowley Consulting
http://www.creek-and-cowley.com
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

---

• Previous message: Patrick Andry: "Re: Bind 9.2.X exploit???"
• Next in thread: SilentCreek: "Re: Anyone know this rootkit (rootkits?)"
• Reply: SilentCreek: "Re: Anyone know this rootkit (rootkits?)"
• Reply: Anton A. Chuvakin: "Re: Anyone know this rootkit (rootkits?)"
• Reply: Steve Bougerolle: "Re: Anyone know this rootkit (rootkits?) (details and files attached)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: ssh or http connections from windows or solaris machines hang ... > But since you also have problems with Win ssh client and http for either, ... you might need to match mtu of the nic on your server with the mtu ... Connection closed by foreign host. ... Server: Apache/2.0.40 (Red Hat Linux) ... (comp.os.linux.networking) Re: Flushing Sockets in C? ... > It's basically a bunch of small send calls in rapid succession.... ... > the client. ... the server recieves the data... ... (comp.unix.programmer) How can I prevent TCP/IP from grouping together multiple SendText requests into one packet? ... Right now my client sends the word "UPDATE" to my server and the server ... then sends a bunch of packets that contain artist name, ... grouping lots of SendText requests into one TCP/IP packet and then it ... (comp.lang.pascal.delphi.misc) PrintDocument Problem - Need to print locally ... I understand there is no way for the Server to see the Client ... but I have a routine that generates a bunch of bar codes on ... (microsoft.public.dotnet.framework.aspnet) How to determine size of object? ... The server application needs to return a ... bunch of data to the client. ... persisting a collection to a string and then compressing the string for ... (comp.lang.basic.visual.misc)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > incidents  > 2002-07