Re: Anyone know this rootkit (rootkits?)
From: Anton A. Chuvakin (anton@chuvakin.org)
Date: 07/26/02
- Previous message: Alexandru Balan: "Re: Bind 9.2.X exploit???"
- In reply to: Steve Bougerolle: "Anyone know this rootkit (rootkits?)"
- Next in thread: Steve Bougerolle: "Re: Anyone know this rootkit (rootkits?) (details and files attached)"
Date: Fri, 26 Jul 2002 09:37:03 -0400 (EDT)
From: "Anton A. Chuvakin" <anton@chuvakin.org>
To: Steve Bougerolle <steveb@creek-and-cowley.com>
Steve and all,
>rootkit. It had files stored in /dev/\ \ \ , modified a bunch of
>binaries including su, netstat, ls, ps, and ifconfig, and installed some
>sort of sshd trojan in a whole bunch of places. Sound familiar to
>anyone? (ie, who knows where I can learn more about it?)
Yeah, in fact it sounds like most rootkits I've seen.
>While cleaning up the mess with that, things still weren't working so I
>looked farther and discovered ANOTHER bunch of covert directories,
Sure, some kits deploy a sniffer in one place, sshd in another, adore
(have you found anything kernel-level?) in yet another place.
>Anyone hear of these? Is this one rootkit or more than one?
It can be one or it can be more. If you had no Tripwire/integrity
checking software, there is no way to _reliably_ find all traces of the
penetration. In fact, even if you do have it, it is still not likely.
Rebuilding the box is the most popular advice given in this list ;-)
Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org
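The integrity-checking point above is the one practical lever the reply offers: without a trusted baseline of file hashes, modified binaries (ls, ps, netstat, ifconfig, su) and hidden directories such as /dev/"   " can only be found by luck. The following is an added example, not code from the original post or from Tripwire; it is a minimal baseline-and-compare checker in the spirit of Tripwire, plus a path scan for names made of whitespace. The fake filesystem tree, the file contents and the "trojaned" replacements are constructed in a temporary directory purely to demonstrate the mechanics; the function names are this example's own.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its hash, mode and size.
    Symlinks are skipped: a hash of the target would hide a retargeted link."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": st.st_mode,
                "size": st.st_size,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: changed content, new files, and files that vanished."""
    modified = sorted(
        k for k in baseline
        if k in current and baseline[k]["sha256"] != current[k]["sha256"]
    )
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def suspicious_names(root: Path) -> list:
    """Flag any path with a component that is empty after stripping whitespace or
    has leading/trailing whitespace, the classic /dev/"   " hiding trick."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            rel = (Path(dirpath) / name).relative_to(root)
            if any(part != part.strip() or not part.strip() for part in rel.parts):
                hits.append(str(rel))
    return sorted(hits)


def demo() -> dict:
    """Constructed scenario (not real system files): baseline a tiny fake tree,
    then simulate the behaviour described in the thread and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {
            "bin/ls": b"#!/bin/sh\necho real ls\n",
            "bin/ps": b"#!/bin/sh\necho real ps\n",
            "bin/netstat": b"#!/bin/sh\necho real netstat\n",
            "sbin/ifconfig": b"#!/bin/sh\necho real ifconfig\n",
            "usr/sbin/sshd": b"real sshd binary",
        }
        for rel, data in clean.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        baseline = build_baseline(root)  # in practice: stored offline, read-only

        # Simulated compromise: trojaned ps and ls, plus a hidden dir of spaces.
        (root / "bin/ps").write_bytes(b"#!/bin/sh\n/bin/ps.orig | grep -v sshd2\n")
        (root / "bin/ls").write_bytes(b"#!/bin/sh\n/bin/ls.orig \"$@\" | grep -v '^   $'\n")
        hidden = root / "dev" / "   "
        hidden.mkdir(parents=True)
        (hidden / "sshd").write_bytes(b"trojan sshd")

        report = compare(baseline, build_baseline(root))
        report["suspicious_names"] = suspicious_names(root)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat the reply itself makes still applies: run the comparison from a boot medium or another known-good host with the suspect disk mounted, and keep the baseline somewhere the attacker cannot rewrite, because a trojaned shell, libc or a kernel module like adore can feed the checker lies about the very files it is hashing.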
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com