speaking of rootkits

jlewis_at_lewis.org
Date: 06/28/03

Next message: Paolo Monti: "Re: possible new irc worm"
Date: Sat, 28 Jun 2003 13:43:26 -0400 (EDT)
To: Incidents List <incidents@securityfocus.com>

I've recently encountered a rootkit I've not seen before. It's a linux
one that replaces a bunch of binaries in /bin (things like ls, cp, grep,
hostname, df, dd, and a bunch of others). The feature I haven't seen
before is that if you replace one of these binaries with a non-rootkit
version, the file is re-replaced within seconds. Also, executing one of
them (ls for instance) while the system is booted single user will cause
network modules to be loaded, eth0 to be put in promiscuous mode, and a
bunch of net-pf-14 module requests.

Anyone else seen/encountered this? I have copies of the rootkit binaries,
but no source, and I haven't had the time yet to put them on a disposable
system and closely monitor what they do and how the re-replacement works.

----------------------------------------------------------------------
 Jon Lewis *jlewis@lewis.org*| I route
 System Administrator | therefore you are
 Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
