speaking of rootkits

jlewis_at_lewis.org
Date: 06/28/03

    Date: Sat, 28 Jun 2003 13:43:26 -0400 (EDT)
    To: Incidents List <incidents@securityfocus.com>
    
    

    I've recently encountered a rootkit I've not seen before. It's a Linux
    one that replaces a bunch of binaries in /bin (things like ls, cp, grep,
    hostname, df, dd, and a bunch of others). The feature I haven't seen
    before is that if you replace one of these binaries with a non-rootkit
    version, the file is re-replaced within seconds. Also, executing one of
    them (ls for instance) while the system is booted single user will cause
    network modules to be loaded, eth0 to be put in promiscuous mode, and a
    bunch of net-pf-14 module requests.

    Anyone else seen/encountered this? I have copies of the rootkit binaries,
    but no source, and I haven't had the time yet to put them on a disposable
    system and closely monitor what they do and how the re-replacement works.

    ----------------------------------------------------------------------
     Jon Lewis *jlewis@lewis.org*| I route
     System Administrator | therefore you are
     Atlantic Net |
    _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
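One defensive check a practitioner would want for the behaviour described in the post (trojaned binaries in /bin that are put back within seconds of being restored) is a hash baseline that is compared against the live tree and then re-polled for a few seconds after a restore. The script below is an added example, not code from the original post or from Atlantic Net; the directory, file names and the "good"/"trojaned" contents in the usage section are constructed for the demonstration. It assumes GNU `sha256sum` and `find`, and that the baseline was taken from known-good media: a baseline generated on the compromised host itself is worthless because the rootkit's own `ls`, `find` or `sha256sum` may be the ones answering.

```shell
#!/bin/sh
# Added example: baseline integrity check plus a short "re-replacement" watch.
# Not part of the original post. Assumes GNU coreutils (sha256sum, find).

# make_baseline DIR OUT
# Record "<sha256>  <path>" for every regular file under DIR into OUT.
# Run this from rescue media or with statically linked, trusted tools.
make_baseline() {
    dir=$1; out=$2
    find "$dir" -type f -exec sha256sum {} + | sort -k2 > "$out"
}

# check_baseline BASELINE
# Re-hash every path listed in BASELINE. Prints "MISMATCH <path>" for each
# file whose hash differs or that is missing; returns 1 if anything differed.
# (Files added after the baseline was taken are not caught by this check.)
check_baseline() {
    baseline=$1; rc=0
    while read -r hash path; do
        cur=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$cur" != "$hash" ]; then
            echo "MISMATCH $path"
            rc=1
        fi
    done < "$baseline"
    return $rc
}

# watch_rereplace FILE GOODHASH [SECONDS]
# After restoring FILE from clean media, poll it once a second for SECONDS
# (default 10). Returns 1 the moment its hash stops matching GOODHASH, which
# is the "re-replaced within seconds" symptom from the post; returns 0 if the
# file stayed intact for the whole window.
watch_rereplace() {
    file=$1; good=$2; secs=${3:-10}
    i=0
    while [ "$i" -lt "$secs" ]; do
        cur=$(sha256sum "$file" 2>/dev/null | cut -d' ' -f1)
        if [ "$cur" != "$good" ]; then
            echo "$file: hash changed again after ${i}s"
            return 1
        fi
        sleep 1
        i=$((i + 1))
    done
    return 0
}

# Constructed usage (stand-in for /bin): two "binaries", one trojaned later.
demo() {
    d=$(mktemp -d); b=$(mktemp)
    printf 'good ls\n' > "$d/ls"
    printf 'good cp\n' > "$d/cp"
    make_baseline "$d" "$b"
    check_baseline "$b" && echo "baseline clean"
    printf 'trojaned ls\n' > "$d/ls"          # simulate the rootkit swap
    check_baseline "$b" || echo "baseline check flagged a change"
    rm -rf "$d" "$b"
}
```

In practice the baseline would be written to read-only media at install time and the check run from a rescue boot; if `watch_rereplace` fails right after a restore, something still running on the box (a loadable module or a resident process) is doing the swapping, which is exactly the behaviour the post reports.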


