New Rootkit?

From: Probe Networks (jf_at_probe-networks.de)
Date: 10/16/03

    To: incidents@securityfocus.com
    Date: 16 Oct 2003 09:38:54 +0200
    
    

    Hello,

    we've just had a customer machine blasting some 50mbit into our lines
    with pretty high pps counts. After a short analysis we found out the
    init got replaced/backdoored and the original init was moved to
    /sbin/telinit. However the filesize on both files was the same. This is
    probably due to an LKM the rootkit uses to hide its existence.
    Chkrootkit did NOT find this rootkit. However it pointed us the right
    way saying the system had hidden processes running.
    After replacing init with a good version and updating the kernel we
    rebooted the box and found the hacked init as well as other programs of
    the rootkit being located in /etc/.MG/ (this directory was hidden
    before). Apparently this is a rootkit with a ddosnet touch.
    I've put up the files for further analysis at:
    http://81.2.144.1/rootkit/

    -- 
    Mit freundlichen Grüßen / With kind regards,
    Jonas Frey
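A minimal version of the hidden-process check that put the poster on the right track (chkrootkit's chkproc uses the same idea): PIDs that the kernel acknowledges through kill(pid, 0) but that do not appear in a listing of /proc point to something filtering readdir(). This is an added example, not code from the post or from chkrootkit; the PID sets in `demo()` are constructed so it runs offline, and `scan_live_system()` is the real thing for a Linux host.

```python
"""Hidden-PID detection by cross-checking /proc against kill(2).
Added example with constructed sample data; not from the original post."""
import os
from typing import Callable, Iterable, Set


def pids_from_proc_listing(entries: Iterable[str]) -> Set[int]:
    """Numeric /proc entries are PIDs; names like 'self' or 'sys' are skipped."""
    return {int(e) for e in entries if e.isdigit()}


def find_hidden_pids(visible: Set[int], probe: Callable[[int], bool],
                     max_pid: int) -> Set[int]:
    """A PID the probe confirms but the listing lacks is a hidden-process
    candidate: the discrepancy an LKM that filters /proc creates."""
    return {pid for pid in range(1, max_pid + 1)
            if probe(pid) and pid not in visible}


def live_probe(pid: int) -> bool:
    """kill(pid, 0) delivers no signal; it only reports existence.
    EPERM means the PID exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def scan_live_system(max_pid: int = None) -> Set[int]:
    """Run the check against the local /proc (Linux only)."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    visible = pids_from_proc_listing(os.listdir("/proc"))
    # Thread IDs answer kill(2) too but are not top-level /proc entries;
    # fold them in so multithreaded programs do not show up as false positives.
    for pid in list(visible):
        try:
            visible |= pids_from_proc_listing(os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited between listing and task lookup
    return find_hidden_pids(visible, live_probe, max_pid)


# Constructed sample: the kernel knows PIDs 1, 2, 42 and 1337, but the
# (filtered) /proc listing omits 1337.
SAMPLE_KERNEL_PIDS = {1, 2, 42, 1337}
SAMPLE_PROC_LISTING = ["1", "2", "42", "self", "cpuinfo", "sys"]


def demo() -> Set[int]:
    visible = pids_from_proc_listing(SAMPLE_PROC_LISTING)
    return find_hidden_pids(visible, SAMPLE_KERNEL_PIDS.__contains__, max_pid=2000)


if __name__ == "__main__":
    print("hidden PIDs in constructed sample:", sorted(demo()))
```

A short-lived process that exits between the listing and the probe can produce a one-off hit, so repeat the scan before treating a PID as hidden; and as the post shows, matching file sizes say nothing about integrity, so compare the replaced binaries against package-manager or known-good hashes rather than lengths.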
