Re: New Rootkit?
From: Thorsten Holz (thorsten.holz_at_mmweg.rwth-aachen.de)
Date: 10/16/03
- Previous message: Probe Networks: "New Rootkit?"
- In reply to: Probe Networks: "New Rootkit?"
- Next in thread: Eoghan Casey: "Re: New Rootkit?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Oct 2003 17:44:08 +0200
To: incidents@securityfocus.com
On Thu Oct 16 09:38:54 2003 Jonas Frey (Probe Networks) wrote:
> I've put up the files for further analysis at:
> http://81.2.144.1/rootkit/
Looks like a modified version of suckit:
$ strings init | grep -i suckit
Suckit uninstalled sucesfully!
$ strings init | grep -i ***
***: Can't allocate raw socket (%d)
***: Can't fork child (%d)
***: Failed to uninstall (%d)
***: Failed to hide pid %d (%d)
***: Failed to unhide pid %d (%d)
***: Can't open %s for read/write (%d)
***: IDT table read failed (offset 0x%08x)
***: Can't find sys_call_table[]
***: Can't find kmalloc()!
***: Can't read syscall %d addr
***: Out of kernel memory!
***: Got signal %d while manipulating kernel!
SuckIT ( http://hysteria.sk/sd/f/suckit ) was published in Phrack #58.
It doesn't depend on loadable kernel module support, works via
/dev/kmem...
"at" looks like imp:
"Imp is a denial of service tool which sends SYN floods. Some people
call this one slice3. Dynamically linked with libc5. By Sinkhole."
[from http://packetstormsecurity.nl/DoS/]
HTH,
thorsten
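The check above (strings(1) piped through grep) can be turned into a small triage script that fingerprints a binary on the distinctive SuckIT message templates rather than on the program name, since a modified build may have that name replaced. This is an added example, not code from the post or from SuckIT; the sample bytes and the marker list are constructed from the strings quoted above.

```python
import re

# Distinctive format strings from the SuckIT binary, taken from the strings
# output quoted in the post. The leading program-name prefix may differ in a
# modified build, so only the message part is matched.
SUCKIT_MARKERS = [
    "Suckit uninstalled sucesfully!",
    "Can't allocate raw socket (%d)",
    "IDT table read failed (offset 0x%08x)",
    "Can't find sys_call_table[]",
    "Can't find kmalloc()!",
    "Got signal %d while manipulating kernel!",
]


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Pull out runs of printable ASCII, the way strings(1) does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_markers(data: bytes, markers=SUCKIT_MARKERS) -> list[str]:
    """Return the markers found in the binary (case-insensitive substring)."""
    lowered = [s.lower() for s in extract_strings(data)]
    return [m for m in markers if any(m.lower() in s for s in lowered)]


def classify(data: bytes) -> str:
    """Rough verdict: several distinct templates together are hard to explain
    away as coincidence; a single hit deserves a closer look."""
    hits = match_markers(data)
    if len(hits) >= 3:
        return "likely SuckIT variant"
    if hits:
        return "possible SuckIT variant"
    return "no SuckIT markers"


# Constructed sample "binary": an ELF-like header, filler bytes, and three of
# the message templates with the program-name prefix renamed to "rk".
SAMPLE = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
          + b"rk: Can't find sys_call_table[]\x00"
          + b"\x90\x90\x00\x00"
          + b"rk: IDT table read failed (offset 0x%08x)\x00"
          + b"rk: Can't find kmalloc()!\x00")

if __name__ == "__main__":
    for marker in match_markers(SAMPLE):
        print("marker:", marker)
    print(classify(SAMPLE))
```

To run it against a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `classify`.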