Re: New Rootkit?
From: Eoghan Casey (eco_at_corpus-delicti.com)
Date: 10/16/03
- Previous message: Thorsten Holz: "Re: New Rootkit?"
- In reply to: Probe Networks: "New Rootkit?"
- Next in thread: Alvin Wong: "Re: New Rootkit?"
- Reply: Alvin Wong: "Re: New Rootkit?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 16 Oct 2003 11:45:46 -0400
To: Jonas Frey (Probe Networks) <jf@probe-networks.de>, incidents@securityfocus.com
This sounds like SucKIT (http://hysteria.sk/sd/f/suckit/) or a variant.
This has been in general use since last year. It injects itself
directly into kernel memory rather than using kernel loadable modules.
See the README (http://hysteria.sk/sd/f/suckit/readme):
Q: How can I make suckit run automatically on each reboot of the machine?
A: The generic way (as the install script does) is to
rename /sbin/init to /sbin/init<hidesuffix>, and place the sk binary
in place of /sbin/init, so suckit will become resident immediately
after boot. However, once it is resident, all such changes
will be stealthed ;) If you can't fiddle with /sbin/init, you
can still place the binary somewhere like
/etc/rc.d/rc3.d/S##<hidesuffix>
or such.
Eoghan Casey
On Thursday, October 16, 2003, at 03:38 AM, Jonas Frey (Probe Networks) wrote:
> Hello,
>
> we've just had a customer machine blasting some 50mbit into our lines
> with pretty high pps counts. After a short analysis we found out that
> init had been replaced/backdoored and the original init had been moved to
> /sbin/telinit. However, the filesize of both files was the same. This is
> probably due to an LKM the rootkit uses to hide its existence.
> Chkrootkit did NOT find this rootkit. However, it pointed us in the right
> direction by saying the system had hidden processes running.
> After replacing init with a good version and updating the kernel we
> rebooted the box and found the hacked init as well as other programs of
> the rootkit located in /etc/.MG/ (this directory was hidden
> before). Apparently this is a rootkit with a ddosnet touch.
> I've put up the files for further analysis at:
> http://81.2.144.1/rootkit/
>
>
> --
> Mit freundlichen Grüßen / With kind regards,
> Jonas Frey
>
>
> ---------------------------------------------------------------------------
> FREE Whitepaper: Better Management for Network Security
>
> Looking for a better way to manage your IP security?
> Learn how Solsoft can help you:
> - Ensure robust IP security through policy-based management
> - Make firewall, VPN, and NAT rules interoperable across heterogeneous networks
> - Quickly respond to network events from a central console
>
> Download our FREE whitepaper at:
> http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
> ---------------------------------------------------------------------------
>
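The "hidden processes" symptom that chkrootkit reported above is the one thing a kernel-resident rootkit of this kind has to lie about: ps(1) walks /proc, but kill(pid, 0) asks the kernel directly. The script below is an added example, not code from the thread, chkrootkit or SucKIT; it compares the two views on a Linux host and reports PIDs that answer kill() but are missing from the /proc listing. The default max_pid and the use of /proc/<pid>/status to filter out plain threads are assumptions documented in the code.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs that a directory listing of /proc reports (what ps(1) sees)."""
    return {int(n) for n in os.listdir(proc) if n.isdigit()}

def probed_pids(max_pid=32768):
    """PIDs the kernel admits exist when asked one by one with kill(pid, 0).
    EPERM still means the process is there. max_pid is an assumption; a real
    scan should read /proc/sys/kernel/pid_max instead."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def proc_tgid(pid):
    """Thread-group id from /proc/<pid>/status; falls back to pid itself
    when the entry cannot be read (a hidden process typically cannot)."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return pid

def hidden_pids(listed, probed, tgid_of=lambda pid: pid):
    """PIDs that answer kill() but are absent from the /proc listing.
    Thread ids also answer kill() yet never appear at the top level of
    /proc, so threads of a visible process are dropped to avoid false
    positives; anything else is reported for manual inspection."""
    suspects = []
    for pid in sorted(probed - listed):
        tgid = tgid_of(pid)
        if tgid != pid and tgid in listed:
            continue
        suspects.append(pid)
    return suspects

if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids(listed_pids(), probed_pids(), proc_tgid))
```

Processes that start or exit between the two passes show up as false positives, so repeat the scan a few times and only trust PIDs that persist; a hit is a reason to image the box and compare binaries against trusted media, since, as the report notes, file sizes alone did not change.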