Home page logo
/

basics logo Security Basics mailing list archives

Re: optic rootkit / xsf/xchk?
From: Leonardo Piacentini <l.piacentini () email it>
Date: Sat, 1 Nov 2003 01:13:56 +0100

Wed, 29 Oct 2003 16:55:24 +0100
Jan De Luyck <ml () kcore org> ha scritto:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Recently one of the rather old linux-boxes at my company got into trouble 
(didn't know it existed earlier). Did some checking, and the box has been 
rooted.

I've been looking for more information on this rootkit, but I have been unable 
to find anything besides this:

http://cert.uni-stuttgart.de/archive/incidents/2002/01/msg00148.html

So I'm wondering if anyone can tell me some more about this thing?

Reinstallation is planned to happen soon.

Thanks.

Jan

A lot of times it happens that there are rootkits which are not "standard", like t0rn, tux, etc... but they are 
restricted to a crew or something else. They could be made from modified binaries and other stuff taken from those kits 
anyway. I'd suggest you to keep an md5sum for binaries and system config files under /etc. Check also the presence of 
lkm.

Leo

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: optic rootkit / xsf/xchk? Leonardo Piacentini (Nov 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault