Security Incidents: Re: Anyone know this rootkit (rootkits?)

["Conjuror" <conjuror () myrealbox com>]

Hi,

i guess its the "tuxkit" rootkit, which the attacker has installed on ur
machine.
This rootkit as to my knowledge, opens up an ssh shell , replaces the
binaries ps,ls,su etc etc.
U might get some pointers on google if u search for tuxkit. Its a relatively
new rootkit...well not that new right now..!!
Hope that helps.

Cheers,
-Kartik.



> I was trying to fix up a crashed Red Hat linux 7.2 server for a client
today, and
> after a bit of fiddling discovered what looks pretty clearly like a
> rootkit.  It had files stored in /dev/\ \ \ , modified a bunch of
> binaries including su, netstat, ls, ps, and ifconfig, and installed some
> sort of sshd trojan in a whole bunch of places.  Sound familiar to
> anyone?  (ie, who knows where I can learn more about it?)
>
> While cleaning up the mess with that, things still weren't working so I
> looked farther and discovered ANOTHER bunch of covert directories,
> called /dev/.id, /dev/.sh and /dev/.so (IIRC).  These were linked to an
> entry in the rc.local boot script which powered up something in /dev/.id
> (didn't have time to note the details yet, sorry).
>
> Anyone hear of these?  Is this one rootkit or more than one?
>
> --
> Steve Bougerolle
> Creek & Cowley Consulting
>
> http://www.creek-and-cowley.com
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com