|
Security Incidents
mailing list archives
Re: Anyone know this rootkit (rootkits?)
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Fri, 26 Jul 2002 09:37:03 -0400 (EDT)
Steve and all,
rootkit. It had files stored in /dev/\ \ \ , modified a bunch of
binaries including su, netstat, ls, ps, and ifconfig, and installed some
sort of sshd trojan in a whole bunch of places. Sound familiar to
anyone? (ie, who knows where I can learn more about it?)
Yeah, it fact it sounds like most rootkits I've seen.
While cleaning up the mess with that, things still weren't working so I
looked farther and discovered ANOTHER bunch of covert directories,
Sure, some kits deploy a sniffer in one place, sshd in another, adore
(have you found anyth kernel-level?) in yet another place.
Anyone hear of these? Is this one rootkit or more than one?
It can be one or it can be more. If you had no Tripwire/integrity
checking software there is no way to _reliably_ find all traces of the
penetreation. In fact, even if you do have it - it is still not likely.
Rebuilding the box is the most popular advice given in this list ;-)
Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
|
Intro
