|
Security Incidents
mailing list archives
New Rootkit?
From: Jonas "Frey (Probe Networks)" <jf () probe-networks de>
Date: 16 Oct 2003 09:38:54 +0200
Hello,
we've just had a customer machine blasing some 50mbit into our lines
with pretty high pps counts. After a short analysis we found out the
init got replaced/backdoored and the original init was moved to
/sbin/telinit. However the filesize on both files was the same. This is
probably due to a lkm the rootkit uses to hide its existence.
Chkrootkit did NOT find this rootkit. However it pointed us the right
way saying the system had hidden processes running.
After replacing init with a good version and updating the kernel we
rebooted the box and found the hacked init as well as other programs of
the rootkit beeing located in /etc/.MG/ (this directory was hidden
before). Apparently this is a rootkit with a ddosnet touch.
I've put up the files for further analysis at:
http://81.2.144.1/rootkit/
--
Mit freundlichen Grüßen / With kind regards,
Jonas Frey
---------------------------------------------------------------------------
FREE Whitepaper: Better Management for Network Security
Looking for a better way to manage your IP security?
Learn how Solsoft can help you:
- Ensure robust IP security through policy-based management
- Make firewall, VPN, and NAT rules interoperable across heterogeneous
networks
- Quickly respond to network events from a central console
Download our FREE whitepaper at:
http://www.securityfocus.com/sponsor/Solsoft_incidents_031015
----------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
- New Rootkit? Frey (Probe Networks) (Oct 16)
|
Intro
