Security Incidents mailing list archives
rootkit entertainment
From: Alvin Oga <alvin.sec () Mail Linux-Consulting com>
Date: Tue, 5 Jun 2001 03:04:55 -0700 (PDT)
hi ya
i've been checking my tripwire logs more carefully
due to the other rootkit in my lan...
found another rootkit in another dns server at a different
domain/building/isp
- they installed cyberkit.tgz into /etc/named/
- i don't think they did anything... no other files found
( that server does not have tar installed :-)
- it is a rh-6.0 that was patched to bind-8.2.3-REL
but looks like the rpm patch failed ???
==>> don't trust that rpm finished properly ?? ===
- i reinstalled the bind patch again...
- for now... that's where i'm pointing the finger...
( that it's an oops...on patch installs across the net/lan
- there is also one ftp connect entry for that time
about 3 minutes before the time stamp for cyberkit.tgz
( wu-2.6.0(1) )
- time to patch that anonymous ftpd one ...
by now...
i think they've figured out that they need to bring along
a statically linked tar separately to unpack their kit...
have fun
alvin
http://www.Linux-Sec.net
my local copy:
http://Lsec.Linux-Consulting.com/Hacker_Tools_Found/
- the contents of cyberkit.tgz ( not listed at packetstorm either )
tar ztvf cyberkit.tgz
drwxr-xr-x 834/xfs 0 2001-05-22 23:03 CyberRK/
drwxr-xr-x 834/xfs 0 2000-09-13 02:50 CyberRK/dev/
-rw-r--r-- 834/xfs 26 2001-05-22 23:03 CyberRK/dev/.1addr
-rw-r--r-- 834/xfs 21 1999-09-09 08:48 CyberRK/dev/.1logz
-rw-r--r-- 834/xfs 60 2001-02-28 21:22 CyberRK/dev/.1proc
-rw-r--r-- 834/xfs 72 2000-06-16 21:55 CyberRK/dev/.1file
-rwxr-xr-x 834/xfs 57452 1999-03-29 14:05 CyberRK/find
-rwxr-xr-x 834/xfs 18 2001-04-16 11:21 CyberRK/hack
-rwxr-xr-x 834/xfs 53364 2001-04-11 00:15 CyberRK/netstat
-rwxr-xr-x 834/xfs 4568 2000-09-13 03:43 CyberRK/pg
-rwxr-xr-x 834/xfs 13184 2000-08-22 11:28 CyberRK/pstree
-rw-r--r-- 834/xfs 100424 2000-08-23 07:47 CyberRK/ssh.tgz
-rwxr-xr-x 834/xfs 1382 2000-07-24 23:07 CyberRK/sz
-rwxr-xr-x 834/xfs 7724 2001-05-22 23:03 CyberRK/t0rn
-rwxr-xr-x 834/xfs 266140 1999-04-03 10:09 CyberRK/top
-rwx------ 834/xfs 7165 1998-08-06 03:36 CyberRK/linsniffer
-rwx------ 834/xfs 75 1999-10-28 14:11 CyberRK/logclear
-rwxr-xr-x 834/xfs 4060 1999-03-05 06:59 CyberRK/sense
-rwx------ qmaill/502 8268 1999-10-16 06:13 CyberRK/sl3
drwxr-xr-x 711/users 0 2001-05-22 23:03 CyberRK/.t0rn/
.. end of list ...
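A small triage script for a listing like the one above, added here as an example (it is not from the post or from any tool the post mentions): it parses `tar ztvf` output and flags entries that replace system binaries, hidden dot-names, and mixed file ownership. The names find, netstat, pstree and top come from the listing; ps, ls, ifconfig and login are an assumption from general knowledge of t0rn-style kits.

```python
import re
from collections import namedtuple

# System tools this kit ships replacements for (find, netstat, pstree, top are
# in the listing above; ps, ls, ifconfig and login are an assumption drawn
# from general knowledge of t0rn-style kits, not from the post).
SHADOWED_BINARIES = {"find", "netstat", "pstree", "top", "ps", "ls", "ifconfig", "login"}

# One `tar ztvf` line: mode owner/group size date time path
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})\s+(?P<owner>[^/\s]+)/(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<path>.+)$")
Entry = namedtuple("Entry", "mode owner group size path")

def parse_listing(text):
    # Unparseable lines (e.g. the "tar ztvf ..." command line itself) are skipped.
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["mode"], m["owner"], m["group"],
                                 int(m["size"]), m["path"]))
    return entries
def triage(entries):
    # Return (path, reason) pairs an incident handler should look at first.
    findings = []
    for e in entries:
        name = e.path.rstrip("/").rsplit("/", 1)[-1]
        if e.mode.startswith("-") and name in SHADOWED_BINARIES:
            findings.append((e.path, "replacement for a system binary"))
        if name.startswith("."):
            findings.append((e.path, "hidden (dot) name"))
    owners = sorted({f"{e.owner}/{e.group}" for e in entries})
    if len(owners) > 1:
        # Files built under different accounts/machines: a repackaged kit.
        findings.append(("<archive>", "mixed ownership: " + ", ".join(owners)))
    return findings
# Sample input: a subset of the listing above (taken from the post, not constructed).
SAMPLE = """\
drwxr-xr-x 834/xfs 0 2001-05-22 23:03 CyberRK/
-rw-r--r-- 834/xfs 26 2001-05-22 23:03 CyberRK/dev/.1addr
-rwxr-xr-x 834/xfs 53364 2001-04-11 00:15 CyberRK/netstat
-rwxr-xr-x 834/xfs 266140 1999-04-03 10:09 CyberRK/top
-rwx------ qmaill/502 8268 1999-10-16 06:13 CyberRK/sl3
drwxr-xr-x 711/users 0 2001-05-22 23:03 CyberRK/.t0rn/
"""
if __name__ == "__main__":
    for path, reason in triage(parse_listing(SAMPLE)):
        print(f"{path}: {reason}")
```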