Security Incidents mailing list archives

KdS terminal logger


From: Michael Ducy <mfdii () yahoo com>
Date: Mon, 5 Apr 2004 20:57:08 -0700 (PDT)

I recently found a terminal logger (or keystroke logger, if you prefer) on a
machine I am responsible for. I was unable to find any information about it
and was wondering if anyone else has seen it. I believe the name of it is KdS.

It consists of 3 files: /usr/bin/swap, /.mount/sa1, and /.mount/libgc.so.
rc.sysinit (RedHat 7.3 machine) was modified to call /usr/bin/swap on line
647, right after swap is mounted. Running strings on /usr/bin/swap shows that
it cd's to /.mount, adds /.mount to the PATH, and calls /.mount/sa1.
/.mount/sa1 modifies the kernel space to intercept system calls to hide the
/.mount directory and the process from ps, top, etc. These "features" can be
turned on and off by running /.mount/sa1 and passing an f or p flag.
/.mount/sa1 watches the terminals (tty, pty, etc.) for calls to programs such
as scp, ssh, telnet, ftp, login, etc. The output of these programs is logged
to /.mount/libgc.so, which is just a plain text file.

There doesn't seem to be any network functionality to this program. Examining
the PID directory in /proc shows no open sockets (nor does netstat, but that
cannot really be trusted). I didn't pick up any packets coming across the
network when running tcpdump.

If anyone has any information regarding this kit, it
would be greatly appreciated. 

Thanks,
Michael
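The indicators in the post (the three files, the rc.sysinit hook, and a directory that the kit hides from listings) can be checked from a host with a small script. The following is an added example, not code from the post or from the kit; it assumes rc.sysinit lives at /etc/rc.d/rc.sysinit, and takes an optional root directory so the checks can be exercised against a constructed staging tree instead of the live system.

```shell
#!/bin/sh
# Defender-side checks for the KdS indicators described in the post.
# $1 is the filesystem root to inspect: empty for the live system, or a
# staging directory for offline testing.  The rc.sysinit path below is an
# assumption (the post does not give it).
KDS_FILES="/usr/bin/swap /.mount/sa1 /.mount/libgc.so"
RC_SYSINIT="/etc/rc.d/rc.sysinit"

# Print each of the three named files that exists; status 1 if any do.
kds_check_files() {
  root=$1; hits=0
  for f in $KDS_FILES; do
    if [ -e "$root$f" ]; then
      echo "file present: $f"; hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# The post's persistence trick: rc.sysinit edited to call /usr/bin/swap.
# Print the line number(s) where the call appears; status 1 if found.
kds_check_rc_sysinit() {
  root=$1; hits=0
  if [ -f "$root$RC_SYSINIT" ]; then
    for n in $(grep -n '/usr/bin/swap' "$root$RC_SYSINIT" | cut -d: -f1); do
      echo "rc.sysinit calls /usr/bin/swap on line $n"; hits=$((hits + 1))
    done
  fi
  [ "$hits" -eq 0 ]
}

# strings-style check: does the loader binary mention /.mount at all?
kds_check_swap_strings() {
  root=$1
  [ -f "$root/usr/bin/swap" ] || return 0
  if tr -c '[:print:]\n' '\n' < "$root/usr/bin/swap" | grep -q '/\.mount'; then
    echo "/usr/bin/swap references /.mount"; return 1
  fi
  return 0
}

# A kit that filters directory listings leaves the path itself reachable:
# stat() succeeds while ls -a does not show the entry.  Prints absent,
# visible or hidden; status 1 only for hidden.
kds_check_hidden_dir() {
  root=$1
  if [ ! -d "$root/.mount" ]; then echo absent; return 0; fi
  if ls -a "$root/" | grep -qx '\.mount'; then echo visible; return 0; fi
  echo hidden; return 1
}

# Run every check; status 0 means no indicator was found.
kds_scan() {
  root=$1; bad=0
  kds_check_files "$root" || bad=1
  kds_check_rc_sysinit "$root" || bad=1
  kds_check_swap_strings "$root" || bad=1
  if [ "$(kds_check_hidden_dir "$root")" = hidden ]; then bad=1; fi
  return $bad
}
```

Run as `kds_scan ""` on the suspect host; a hidden result from the directory check is the strongest sign the syscall hooking the post describes is active, since a file-presence check alone may be filtered by it.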



