New breed of Linux w0rmkit

From: Arthur Donkers (arthurat_private)
Date: Tue May 22 2001 - 00:15:23 PDT

    Hi All,
    
    Look what we found in our honeypot this morning:
    
    A new breed of the Linux w0rmkit that uses the adore module to hide itself.
    The backdoor listens on 12345 and is a 1.2.26 sshd with a preprogrammed
    password of h4ck3d!
    
    It is a more advanced version of the earlier w0rmkit since it uses the
    adore kernel based rootkit and chattr to make itself permanent on a system.
    It exploits the usual Linux vulnerabilities (the same scanner as w0rmkit)
    to gain access.
    
    Grtz,
    
    Arthur
    
    --
    /* Disclaimer :   you hire my skills, not my opinions, those are mine !    */
    /* email : arthurat_private    Security    'Me ? I'm not me ! I'm just a   */
    /* phone : (+31) 50 549 2701   is not a     computer simulation of me'     */
    /* URL http://www.reseau.nl   dirty word      Red Dwarf, First Episode     */
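
A triage sketch for the three indicators named in the message above (a listener on port 12345, an sshd reporting 1.2.26, files pinned with chattr), added here as an example and not part of the original post or the kit. It parses text in `/proc/net/tcp` and `lsattr` formats plus an SSH identification string; the sample inputs, paths, and the banner form `SSH-1.5-1.2.26` are assumptions constructed for illustration.

```python
import re

BACKDOOR_PORT = 12345       # port named in the post
SSHD_VERSION = "1.2.26"     # sshd version named in the post
ATTRS = re.compile(r"^[-A-Za-z]+$")   # shape of the lsattr flag column

def listening_ports(proc_net_tcp):
    """Local TCP ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines():
        f = line.split()
        if len(f) > 3 and f[3] == "0A" and ":" in f[1]:
            ports.add(int(f[1].rsplit(":", 1)[1], 16))   # port is hex
    return ports

def immutable_files(lsattr_output):
    """Paths whose lsattr flag column contains 'i' (set by chattr +i)."""
    hits = []
    for line in lsattr_output.splitlines():
        attrs, _, path = line.strip().partition(" ")
        if ATTRS.match(attrs) and "i" in attrs and path.strip():
            hits.append(path.strip())
    return hits

def banner_matches(banner):
    """True if an SSH identification string reports the version in the post."""
    m = re.match(r"SSH-\d+\.\d+-(\S+)", banner.strip())
    return m is not None and m.group(1) == SSHD_VERSION

def triage(proc_net_tcp, lsattr_output, banner):
    """Collect one finding per indicator that is present in the inputs."""
    findings = []
    if BACKDOOR_PORT in listening_ports(proc_net_tcp):
        findings.append("listener on tcp/%d" % BACKDOOR_PORT)
    findings += ["immutable: " + p for p in immutable_files(lsattr_output)]
    if banner_matches(banner):
        findings.append("sshd banner reports " + SSHD_VERSION)
    return findings

# Constructed sample inputs (not taken from the honeypot in the post).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 511
   1: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 977
   2: 0A000005:3039 0A000009:04D2 01 00000000:00000000 00:00000000 00000000     0        0 978
"""
SAMPLE_LSATTR = "-------- /sample/dir/ordinary\n----i--- /sample/dir/pinned\n"
SAMPLE_BANNER = "SSH-1.5-1.2.26\n"
```

Because the kit uses a kernel module to hide itself, output gathered on the live host may be incomplete; the functions take plain text so they can be fed data collected from another machine or from the disk mounted under a trusted system.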
    



    This archive was generated by hypermail 2b30 : Tue May 22 2001 - 08:37:26 PDT