Re: another rootkit

From: Michal Zalewski (lcamtufat_private)
Date: Sat Jun 02 2001 - 06:52:46 PDT


    On Fri, 1 Jun 2001, Alvin Oga wrote:
    
    > just was curious why I couldn't find any references on any of the
    > "unique" keywords ( maniac-Rk, grabb, ipz.gz ...
    
    I haven't seen it anywhere else, but it seems to be built using
    publicly available, common stuff...
    
    > -rwxr-xr-x   1 root     root         5043 Mar 23 07:18 addlen*
    
    This is a program to pad a replaced file with zeros to match its original
    size.
    
    > -rw-r--r--   1 root     root         5744 May 31 10:10 adore.o
    > -rwxr-xr-x   1 root     root        14248 May 31 10:10 ava*
    
    That is a pretty popular kernel-level backdoor, designed by stealth (two
    parts, kernel-space and user-space).
    
    > -rwxr-xr-x   1 root     root         1080 Mar 23 07:48 clear_logs*
    
    Hard to identify - pretty small, probably invokes vanish2 (is it a shell
    script?).
    
    > -rwxr-xr-x   1 root     root         7985 Mar 23 07:38 fix*
    
    This one is used to fix checksums of files (not md5 digests ;).
    
    > -rwxr-xr-x   1 root     root        10171 May  4 12:39 grabbb.gz*
    
    That would be a banner scanner, publicly available.
    
    > -rwxr-xr-x   1 root     root         5220 Jun  1 18:53 install.sh*
    
    ...and this script would invoke 'addlen' and 'fix' ;)
    
    > -rwxr-xr-x   1 root     root         4734 May  8 10:04 ipz.gz*
    
    /* members.xoom.com/i0wnu
     * IPZ by Mixter (c) 1999
     * Generates IP Addresses for Class A/B/C SubNets
     * in non-sequential order (for unnoticed scanning). */
    
    > -rwxr-xr-x   1 root     root        10496 Mar 23 07:48 pine.out*
    
    (unidentified, probably worth a look)
    
    > -rwxr-xr-x   1 root     root         9070 May  4 11:55 slice*
    
    This seems to be one of the DDoS attack proggies.
    
    > -rwxr-xr-x   1 root     root        15335 May 31 09:58 ping*
    
    Well, that would be the standard ping utility, I presume, carried for some
    reason.
    
    > -rw-r--r--   1 root     root        19700 Jun  1 18:03 snifflog
    > ---s--s--x   1 root     root        11869 Apr  4 19:10 sush*
    
    This one is pretty interesting. I know only a few exploits that use this
    name:
    
      - suidperl
      - old crontab exploit
      - Linux 2.2 capabilities exploit
    
    But the last two use /tmp, not the current directory, for creating 'sush'.
    
    > -rwxr-xr-x   1 root     root        12405 May 31 09:38 vanish2.gz*
    
    And that would be another log cleaner.
    
    > -rwxr-xr-x   1 root     root        58068 May 19 06:58 wget.gz*
    > -rwxr-xr-x   1 root     root        20445 Apr  2 12:24 bnc.gz*
    > -rwxr-xr-x   1 root     root        14319 May 31 10:05 tty*
    
    These proggies seem not to be harmful.
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
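As an added example (not code from this thread or from the tools it discusses), a baseline check in the spirit of the 'addlen' and 'fix' remarks above: a replacement binary padded with zeros to the original length passes an `ls -l` size comparison, and a weak checksum can be fixed up, but a cryptographic digest still changes and the padding itself is visible. The sample file contents, the `/bin/ps` baseline entry and the NUL-run threshold are constructed assumptions.

```python
import hashlib

# Constructed sample "files": an original binary and a replacement that was
# padded with zeros to the original length (what an 'addlen'-style tool does).
ORIGINAL = b"\x7fELF" + b"original-ps-binary-code" * 20
REPLACEMENT = b"\x7fELF" + b"trojaned-ps" * 10
PADDED = REPLACEMENT + b"\x00" * (len(ORIGINAL) - len(REPLACEMENT))

# Assumed baseline taken from a known-good system: path -> (size, sha256 hex).
BASELINE = {"/bin/ps": (len(ORIGINAL), hashlib.sha256(ORIGINAL).hexdigest())}

# Threshold is an assumption; tune it against known-good binaries on the host.
NUL_RUN_THRESHOLD = 64


def trailing_nul_run(data: bytes) -> int:
    """Length of the run of NUL bytes at the very end of the file."""
    return len(data) - len(data.rstrip(b"\x00"))


def compare_to_baseline(name: str, data: bytes, baseline: dict) -> list:
    """Compare one file's bytes against its baseline entry.

    Returns a list of findings; an empty list means the file matches."""
    size, digest = baseline[name]
    findings = []
    if hashlib.sha256(data).hexdigest() != digest:
        findings.append("sha256 mismatch")
        if len(data) == size:
            # Same size but different content is exactly what size-padding
            # a replacement binary is meant to hide from size-only checks.
            findings.append("size unchanged despite content change")
    run = trailing_nul_run(data)
    if run >= NUL_RUN_THRESHOLD:
        findings.append(f"{run} trailing NUL bytes (possible padding)")
    return findings


if __name__ == "__main__":
    for label, data in (("clean", ORIGINAL), ("padded", PADDED)):
        print(label, compare_to_baseline("/bin/ps", data, BASELINE) or ["ok"])
```

On a real host the same comparison would read the files from disk and the baseline from a digest list kept off the machine, since a rootkit with kernel-level file hiding can lie to a checker that runs locally.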
    
    This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 09:47:39 PDT