hi Michal ... thanx for your comments.

when i poked around with each individual keyword, i was surprised ... i found stuff NOT in google and alltheweb. was hoping to find maniac-rk ... did find ava.c source code.

pine.out i think is just a mailer - didn't go poking around.

this rootkit package comes with its own tar too .... and wget can be used by them to download additional stuff from their website to the host they are targeting ...

have fun
alvin
http://www.Linux-Sec.net

On Sat, 2 Jun 2001, Michal Zalewski wrote:

> On Fri, 1 Jun 2001, Alvin Oga wrote:
>
> > just was curious why i couldn't find any references on any of the
> > "unique" keywords ( maniac-Rk, grabb, ipz.gz ...
>
> I haven't seen it anywhere else, but it seems to be built using
> publicly available, common stuff...
>
> > -rwxr-xr-x 1 root root 5043 Mar 23 07:18 addlen*
>
> This is a program to pad a replaced file with zeros to match its original
> size.
>
> > -rw-r--r-- 1 root root 5744 May 31 10:10 adore.o
> > -rwxr-xr-x 1 root root 14248 May 31 10:10 ava*
>
> That is a pretty popular kernel-level backdoor, designed by stealth (two
> parts, kernel-space and user-space).
>
> > -rwxr-xr-x 1 root root 1080 Mar 23 07:48 clear_logs*
>
> Hard to identify - pretty small, probably invokes vanish2 (is it a shell
> script?).
>
> > -rwxr-xr-x 1 root root 7985 Mar 23 07:38 fix*
>
> This one is used to fix checksums of files (not md5 digests ;).
>
> > -rwxr-xr-x 1 root root 10171 May 4 12:39 grabbb.gz*
>
> That would be a banner scanner, publicly available.
>
> > -rwxr-xr-x 1 root root 5220 Jun 1 18:53 install.sh*
>
> ...and this script would invoke 'addlen' and 'fix' ;)
>
> > -rwxr-xr-x 1 root root 4734 May 8 10:04 ipz.gz*
>
> /* members.xoom.com/i0wnu
>  * IPZ by Mixter (c) 1999
>  * Generates IP Addresses for Class A/B/C SubNets
>  * in non-sequential order (for unnoticed scanning).
>  */
>
> > -rwxr-xr-x 1 root root 10496 Mar 23 07:48 pine.out*
>
> (unidentified, probably worth a look)
>
> > -rwxr-xr-x 1 root root 9070 May 4 11:55 slice*
>
> This seems to be one of the DDoS attack proggies.
>
> > -rwxr-xr-x 1 root root 15335 May 31 09:58 ping*
>
> Well, that would be the standard ping utility, I presume, carried for some
> reason.
>
> > -rw-r--r-- 1 root root 19700 Jun 1 18:03 snifflog
> > ---s--s--x 1 root root 11869 Apr 4 19:10 sush*
>
> This one is pretty interesting. I know only a few exploits that use this
> name:
>
> - suidperl
> - old crontab exploit
> - Linux 2.2 capabilities exploit
>
> But the last two use /tmp, not the current directory, for creating 'sush'.
>
> > -rwxr-xr-x 1 root root 12405 May 31 09:38 vanish2.gz*
>
> And that would be another log cleaner.
>
> > -rwxr-xr-x 1 root root 58068 May 19 06:58 wget.gz*
> > -rwxr-xr-x 1 root root 20445 Apr 2 12:24 bnc.gz*
> > -rwxr-xr-x 1 root root 14319 May 31 10:05 tty*
>
> These proggies seem to be not harmful.
>
> --
> _____________________________________________________
> Michal Zalewski [lcamtufat_private] [security]
> [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
> =-=> Did you know that clones never use mirrors? <=-=
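An added defender-side example, not part of the thread or of any tool it names: Michal points out that `addlen` pads a replaced binary with zeros so its size matches the original, which makes a size-only integrity check blind to the swap. The script below parses the ELF section header table and flags files whose bytes past the last section are all NUL, the footprint that kind of padding leaves. Both sample binaries are constructed inline (a minimal ELF32 and the same file with 900 zero bytes appended).

```python
import struct

SHT_NOBITS = 8  # section type that occupies no bytes in the file

def elf_data_end(data: bytes):
    """Highest file offset used by the ELF header, section table and sections.
    Returns None for non-ELF input or when no section table is present.
    Bytes past this point belong to no section, which is where size-matching
    padding ends up."""
    if data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 1:                                   # ELF32 header layout
        (e_shoff,) = struct.unpack_from(endian + "I", data, 0x20)
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x2E)
        shdr_fmt = endian + "IIIIIIIIII"               # sh_type=[1] sh_offset=[4] sh_size=[5]
    elif data[4] == 2:                                 # ELF64 header layout
        (e_shoff,) = struct.unpack_from(endian + "Q", data, 0x28)
        e_shentsize, e_shnum = struct.unpack_from(endian + "HH", data, 0x3A)
        shdr_fmt = endian + "IIQQQQIIQQ"
    else:
        return None
    if e_shoff == 0 or e_shnum == 0:                   # stripped table: cannot judge
        return None
    end = e_shoff + e_shentsize * e_shnum
    for i in range(e_shnum):
        sh = struct.unpack_from(shdr_fmt, data, e_shoff + i * e_shentsize)
        if sh[1] != SHT_NOBITS:
            end = max(end, sh[4] + sh[5])
    return end

def padding_report(data: bytes):
    """Count bytes appended past the last section and say whether they are all NUL."""
    end = elf_data_end(data)
    if end is None or end > len(data):
        return None
    tail = data[end:]
    return {"trailing_bytes": len(tail),
            "all_zero": len(tail) > 0 and not tail.strip(b"\x00")}

# Constructed sample: minimal ELF32 with one 16-byte PROGBITS section (148 bytes total),
# plus the same file padded with 900 NUL bytes to mimic a size-matched replacement.
_IDENT = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
_EHDR = _IDENT + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 0, 52, 0, 52, 0, 0, 40, 2, 0)
_SHDRS = b"\x00" * 40 + struct.pack("<IIIIIIIIII", 0, 1, 6, 0, 132, 16, 0, 0, 4, 0)
CLEAN_ELF = _EHDR + _SHDRS + b"\x90" * 16
PADDED_ELF = CLEAN_ELF + b"\x00" * 900

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ELF), ("padded", PADDED_ELF)):
        print(name, padding_report(blob))
```

Treat a hit as a lead, not a verdict: the replaced binary's content differs regardless of its size, so the real check is a cryptographic digest against a trusted offline baseline rather than the `sum`-style checksums the thread's `fix` tool is built to satisfy.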
This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 10:04:29 PDT