hi ya

for those of you looking at this stuff,... i missed one file .... that tripwire found ...that i skipped over

-rwxr-xr-x 1 root root 14443 May 31 09:54 /usr/lib/pt07*

thanx
alvin
http://www.Linux-Sec.net

> On Sat, 2 Jun 2001, Michal Zalewski wrote:
>
> > On Fri, 1 Jun 2001, Alvin Oga wrote:
> >
> > > just was curious why i couldn't find any references on any of the
> > > "unique" keywords ( maniac-Rk, grabb, ipz.gz ...
> >
> > I haven't seen it anywhere else, but it seems to be built using
> > publicly available, common stuff...
> >
> > > -rwxr-xr-x 1 root root 5043 Mar 23 07:18 addlen*
> >
> > This is a program to pad replaced file with zeros to match its original
> > size.
> >
> > > -rw-r--r-- 1 root root 5744 May 31 10:10 adore.o
> > > -rwxr-xr-x 1 root root 14248 May 31 10:10 ava*
> >
> > That is pretty popular kernel-level backdoor, designed by stealth (two
> > parts, kernel-space and user-space).
> >
> > > -rwxr-xr-x 1 root root 1080 Mar 23 07:48 clear_logs*
> >
> > Hard to identify - pretty small, probably invokes vanish2 (is it a shell
> > script?).
> >
> > > -rwxr-xr-x 1 root root 7985 Mar 23 07:38 fix*
> >
> > This one is used to fix checksums of files (not md5 digests ;).
> >
> > > -rwxr-xr-x 1 root root 10171 May 4 12:39 grabbb.gz*
> >
> > That would be a banner scanner, publicly available.
> >
> > > -rwxr-xr-x 1 root root 5220 Jun 1 18:53 install.sh*
> >
> > ...and this script would invoke 'addlen' and 'fix' ;)
> >
> > > -rwxr-xr-x 1 root root 4734 May 8 10:04 ipz.gz*
> >
> > /* members.xoom.com/i0wnu
> > * IPZ by Mixter (c) 1999
> > * Generates IP Addresses for Class A/B/C SubNets
> > * in non-sequential order (for unnoticed scanning). */
> >
> > > -rwxr-xr-x 1 root root 10496 Mar 23 07:48 pine.out*
> >
> > (unidentified, probably worth a look)
> >
> > > -rwxr-xr-x 1 root root 9070 May 4 11:55 slice*
> >
> > This seems to be one of DDoS attack proggies.
> >
> > > -rwxr-xr-x 1 root root 15335 May 31 09:58 ping*
> >
> > Well, that would be standard ping utility, I presume, carried for some
> > reason.
> >
> > > -rw-r--r-- 1 root root 19700 Jun 1 18:03 snifflog
> > > ---s--s--x 1 root root 11869 Apr 4 19:10 sush*
> >
> > This one is pretty interesting. I know only a few exploits that use this
> > name:
> >
> > - suidperl
> > - old crontab exploit
> > - Linux 2.2 capabilities exploit
> >
> > But last two use /tmp, not current directory, for creating 'sush'.
> >
> > > -rwxr-xr-x 1 root root 12405 May 31 09:38 vanish2.gz*
> >
> > And that would be another log cleaner.
> >
> > > -rwxr-xr-x 1 root root 58068 May 19 06:58 wget.gz*
> > > -rwxr-xr-x 1 root root 20445 Apr 2 12:24 bnc.gz*
> > > -rwxr-xr-x 1 root root 14319 May 31 10:05 tty*
> >
> > These proggies seem to be not harmful.
> >
> > --
> > _____________________________________________________
> > Michal Zalewski [lcamtufat_private] [security]
> > [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
> > =-=> Did you know that clones never use mirrors? <=-=
> >
>
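A baseline-versus-current integrity check that specifically flags the "same size, different digest" pattern a zero-padding tool like the 'addlen' described above is meant to produce, plus files that exist only in the current snapshot (the way the missed /usr/lib/pt07 did). This is an added example, not part of the thread or of tripwire; the file contents and the snapshot dictionaries are constructed in-memory samples standing in for files read from disk.

```python
from __future__ import annotations
import hashlib

def fingerprint(data: bytes) -> tuple[int, str]:
    """Return (size, sha256 hex digest) for one file's bytes."""
    return len(data), hashlib.sha256(data).hexdigest()

def compare(baseline: dict[str, bytes], current: dict[str, bytes]) -> dict[str, str]:
    """Classify every path seen in either snapshot.

    A file whose sha256 changed while its size did not is reported separately,
    because matching the original size is exactly what a padding tool does to
    evade size-only checks; a cryptographic digest still exposes the swap.
    """
    verdicts: dict[str, str] = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            verdicts[path] = "added"            # e.g. a dropped rootkit component
        elif path not in current:
            verdicts[path] = "removed"
        else:
            b_size, b_hash = fingerprint(baseline[path])
            c_size, c_hash = fingerprint(current[path])
            if b_hash == c_hash:
                verdicts[path] = "unchanged"
            elif b_size == c_size:
                verdicts[path] = "replaced-size-preserved"
            else:
                verdicts[path] = "modified"
    return verdicts

# Constructed sample data: a pretend original binary, a shorter replacement
# that has been zero-padded to the original length, and one new file.
ORIGINAL_LS = b"\x7fELF original ls binary (constructed sample)\n" * 4
TROJAN_LS = b"\x7fELF replacement ls (constructed sample)\n"
BASELINE = {"/bin/ls": ORIGINAL_LS, "/bin/ps": b"\x7fELF ps (constructed)\n"}
CURRENT = {
    "/bin/ls": TROJAN_LS.ljust(len(ORIGINAL_LS), b"\0"),  # size now matches
    "/bin/ps": b"\x7fELF ps (constructed)\n",
    "/usr/lib/pt07": b"\x7fELF unknown file (constructed)\n",
}

def run_sample() -> dict[str, str]:
    """Run the comparison over the constructed snapshots."""
    return compare(BASELINE, CURRENT)

if __name__ == "__main__":
    for path, verdict in run_sample().items():
        print(f"{verdict:24} {path}")
```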
This archive was generated by hypermail 2b30 : Sun Jun 03 2001 - 11:44:57 PDT