On Mon, 4 Jun 2001, Michal Zalewski wrote:

Hello, that is a rootkit written in Portuguese -> Brazilian, and most of the Brazilian IPs begin with 200., which is quite normal, since Brazil doesn't have good legislation.

> Alvin told me it might be good to forward it to INCIDENTS. Here are my
> comments on the binaries of this rootkit I got from him - you might want
> to check if you have one already ;-):
>
> - The rootkit itself is called 'ManiaC r00tkit' (how pathetic). We
> were not able to find it anywhere on the net (searching for filenames
> and such), so I presume it is pretty new,
>
> - It consists of a sniffer, a few trivial backdoors, DoS tools, a bnc
> IRC bouncer, a setuid shell and so on. It uses the Ava/Adore kernel module
> to hide itself, replaces a few binaries and modifies one rc script - it
> is not too advanced,
>
> - Rootkit installation script:
>
> echo "Copiando os arquivos necess.rios."
>
> This sounds like Portuguese or so, which probably tells us about
> its origins.
>
> - It removes a few patterns from logfiles. Those would be: 200.195.86.*,
> 200.248.162.*, 200.195.121.*, 200.243.17.*, netdados.com.br,
> usinet.com.br - I presume these are networks the attacker used for
> defacements (how smart to put them in the script in this form!),
>
> - It sends information about the machine to tuiqoitu039t09q3at_private,
> bnadfjg9023at_private, t391u9t0qit@end-war.com, mki62969oat_private
> One of these mailboxes is still working (bigfoot.com, the others are
> provided as a decoy or so),
>
> - pt07 and mailrc binaries are backdoors. Listening on 56789/tcp, with
> password "include.h", it hides under the name of "klogd":
>
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> include.h
>
> Bem Vindo MaNiAc 31337 a sua makina!
> Voce Tem o controle! =)
>
> bash: no job control in this shell
> bash-2.01#
>
> Once again, I haven't seen any mention of this backdoor port anywhere.
>
> Hope that helps,
>

-- 
Gonçalo Gomes
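A host check a defender could run for the two listener indicators described in the message above (a TCP listener on 56789 and a listener that calls itself "klogd"); this is an added example, not part of the original post. It assumes `netstat -tlnp` style input on Linux; the port and process name come from the post, and the sample lines are constructed.

```python
"""Flag netstat listener lines matching the backdoor described in the post.

Assumption (example code, not from the original message): input is the text
of `netstat -tlnp`, one socket per line with a PID/Program column.
Indicators from the post: 56789/tcp, and a listener disguised as "klogd".
The real klogd only reads the kernel ring buffer and owns no TCP listener,
so any TCP listener under that name is suspicious on its own.
"""
import re

BACKDOOR_PORT = 56789      # backdoor port named in the post
DISGUISE_NAME = "klogd"    # process name the backdoor hides under

# proto, recv-q, send-q, local addr:port, foreign, LISTEN, pid/program
LINE_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")


def parse_listeners(netstat_text):
    """Return (port, pid, program) for every LISTEN socket in the text."""
    out = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((int(m.group(3)), int(m.group(4)), m.group(5)))
    return out


def find_indicators(netstat_text):
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for port, pid, prog in parse_listeners(netstat_text):
        if port == BACKDOOR_PORT:
            findings.append("pid %d (%s) listens on %d/tcp: backdoor port "
                            "from the post" % (pid, prog, port))
        elif prog == DISGUISE_NAME:
            findings.append("pid %d named %s listens on %d/tcp: klogd never "
                            "owns a TCP listener" % (pid, prog, port))
    return findings


# Constructed sample in `netstat -tlnp` layout: sshd is benign, the rest match.
SAMPLE = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      410/sshd
tcp        0      0 0.0.0.0:56789           0.0.0.0:*               LISTEN      2741/klogd
tcp        0      0 127.0.0.1:6667          0.0.0.0:*               LISTEN      2750/klogd
"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE):
        print(finding)
```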
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 09:29:07 PDT