hi ya

i've been checking my tripwire logs more carefully due to the other rootkit in my lan... found another rootkit in another dns server at a different domain/building/isp

- they installed cyberkit.tgz into /etc/named/
- i don't think they did anything... no other files found ( that server does not have tar installed :-)
- it is a rh-6.0 that was patched to bind-8.2.3-REL but looks like the rpm patch failed ??? ==>> don't trust that rpm finished properly ?? ===
- i reinstalled the bind patch again...
- for now... that's where i'm pointing the finger... ( that it's an oops... on patch installs across the net/lan )
- there is also one ftp connect entry for that time, about 3 minutes before the time stamp for cyberkit.tgz ( wu-2.6.0(1) )
- time to patch that anonymous ftpd one ...

by now... i think they've figured out that they need to bring along a statically linked tar separately to unpack their kit...

have fun
alvin
http://www.Linux-Sec.net
my local copy: http://Lsec.Linux-Consulting.com/Hacker_Tools_Found/

- the contents of cyberkit.tgz ( not listed at packetstorm either )

tar ztvf cyberkit.tgz
drwxr-xr-x 834/xfs 0 2001-05-22 23:03 CyberRK/
drwxr-xr-x 834/xfs 0 2000-09-13 02:50 CyberRK/dev/
-rw-r--r-- 834/xfs 26 2001-05-22 23:03 CyberRK/dev/.1addr
-rw-r--r-- 834/xfs 21 1999-09-09 08:48 CyberRK/dev/.1logz
-rw-r--r-- 834/xfs 60 2001-02-28 21:22 CyberRK/dev/.1proc
-rw-r--r-- 834/xfs 72 2000-06-16 21:55 CyberRK/dev/.1file
-rwxr-xr-x 834/xfs 57452 1999-03-29 14:05 CyberRK/find
-rwxr-xr-x 834/xfs 18 2001-04-16 11:21 CyberRK/hack
-rwxr-xr-x 834/xfs 53364 2001-04-11 00:15 CyberRK/netstat
-rwxr-xr-x 834/xfs 4568 2000-09-13 03:43 CyberRK/pg
-rwxr-xr-x 834/xfs 13184 2000-08-22 11:28 CyberRK/pstree
-rw-r--r-- 834/xfs 100424 2000-08-23 07:47 CyberRK/ssh.tgz
-rwxr-xr-x 834/xfs 1382 2000-07-24 23:07 CyberRK/sz
-rwxr-xr-x 834/xfs 7724 2001-05-22 23:03 CyberRK/t0rn
-rwxr-xr-x 834/xfs 266140 1999-04-03 10:09 CyberRK/top
-rwx------ 834/xfs 7165 1998-08-06 03:36 CyberRK/linsniffer
-rwx------ 834/xfs 75 1999-10-28 14:11 CyberRK/logclear
-rwxr-xr-x 834/xfs 4060 1999-03-05 06:59 CyberRK/sense
-rwx------ qmaill/502 8268 1999-10-16 06:13 CyberRK/sl3
drwxr-xr-x 711/users 0 2001-05-22 23:03 CyberRK/.t0rn/
.. end of list ...
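The correlation alvin describes (a wu-ftpd connect entry about three minutes before the cyberkit.tgz timestamp) as an added example, not code from the post: it parses BSD-syslog style ftpd lines and returns the connections that fall inside a window before a file's mtime. The log lines, host name and client addresses are constructed for the example; only the 2001-05-22 23:03 timestamp comes from the listing above.

```python
"""Correlate a suspicious file's mtime with nearby ftpd log entries.

Added example; the syslog lines below are constructed (host 'ns1' and
the client addresses are made up), not taken from the original post.
"""
from datetime import datetime, timedelta

# Constructed sample syslog lines in wu-ftpd style (no year in the stamp).
SAMPLE_LOG = """\
May 22 22:41:07 ns1 ftpd[2031]: connection from 192.0.2.77
May 22 22:41:12 ns1 ftpd[2031]: ANONYMOUS FTP LOGIN FROM 192.0.2.77, mozilla@
May 22 22:59:58 ns1 ftpd[2102]: connection from 198.51.100.9
May 22 23:00:03 ns1 ftpd[2102]: ANONYMOUS FTP LOGIN FROM 198.51.100.9, guest@
May 22 23:03:00 ns1 ftpd[2102]: FTP session closed
May 22 23:20:44 ns1 ftpd[2210]: connection from 203.0.113.5
"""

# mtime reported by tar for cyberkit.tgz's top-level directory in the post
KIT_MTIME = datetime(2001, 5, 22, 23, 3)


def parse_syslog(text, year):
    """Yield (timestamp, 'prog[pid]: message') pairs from BSD-syslog lines.

    Syslog omits the year, so the caller supplies it (taken from the mtime
    being investigated).  Lines that do not have the expected shape are
    skipped rather than raising.
    """
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        stamp = datetime.strptime(" ".join([str(year)] + parts[:3]),
                                  "%Y %b %d %H:%M:%S")
        yield stamp, " ".join(parts[4:])


def ftp_connects_before(log_text, file_mtime, window_minutes):
    """Return [(timestamp, message)] for ftpd connections that occurred
    within window_minutes before file_mtime (inclusive of the mtime)."""
    earliest = file_mtime - timedelta(minutes=window_minutes)
    return [(stamp, msg)
            for stamp, msg in parse_syslog(log_text, file_mtime.year)
            if earliest <= stamp <= file_mtime
            and msg.startswith("ftpd") and "connection from" in msg]


if __name__ == "__main__":
    for stamp, msg in ftp_connects_before(SAMPLE_LOG, KIT_MTIME, 5):
        print(f"{stamp:%Y-%m-%d %H:%M:%S}  {msg}")
```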
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 10:12:30 PDT