Alvin Oga wrote:
>
> hi ya
>
> i've been checking my tripwire logs more carefully
> due to the other rootkit in my lan...
>
> found another rootkit in another dns server at a different
> domain/building/isp
> - they installed cyberkit.tgz into /etc/named/
>
> - i don't think they did anything... no other files found
> ( that server does not have tar installed :-)
>
> - it is a rh-6.0 that was patched to bind-8.2.3-REL
> but looks like the rpm patch failed ???
>
> ==>> don't trust that rpm finished properly ?? ===
>
> - i reinstalled the bind patch again...
>
> - for now... that's where i'm pointing the finger...
> ( that it's an oops...on patch installs across the net/lan
>
> - there is also one ftp connect entry for that time
> about 3 minutes before the time stamp for cyberkit.tgz
> ( wu-2.6.0(1) )
> - time to patch that anonymous ftpd one ...
>
> by now...
> i think they've figured out that they need to bring along
> a statically linked tar separately to unpack their kit...
>
> have fun
> alvin
> http://www.Linux-Sec.net
>
>
> my local copy:
> http://Lsec.Linux-Consulting.com/Hacker_Tools_Found/
>
> - the contents of cyberkit.tgz ( not listed at packetstorm either )
> tar ztvf cyberkit.tgz
>
> drwxr-xr-x 834/xfs 0 2001-05-22 23:03 CyberRK/
> drwxr-xr-x 834/xfs 0 2000-09-13 02:50 CyberRK/dev/
> -rw-r--r-- 834/xfs 26 2001-05-22 23:03 CyberRK/dev/.1addr
> -rw-r--r-- 834/xfs 21 1999-09-09 08:48 CyberRK/dev/.1logz
> -rw-r--r-- 834/xfs 60 2001-02-28 21:22 CyberRK/dev/.1proc
> -rw-r--r-- 834/xfs 72 2000-06-16 21:55 CyberRK/dev/.1file
> -rwxr-xr-x 834/xfs 57452 1999-03-29 14:05 CyberRK/find
> -rwxr-xr-x 834/xfs 18 2001-04-16 11:21 CyberRK/hack
> -rwxr-xr-x 834/xfs 53364 2001-04-11 00:15 CyberRK/netstat
> -rwxr-xr-x 834/xfs 4568 2000-09-13 03:43 CyberRK/pg
> -rwxr-xr-x 834/xfs 13184 2000-08-22 11:28 CyberRK/pstree
> -rw-r--r-- 834/xfs 100424 2000-08-23 07:47 CyberRK/ssh.tgz
> -rwxr-xr-x 834/xfs 1382 2000-07-24 23:07 CyberRK/sz
> -rwxr-xr-x 834/xfs 7724 2001-05-22 23:03 CyberRK/t0rn
> -rwxr-xr-x 834/xfs 266140 1999-04-03 10:09 CyberRK/top
> -rwx------ 834/xfs 7165 1998-08-06 03:36 CyberRK/linsniffer
> -rwx------ 834/xfs 75 1999-10-28 14:11 CyberRK/logclear
> -rwxr-xr-x 834/xfs 4060 1999-03-05 06:59 CyberRK/sense
> -rwx------ qmaill/502 8268 1999-10-16 06:13 CyberRK/sl3
> drwxr-xr-x 711/users 0 2001-05-22 23:03 CyberRK/.t0rn/
> .. end of list ...

I recently found the same thing on one of my machines.

drwxr-xr-x 4 834 xfs 1024 May 23 06:03 CyberRK
drwxr-xr-x 2 834 xfs 1024 Sep 13 2000 dev
-rwxr-xr-x 1 834 xfs 57452 Mar 29 1999 find
-rwxr-xr-x 1 834 xfs 18 Apr 16 18:21 hack
-rwx------ 1 834 xfs 7165 Aug 6 1998 linsniffer
-rwx------ 1 834 xfs 75 Oct 28 1999 logclear
-rwxr-xr-x 1 834 xfs 53364 Apr 11 07:15 netstat
-rwxr-xr-x 1 834 xfs 4568 Sep 13 2000 pg
-rwxr-xr-x 1 834 xfs 13184 Aug 22 2000 pstree
-rwxr-xr-x 1 834 xfs 4060 Mar 5 1999 sense
-rwx------ 1 qmaill 502 8268 Oct 16 1999 sl3
-rw-r--r-- 1 834 xfs 100424 Aug 23 2000 ssh.tgz
-rwxr-xr-x 1 834 xfs 1382 Jul 25 2000 sz
-rwxr-xr-x 1 834 xfs 7724 May 23 06:03 t0rn
-rwxr-xr-x 1 834 xfs 266140 Apr 3 1999 top
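The kit listing above is the useful artifact for a responder: it names the system binaries the kit replaces (find, netstat, pstree, top), its sniffer and log cleaner, and the hidden dotfiles it drops under dev/. As an added example that is not part of the thread, the script below parses `tar ztvf` style output and flags those three classes of entries; the sample listing is a constructed subset of the one posted above, and the binary-name lists are this example's own assumptions, not the kit's manifest.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the `tar ztvf cyberkit.tgz` listing from the post
SAMPLE_LISTING = """\
drwxr-xr-x 834/xfs 0 2001-05-22 23:03 CyberRK/
-rw-r--r-- 834/xfs 26 2001-05-22 23:03 CyberRK/dev/.1addr
-rwxr-xr-x 834/xfs 57452 1999-03-29 14:05 CyberRK/find
-rwxr-xr-x 834/xfs 53364 2001-04-11 00:15 CyberRK/netstat
-rwx------ 834/xfs 7165 1998-08-06 03:36 CyberRK/linsniffer
-rwx------ 834/xfs 75 1999-10-28 14:11 CyberRK/logclear
-rw-r--r-- 834/xfs 100424 2000-08-23 07:47 CyberRK/ssh.tgz
drwxr-xr-x 711/users 0 2001-05-22 23:03 CyberRK/.t0rn/
"""

# Assumed watch lists: system tools a kit may ship trojaned copies of,
# and component names taken from the listing in the post.
REPLACED_BINARIES = {"find", "netstat", "pstree", "top", "ps", "ls", "ifconfig", "login"}
KNOWN_COMPONENTS = {"linsniffer", "logclear", "sense", "sl3", "sz"}

# mode owner/group size date time path   (GNU tar -tv format)
LINE_RE = re.compile(r"^([-dl][rwxsStT-]{9})\s+(\S+)\s+(\d+)\s+(\S+ \S+)\s+(.+)$")


def parse_listing(text: str) -> List[Dict]:
    """Turn each tar -tv line into a dict; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mode, owner, size, mtime, path = m.groups()
        entries.append({"mode": mode, "owner": owner, "size": int(size),
                        "mtime": mtime, "path": path})
    return entries


def flag_entries(entries: List[Dict]) -> Dict[str, List[str]]:
    """Map each suspicious archive path to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        base = e["path"].rstrip("/").rsplit("/", 1)[-1]
        reasons = []
        # an executable regular file named like a system tool
        if base in REPLACED_BINARIES and e["mode"][0] == "-" and "x" in e["mode"]:
            reasons.append("replaces system binary")
        if base in KNOWN_COMPONENTS:
            reasons.append("known rootkit component")
        if base.startswith("."):           # hidden config files / directories
            reasons.append("hidden name")
        if reasons:
            findings[e["path"]] = reasons
    return findings


def scan_listing(text: str) -> Dict[str, List[str]]:
    return flag_entries(parse_listing(text))
```

Pointed at a real archive, `tar ztvf kit.tgz | python3 -c '...'` style piping works the same way, and the watch lists should be extended with whatever tripwire reports as changed on the host.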
This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 16:04:08 PDT