Shawn,

It seems to be the Adore Rootkit. There is a complete analysis of this rootkit at the following link:

http://www.sans.org/y2k/the_compromise.htm

It also describes that a root@NoraD is being created.

Hope that helps!

Cheers,
Johnny.Cyberpunkat_private

----- Original Message -----
From: "SecLists" <listsat_private>
To: <incidentsat_private>
Sent: Wednesday, June 06, 2001 6:54 PM
Subject: solaris rootkit investigation

> Hello all...
>
> First time posting to the list here...
>
> One of our customers who we do security services for when they are needed
> recently had a Solaris 7 box compromised. There appears to be a rootkit
> installed that opens an ssh daemon on port 27354 with a sshd_host_key.pub
> of:
>
> ...root@NoraD
>
> Has anyone seen this before? Or has any info on it? i.e., what binaries have
> been trojaned, what files have been replaced, etc.??
>
> Thanks,
>
> Shawn Duffy
>
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 15:38:53 PDT