At 16:40 26-11-2001 -0500, you wrote:
> Can you tell us more about what programs were altered and
> what directories you found the rootkit in?

Sure. They tried to alter ps, dir, top, slocate, lsof, ifconfig, netstat, md5sum, pstree, syslogd, in.fingerd, ls and installed a trojaned ssh. Most modifications failed due to the immutable bit which is set on most important binaries.

Also xntps was installed which is a trojaned ssh daemon. The xntps read its config file from /lib/lblip.tk and listened on port 48883.

Also installed (but not used on my system) were libproc.a and libproc.so version 2.0.6. I guess they are installed to hide some process.

In /lib/ldd.so/ I found the patch script and a file called td. Strings revealed that it is some kind of testing program but I don't know for sure.

Well, that's it so far. I'm currently looking for more suspicious things. Luckily they installed programs which require glibc, which doesn't exist on the system. So searching for the string GLIBC reveals a lot.

If you like I can send you the whole stuff I've found so far.

Greetings, Patrick van Zweden

--
"Warning: you are logged into reality as root..."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Nov 26 2001 - 14:30:37 PST
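One way to script the GLIBC sweep and the immutable-bit check the post describes, as an added example rather than the poster's own tooling; it assumes POSIX sh with find, od, grep -a and, optionally, lsattr:

```sh
#!/bin/sh
# Added triage helper (not from the original post). On a host that has no
# glibc, any ELF file carrying a "GLIBC_" symbol-version string was brought
# in from elsewhere, which is the sweep the post describes.

# Print the path of every ELF file under $1 that contains a GLIBC_ string.
scan_glibc_refs() {
    find "$1" -type f | while IFS= read -r f; do
        # ELF magic is 0x7f 'E' 'L' 'F'; skip text files and other formats.
        magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d ' \n')
        [ "$magic" = "7f454c46" ] || continue
        # grep -a treats the binary as text; -q only sets the exit status.
        if grep -aq 'GLIBC_' "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# Exit 0 if the immutable attribute (chattr +i) is set on $1, 1 if it is
# not, 2 if lsattr is unavailable or the filesystem does not support it.
is_immutable() {
    attrs=$(lsattr -d "$1" 2>/dev/null) || return 2
    case "${attrs%% *}" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report each hit with its immutable status, so a binary the attacker could
# replace is told apart from one the immutable bit protected.
report() {
    scan_glibc_refs "$1" | while IFS= read -r f; do
        is_immutable "$f" && rc=0 || rc=$?
        case $rc in
            0) st=immutable ;;
            1) st=writable ;;
            *) st=unknown ;;
        esac
        printf '%s\t%s\n' "$st" "$f"
    done
}

if [ $# -ge 1 ]; then
    report "$1"
fi
```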