By using "strings" I have found that the changed binaries point to files inside the /dev/tux directory. Judging by /dev/tux/ssh2/logo, the name of the rootkit is "Optic Kit". I couldn't find anything about it using Google. If somebody is interested, I can share the needed information and the rootkit itself. I have made a copy of the rootkit-related files that I found. wtmp was removed, and /var/log/messages was cleaned to remove references to the attacker - e.g. FTP "connection opened" messages. We are going to reinstall the system, so please email me ASAP if you're interested in any additional details.

Vladimir Ivaschenko wrote about "xsf/xchk":

> Hi,
>
> Today a RedHat 7.1 Linux machine of my friend was compromised.
> I have just started investigating, so I don't have any
> information on how it was done. After the attack, login via console
> stopped working.
>
> I have found the following files in /usr/bin: xchk and xsf. They
> are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
> sitting on port 14859. I don't know what the purpose of xchk is.
> killall and ps were also replaced by programs which hide xsf and
> xchk.
>
> Has anyone seen something similar before and can point me to some
> information? I tried searching for xsf / xchk in Google and
> didn't get any results.
>
> --
> Best Regards
> Vladimir Ivaschenko
> Certified Linux Engineer (RHCE)

--
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
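As an added, defender-side example (not part of the original post or of the list), here are the two triage checks the message above implies, written in Python: a strings(1)-style extractor that flags references to subdirectories under /dev (where this rootkit kept its files), and a comparison of the PIDs visible in /proc against what ps reports, which exposes processes hidden by a replaced ps or killall. The allowlist of legitimate /dev subdirectories, the default binaries scanned, and the sample bytes in the test are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Added triage helpers (not from the original post) for the rootkit pattern above:
1. extract printable strings from a binary, like strings(1), and flag any path that
   lives in a subdirectory of /dev (rootkits commonly hide files there, e.g. /dev/tux);
2. compare the PIDs present in /proc against what ps reports, which catches
   processes hidden by a trojaned ps.
"""
import os
import re
import subprocess
from typing import Iterable

# Assumption: /dev subdirectories that normally exist on a Linux box. A system
# binary that references any other /dev subdirectory deserves a closer look.
KNOWN_DEV_DIRS = {"pts", "shm", "fd", "input", "disk", "mapper", "net",
                  "snd", "block", "char", "bus"}

# "/dev/<subdir>/<rest>" : only matches paths with a directory component under /dev,
# so plain device nodes such as /dev/null are ignored.
DEV_SUBDIR_REF = re.compile(r"/dev/([^/\s\x00]+)/[^\s\x00]*")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of at least min_len printable ASCII bytes, in file order
    (the same thing strings(1) prints by default)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def suspicious_dev_refs(strs: Iterable[str]) -> list[str]:
    """Paths under a /dev subdirectory that is not in KNOWN_DEV_DIRS."""
    found = set()
    for s in strs:
        for m in DEV_SUBDIR_REF.finditer(s):
            if m.group(1) not in KNOWN_DEV_DIRS:
                found.add(m.group(0))
    return sorted(found)


def pids_from_proc(proc_root: str = "/proc") -> set[int]:
    """PIDs the kernel exposes; a userland rootkit that only swaps ps/killall
    cannot remove entries from here."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text: str) -> set[int]:
    """Parse the output of `ps -e -o pid=` (one PID per line)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def hidden_pids(proc_pids: set[int], ps_pids: set[int]) -> set[int]:
    """PIDs present in /proc that ps does not report."""
    return proc_pids - ps_pids


def check_hidden_processes() -> set[int]:
    """Run the /proc vs ps comparison twice and keep only PIDs hidden both times,
    so a process that merely exited between the two listings is not reported."""
    results = []
    for _ in range(2):
        ps = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
        results.append(hidden_pids(pids_from_proc(), pids_from_ps_output(ps)))
    return results[0] & results[1]


if __name__ == "__main__":
    import sys
    # Assumed default targets: the two binaries the post says were replaced.
    for path in sys.argv[1:] or ["/bin/ps", "/usr/bin/killall"]:
        try:
            with open(path, "rb") as fh:
                refs = suspicious_dev_refs(extract_strings(fh.read()))
        except OSError as exc:
            print(f"{path}: {exc}")
            continue
        print(f"{path}: {refs or 'no /dev subdirectory references'}")
    print("PIDs in /proc but not in ps output:",
          sorted(check_hidden_processes()) or "none")
```

Run it from a known-good toolchain (a rescue CD or statically linked binaries copied from a clean host), since on the box described above the local ps, killall and possibly strings are the very files under suspicion. The /proc comparison only defeats userland hiding; a kernel-module rootkit can filter /proc as well, which is one more reason the reinstall the author plans is the right call.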
This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 13:56:09 PST