TuxKit1.0 and other rootkits

From: Rune Henssel (bugtraqat_private)
Date: Sun Feb 10 2002 - 16:32:20 PST


    Anybody know a RootKit called TuxKit1.0 and another kit that creates the following files:
    
    -rw-r--r--    1 root     root          241 Jan 29 12:09 /dev/xdta
    -rw-r--r--    1 root     root          146 Feb 10 18:46 /dev/xmx
    drwxr-xr-x    3 root     root         4096 Feb 11 00:31 /usr/man/man1/..  /.dir
    -rwxr-xr-x    1 root     root         7165 Sep 16  2000 /usr/man/man1/..  /.dir/snif
    -rwx------    1 root     root           63 Sep 16  2000 /usr/man/man1/..  /.dir/klog
    -rwx--x--x    1 root     root         8268 Oct 16  1999 /usr/man/man1/..  /.dir/crush
    -rwxr-xr-x    1 root     root         4060 Mar  5  1999 /usr/man/man1/..  /.dir/create
    -rwxr-xr-x    1 root     root        22173 Dec  9  2000 /usr/man/man1/..  /.dir/s
    -rwxr-xr-x    1 root     root        37711 Dec  9  2000 /usr/man/man1/..  /.dir/w
    -rw-r--r--    1 root     root     15853742 Feb 11 00:35 /usr/man/man1/..  /.dir/log
    drwxr-xr-x    5 root     root         4096 Jun 20  2001 /usr/man/man1/..  /.dir/sc
    drwxr-xr-x    2 mnk      501          4096 Mar 17  2001 /usr/man/man1/..  /.dir/sc/bindscan
    -rwxr-xr-x    1 root     root        17971 Mar 11  2001 /usr/man/man1/..  /.dir/sc/bindscan/bind
    -rwxr-xr-x    1 root     root        15781 Mar 11  2001 /usr/man/man1/..  /.dir/sc/bindscan/scan
    -rwxr-xr-x    1 mnk      501           299 Mar  1  2001 /usr/man/man1/..  /.dir/sc/bindscan/try
    -rw-r--r--    1 mnk      501          4780 Mar  4  2001 /usr/man/man1/..  /.dir/sc/bindscan/scan.c
    -rw-r--r--    1 mnk      501           111 Mar  4  2001 /usr/man/man1/..  /.dir/sc/bindscan/xlist
    -rwxr-xr-x    1 mnk      501           382 Mar  1  2001 /usr/man/man1/..  /.dir/sc/bindscan/r00t
    -rw-r--r--    1 mnk      501          7692 Mar  1  2001 /usr/man/man1/..  /.dir/sc/bindscan/bind.c
    drwxr-xr-x    2 root     root         4096 Jun 20  2001 /usr/man/man1/..  /.dir/sc/sc
    -rwxr-xr-x    1 root     root        13067 Dec  1  2000 /usr/man/man1/..  /.dir/sc/sc/ben
    -rwxr-xr-x    1 rasmusm  1000         1441 Aug 10  2000 /usr/man/man1/..  /.dir/sc/sc/ben.c
    -rw-------    1 root     root        65536 Nov 30  2000 /usr/man/man1/..  /.dir/sc/sc/core
    -rwxr-xr-x    1 root     root          112 Aug 10  2000 /usr/man/man1/..  /.dir/sc/sc/osscan
    -rwxr-xr-x    1 rasmusm  1000         4444 Aug 10  2000 /usr/man/man1/..  /.dir/sc/sc/pscan.c
    -rwxr-xr-x    1 root     root        15715 Nov 30  2000 /usr/man/man1/..  /.dir/sc/sc/scan
    -rwxr-xr-x    1 root     root        15121 Nov 21  2000 /usr/man/man1/..  /.dir/sc/sc/wus
    drwxr-xr-x    2 root     root         4096 Jun 20  2001 /usr/man/man1/..  /.dir/sc/lameru
    -rwxr-xr-x    1 root     root         1586 Jan 29  2001 /usr/man/man1/..  /.dir/sc/lameru/lamer
    -rwxr-xr-x    1 root     root        11632 Mar  4  2001 /usr/man/man1/..  /.dir/sc/lameru/statdx
    -rwxr-xr-x    1 root     root         6468 Mar  4  2001 /usr/man/man1/..  /.dir/sc/lameru/scan-a
    
    We have 2 servers; one has been infected by TuxKit1.0 and the other one by this unknown kit.
    
    Any help would be greatly appreciated.
    
    
    Rune Henssel
    System Administrator
    
    
    



    This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 09:39:22 PST
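
The listing in the message above shows two patterns that can be checked for on other hosts: regular files placed directly in /dev, and a directory named ".." followed by two spaces inside the man tree. The script below is an added example, not part of the original post; the function names, the default tree "usr/man" and the /dev/shm exclusion are assumptions, and every hit is a lead to review rather than proof of compromise.

```python
import os
import stat
import sys

def is_disguised(name):
    """True for names like '..  ' or '...' that blend in with '.' and '..'."""
    if name != name.strip():          # leading or trailing whitespace
        return True
    return len(name) > 2 and set(name) == {"."}

def scan(root="/", trees=("usr/man",), dev_skip=("shm",)):
    """Return sorted (reason, path) leads found under root."""
    leads = []
    dev = os.path.join(root, "dev")
    for cur, dirs, files in os.walk(dev):
        if cur == dev:
            # Assumption: /dev/shm legitimately holds regular files, skip it.
            dirs[:] = [d for d in dirs if d not in dev_skip]
        for name in files:
            path = os.path.join(cur, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue              # entry vanished or is unreadable
            if stat.S_ISREG(mode):    # device nodes and symlinks are ignored
                leads.append(("regular file in dev", path))
    for tree in trees:
        for cur, dirs, files in os.walk(os.path.join(root, tree)):
            for name in dirs + files:
                if is_disguised(name):
                    leads.append(("disguised name", os.path.join(cur, name)))
    return sorted(leads)

if __name__ == "__main__":
    # Optional argument: a mounted copy of the suspect filesystem.
    for reason, path in scan(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{reason}: {path!r}")  # repr() makes trailing spaces visible
```

Running it against a read-only mount of the suspect disk from a trusted system avoids relying on binaries that the kit may have replaced.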