Re: Solaris hack

From: Christopher Samuel (C.Samuelat_private)
Date: Mon Mar 04 2002 - 02:36:12 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    On Thursday 28 Feb 2002 9:29 pm, Steve Huston wrote:
    
    > I just got one of these too; upon booting from CD and doing a little poking
    > around, I found in /usr/lib/vold/nsdap the file 'defines', which contained
    > the following:
    >
    > ======
    >
    > # Edit these
    > # Dir to install rootkit in
    > RKDIR="/usr/lib/vold/nsdap"
    > # Your email address
    > EMAIL="bert.smithat_private"
    > # debug mode on or off
    > DEBUG=0
    [...]
    
    Google is your friend - doing a search for that email address picks up two 
    links to the Honeynet project, both for results for the Scan of the Month #16.
    
    The most interesting of the two is:
    
    	http://project.honeynet.org/scans/scan16/som/som34.html
    
    by "Solar Eclipse". The useful text is:
    
      This looks like our rootkit. According to the README it was written by
      Tragedy/Dor <bert.smithat_private>.  I sent an email to this address
      and Dor was kind enough to send me the binaries of his rootkit - k.tar.gz.
      I have not analyzed the rootkit in depth, since this is not the objective
      of Scan 16, but I looked at the installation script. It writes out the
      configuration to a temporary file and then obfuscates it with a crypt
      program, included in the rootkit. By disassembling the crypt binary with
      IDA Pro I found out that it simply reads the file, NOTs every byte and
      writes it out. My cryptanalysis appears to be correct.
    
    The link "k.tar.gz" to the rootkit in the above is broken, though.
    
    HTH, HAND,
    Chris
    - -- 
    Christopher Samuel               [dstl]                 +44 1684 771134
    L007, DSTL, St Andrews Road, Malvern, UK  -  DSTL is part of the UK MoD
    DISCLAIMER:  The views expressed above are just those of the author and
    do not represent the views, policy or understanding of any other entity
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iQCVAwUBPINOIVJ7nmUlvnM9AQHe4wP/XKD7BKv4NN07bCmGsGYS4nKs8q11QCFn
    UBXVdiSAB1+UrPB+dg/6rp+N7nndmDKihRXc43SHs7fme/aHLXmEHfbUpgjwbL9N
    0HvBsK3zLQ7radjkHMGH/5o/F9DtP04ekW+sNmRzV2Mnma2pbwVexGwjaKDsPqYd
    xB93/jwoz/o=
    =rN0U
    -----END PGP SIGNATURE-----
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
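The Scan 16 write-up quoted above says the rootkit's "crypt" helper just NOTs every byte of the configuration file. For an analyst who finds such a file on a compromised host, that makes recovery trivial: NOT is its own inverse, and NOT'ed ASCII is easy to spot because every byte ends up at or above 0x80. The following is an added example written for this archive entry, not code from the thread or from the rootkit; the sample `defines` content is constructed to resemble the fragment Steve Huston quoted (the EMAIL line is left out), and the `recover_config` helper and its heuristic threshold are my own choices.

```python
from typing import Dict, Optional

# Constructed sample resembling the 'defines' file quoted in the thread
# (not the real file; the EMAIL line is deliberately omitted).
DEFINES_SAMPLE = (
    b'# Edit these\n'
    b'# Dir to install rootkit in\n'
    b'RKDIR="/usr/lib/vold/nsdap"\n'
    b'# debug mode on or off\n'
    b'DEBUG=0\n'
)


def not_bytes(data: bytes) -> bytes:
    """Bitwise NOT every byte, as the write-up says the crypt binary does.
    XOR with 0xFF is the same operation and is its own inverse."""
    return bytes(b ^ 0xFF for b in data)


def looks_not_obfuscated_text(data: bytes) -> bool:
    """Heuristic: NOT'ed 7-bit ASCII text has every byte >= 0x80, and the
    decoded form should be almost entirely printable characters."""
    if not data or any(b < 0x80 for b in data):
        return False
    decoded = not_bytes(data)
    printable = sum(1 for b in decoded if 0x20 <= b < 0x7F or b in b'\n\r\t')
    return printable / len(decoded) > 0.95


def extract_assignments(text: bytes) -> Dict[str, str]:
    """Pull KEY=value / KEY="value" lines out of a recovered shell-style config,
    skipping comments and blank lines."""
    out: Dict[str, str] = {}
    for line in text.decode('latin-1').splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, _, value = line.partition('=')
        out[key.strip()] = value.strip().strip('"\'')
    return out


def recover_config(blob: bytes) -> Optional[Dict[str, str]]:
    """Return the parsed config if the blob looks like NOT-obfuscated text,
    otherwise None so the caller knows a different transform is in play."""
    if not looks_not_obfuscated_text(blob):
        return None
    return extract_assignments(not_bytes(blob))


# Constructed "encrypted" blob, produced exactly as the rootkit's crypt would.
OBFUSCATED_SAMPLE = not_bytes(DEFINES_SAMPLE)


if __name__ == "__main__":
    import sys
    # Usage: python recover.py [path-to-obfuscated-file]; with no argument,
    # run against the constructed sample.
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else OBFUSCATED_SAMPLE
    result = recover_config(blob)
    if result is None:
        print("input does not look like NOT-obfuscated ASCII text")
    else:
        for k, v in result.items():
            print(f"{k} = {v}")
```

The all-bytes-above-0x7F check is what makes this worth having on a triage box: a config file that has been NOT'ed will show up under a scan for files with no byte below 0x80, which ordinary binaries and text files almost never satisfy. If `recover_config` returns `None`, the obfuscation is something other than a plain byte-wise NOT and the binary needs the kind of disassembly the write-up describes.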
    
    This archive was generated by hypermail 2b30 : Mon Mar 04 2002 - 22:07:48 PST