illogic rootkit

From: Dan Irwin (danat_private)
Date: Thu Apr 18 2002 - 21:21:01 PDT

    Hi all.
    
    I found a rootkit named "illogic" on a recently compromised Redhat 7.2
    honeypot. Searches on Google and AltaVista revealed nothing, but a search on
    Google Groups revealed 1 news article which originated from Russia.
    
    Anyone seen this before?
    
    It appears the attacker left a copy of the illogic.tgz file intact on my
    honeypot. Last night I did some quick forensics, and discovered the
    following things about this rootkit:
    
     * Contains the Adore rootkit
     * Contains many trojaned binaries (sshd, syslog, etc)
     * Contains several ./massrooting tools (ssh, lpd, wuftpd)
     * Contains DDoS tools
     * And much more.
    
    This is all in 1 package, about a megabyte in size.
    
    From my tcpdump logs I also traced the FTP server from which this was
    downloaded. I also obtained the attacker's username/password for the
    aforementioned FTP site.
    
    I will publish the rootkit on my personal web site sometime later today.
    
    
    - Dan.
    --
    Dan Irwin - Systems Administrator
    Jackie's Wholesale Nurseries Pty Ltd
    Email: danat_private
    Phone: 07 3888 2481
    Fax: 07 3888 2530
    Postal: 10 Gleeson Road Burpengary Queensland 4505
    Email: infoat_private
    Web: http://www.jackies.com.au
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Fri Apr 19 2002 - 09:45:20 PDT