RE: illogic rootkit

From: Dan Irwin (danat_private)
Date: Sun Apr 21 2002 - 13:47:08 PDT

Next message: Dan Irwin: "RE: illogic rootkit"

Previous message: Weber, Markus: "Anyone caught a packet of ... ?"
Maybe in reply to: Dan Irwin: "illogic rootkit"
Next in thread: Dan Irwin: "RE: illogic rootkit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Here it is:

http://www2.linuxphreaks.org/pub/security/rootkits/illogic.tgz


Output from Installer:

http://www2.linuxphreaks.org/pub/hp/20020418/illogic-install.txt

chkrootkit output:

http://www2.linuxphreaks.org/pub/hp/20020418/chkrootkit.log


Sorry for the delay. I wanted to post this using my work account to avoid
any confusion, and i dont work on weekends.

- Dan.



--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: danat_private
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: infoat_private
Web: http://www.jackies.com.au


-----Original Message-----
From: Dan Irwin [mailto:danat_private]
Sent: Friday, 19 April 2002 2:21 PM
To: 'incidentsat_private'
Subject: illogic rootkit


Hi all.

I found a rootkit named "illogic" on a recently compromised Redhat 7.2
Honeypot. Searches on google and altavista revealed nothing, but a search on
google groups relvealed 1 news article which originated from russia.

Anyone seen this before?

It appears the attacker left a copy of the illogic.tgz file intact on my
honeypot. Last night I did some quick forensics, and discovered the
following things about this rootkit:

 * Contains the Adore rootkit
 * Contains many trojaned binaries (sshd, syslog, etc)
 * Contains several ./massrooting tools (ssh, lpd, wuftpd)
 * Contains DDoS tools
 * And much more.

This is all in 1 package, about a megabyte in size.

From my tcpdump logs i also traced the FTP server from which this was
downloaded. I also obtained the attackers username/password for the
aforementioned FTP site.

I will publish the rootkit on my personal web site sometime later today.


- Dan.






--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: danat_private
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: infoat_private
Web: http://www.jackies.com.au


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Dan Irwin: "RE: illogic rootkit"
Previous message: Weber, Markus: "Anyone caught a packet of ... ?"
Maybe in reply to: Dan Irwin: "illogic rootkit"
Next in thread: Dan Irwin: "RE: illogic rootkit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Apr 21 2002 - 19:27:07 PDT