Anyone know this rootkit (rootkits?)

From: Steve Bougerolle (steveb@creek-and-cowley.com)
Date: Thu Jul 25 2002 - 08:26:27 PDT

    I was trying to fix up a crashed Red Hat Linux 7.2 server for a client today, and
    after a bit of fiddling discovered what looks pretty clearly like a
    rootkit.  It had files stored in /dev/\ \ \ , modified a bunch of
    binaries including su, netstat, ls, ps, and ifconfig, and installed some
    sort of sshd trojan in a whole bunch of places.  Sound familiar to
    anyone?  (i.e., who knows where I can learn more about it?)
    
    While cleaning up the mess with that, things still weren't working so I
    looked farther and discovered ANOTHER bunch of covert directories,
    called /dev/.id, /dev/.sh and /dev/.so (IIRC).  These were linked to an
    entry in the rc.local boot script which powered up something in /dev/.id
    (didn't have time to note the details yet, sorry).
    
    Anyone hear of these?  Is this one rootkit or more than one?
    
    -- 
    Steve Bougerolle
    Creek & Cowley Consulting
    
    http://www.creek-and-cowley.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
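An added example, not part of Steve's post or anything from the list: a small POSIX sh script that hunts for the two kinds of indicator he describes, directories under /dev whose names begin with "." or contain whitespace (/dev/\ \ \ , /dev/.id, /dev/.sh, /dev/.so), and rc.local lines that launch something out of such a directory. The tree it scans is constructed under mktemp so the script runs offline; the directory names, the sample rc.local hook line and the helper function names are assumptions for illustration, not taken from the compromised host.

```shell
#!/bin/sh
# Added example (not from the original post). Scans for the indicators the
# post describes: odd directory names under /dev and rc.local hooks into them.
# The sample tree below is CONSTRUCTED for the demo; on a suspect host point
# the functions at the real /dev and /etc/rc.d/rc.local instead, ideally from
# a known-good rescue medium since ls/find on the box may themselves be trojaned.

# Build a throwaway tree: a fake /dev holding the hidden/whitespace directory
# names from the post plus two legitimate-looking entries, and a fake rc.local
# with one hook line of the kind the post mentions (assumed content).
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/dev/   " "$base/dev/.id" "$base/dev/.sh" "$base/dev/.so" \
             "$base/dev/pts" "$base/dev/shm"
    cat > "$base/rc.local" <<'EOF'
#!/bin/sh
# This script will be executed *after* all the other init scripts.
touch /var/lock/subsys/local
/dev/.id/start >/dev/null 2>&1
EOF
    echo "$base"
}

# Entries directly under the given dev directory whose names start with "."
# or contain a space. A clean /dev on Red Hat 7.2 has neither.
find_odd_dev_entries() {
    find "$1" -mindepth 1 -maxdepth 1 \( -name '.*' -o -name '* *' \) -print
}

count_odd_dev_entries() {
    find_odd_dev_entries "$1" | wc -l | tr -d ' '
}

# Non-comment lines of an rc script that reference a hidden or whitespace-named
# path under /dev. The pattern deliberately does not match /dev/null redirects.
find_rc_hooks() {
    grep -nE '/dev/(\.| )' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

count_rc_hooks() {
    find_rc_hooks "$1" | wc -l | tr -d ' '
}

# On the real host, check the binaries the post lists against the RPM database
# (rpm -Vf verifies the package owning each file). Only meaningful if the rpm
# database itself is intact; a rootkit can tamper with that too.
verify_rpm_owned() {
    for f in "$@"; do
        rpm -Vf "$f" || echo "MODIFIED: $f"
    done
}

# Demo run against the constructed tree.
SAMPLE=$(make_sample_tree)
echo "Suspicious /dev entries:"
find_odd_dev_entries "$SAMPLE/dev"
echo "rc.local hooks into /dev:"
find_rc_hooks "$SAMPLE/rc.local"
rm -rf "$SAMPLE"
```

On a live system run `find_odd_dev_entries /dev` and `find_rc_hooks /etc/rc.d/rc.local`, then `verify_rpm_owned /bin/su /bin/netstat /bin/ls /bin/ps /sbin/ifconfig`; treat a clean RPM result with suspicion if the rootkit also replaced rpm or its database.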
    



    This archive was generated by hypermail 2b30 : Thu Jul 25 2002 - 08:42:27 PDT