Steve and all,

>rootkit. It had files stored in /dev/\ \ \ , modified a bunch of
>binaries including su, netstat, ls, ps, and ifconfig, and installed some
>sort of sshd trojan in a whole bunch of places. Sound familiar to
>anyone? (i.e., who knows where I can learn more about it?)

Yeah, in fact it sounds like most rootkits I've seen.

>While cleaning up the mess with that, things still weren't working so I
>looked farther and discovered ANOTHER bunch of covert directories,

Sure, some kits deploy a sniffer in one place, sshd in another, adore
(have you found anything kernel-level?) in yet another place.

>Anyone hear of these? Is this one rootkit or more than one?

It can be one or it can be more. If you had no Tripwire/integrity checking
software there is no way to _reliably_ find all traces of the penetration.
In fact, even if you do have it - it is still not likely. Rebuilding the
box is the most popular advice given in this list ;-)

Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
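The two checks Anton's answer turns on (a known-good baseline of the binaries the kit replaced, and a look for stash directories such as /dev/\ \ \ ) are shown below as an added example. This is not code from the original thread or from Tripwire; it builds a constructed directory tree in a temp dir that mimics the reported box (trojaned ps, removed netstat, a whitespace-named directory under a fake /dev), and the names `build_baseline`, `compare_baseline` and `suspicious_dev_entries` are the example's own.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): a minimal integrity baseline
plus a sweep of /dev for stash directories and regular files.

Caveats a responder should keep in mind, per the thread:
  * The baseline is only worth anything if it was taken from known-good media
    BEFORE the compromise and stored off the box; hashing trojaned binaries
    just baselines the trojans.
  * A kernel-level kit (adore was named) can lie to lstat()/readdir(), so a
    clean result from a live, possibly-rooted kernel proves little.
"""
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its digest. Run this from trusted media, keep it off-host."""
    return {p: hash_file(p) for p in paths}


def compare_baseline(baseline):
    """Return {path: 'modified' | 'missing'} for every entry that no longer matches."""
    findings = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif hash_file(path) != digest:
            findings[path] = "modified"
    return findings


def suspicious_dev_entries(dev_dir):
    """Walk a /dev tree and flag (a) any name made only of whitespace/dots or
    containing whitespace, such as '/dev/   ', and (b) any regular file, since
    /dev should hold device nodes, symlinks, fifos and a few directories.
    Legitimate exceptions vary by distro; treat hits as leads, not verdicts."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(dev_dir):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, dev_dir)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            odd_name = name.strip(" .") == "" or any(c.isspace() for c in name)
            if odd_name or stat.S_ISREG(mode):
                findings.append(rel)
    return sorted(findings)


def demo():
    """Constructed scenario mirroring the report: take a baseline, then simulate
    the intrusion and run both checks. Returns (baseline findings, /dev findings)."""
    root = tempfile.mkdtemp(prefix="rk-")
    bin_dir = os.path.join(root, "bin")
    dev_dir = os.path.join(root, "dev")
    os.makedirs(bin_dir)
    os.makedirs(dev_dir)

    binaries = {}
    for name in ("su", "ls", "ps", "netstat", "ifconfig"):
        path = os.path.join(bin_dir, name)
        with open(path, "wb") as f:
            f.write(b"ELF stand-in for " + name.encode())  # constructed content
        binaries[name] = path
    baseline = build_baseline(binaries.values())  # taken while still clean

    # Simulate the kit: trojan ps, drop netstat, stash an sshd under '/dev/   '.
    with open(binaries["ps"], "ab") as f:
        f.write(b"\nhide the sniffer's pids")
    os.remove(binaries["netstat"])
    os.makedirs(os.path.join(dev_dir, "pts"))                  # legitimate directory
    os.symlink("/proc/self/fd", os.path.join(dev_dir, "fd"))   # legitimate symlink
    stash = os.path.join(dev_dir, "   ")
    os.makedirs(stash)
    with open(os.path.join(stash, "sshd"), "wb") as f:
        f.write(b"trojan sshd stand-in")  # constructed content

    by_name = {os.path.basename(p): v for p, v in compare_baseline(baseline).items()}
    return by_name, suspicious_dev_entries(dev_dir)


if __name__ == "__main__":
    changed, stashes = demo()
    print("baseline mismatches:", changed)
    print("suspicious /dev entries:", [repr(s) for s in stashes])
```

Run it as-is for the constructed scenario; on a real box you would point `build_baseline` at /bin, /sbin and /usr/bin while booted from clean media, and `suspicious_dev_entries` at the real /dev, then review hits against what your distribution legitimately puts there.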
This archive was generated by hypermail 2b30 : Fri Jul 26 2002 - 08:38:12 PDT