Hi, I guess it's the "tuxkit" rootkit, which the attacker has installed on your machine. This rootkit, to my knowledge, opens up an SSH shell and replaces the binaries ps, ls, su, etc. You might get some pointers on Google if you search for tuxkit. It's a relatively new rootkit... well, not that new right now! Hope that helps.

Cheers,
-Kartik.

> I was trying to fix up a crashed Red Hat Linux 7.2 server for a client today, and
> after a bit of fiddling discovered what looks pretty clearly like a
> rootkit. It had files stored in /dev/\ \ \ , modified a bunch of
> binaries including su, netstat, ls, ps, and ifconfig, and installed some
> sort of sshd trojan in a whole bunch of places. Sound familiar to
> anyone? (i.e., who knows where I can learn more about it?)
>
> While cleaning up the mess with that, things still weren't working, so I
> looked farther and discovered ANOTHER bunch of covert directories,
> called /dev/.id, /dev/.sh and /dev/.so (IIRC). These were linked to an
> entry in the rc.local boot script which powered up something in /dev/.id
> (didn't have time to note the details yet, sorry).
>
> Anyone hear of these? Is this one rootkit or more than one?
>
> --
> Steve Bougerolle
> Creek & Cowley Consulting
>
> http://www.creek-and-cowley.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
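The indicators Steve lists (plain files and dot-directories hiding under /dev, an rc.local entry that launches something from /dev, and replaced su/netstat/ls/ps binaries) can be triaged from a clean host. The script below is an added example, not code from the thread or from any rootkit-detection tool; it assumes every check takes a path argument so it can be pointed at a mounted image of the compromised disk rather than run on the live box, whose own ls and find cannot be trusted once the binaries are trojaned. The sample image it builds is constructed to mirror the thread's description, and the netstat baseline hash is a labelled placeholder. On Red Hat, rpm -V is the package-manager counterpart of the baseline comparison.

```shell
#!/bin/sh
# Offline triage for the indicators in the thread: odd entries under /dev
# (dot-dirs, a directory named with spaces), an rc.local hook that starts
# something from /dev, and trojaned system binaries.
# Assumption (not from the thread): every check takes a root/path argument so it
# can be run from a clean host against a mounted image of the compromised disk,
# because the compromised box's own ls/ps/netstat/find cannot be trusted.

# 1. Entries under a /dev tree that are not device nodes, symlinks, fifos or
#    sockets. Legitimate dynamic dirs (pts, shm) are pruned; any plain file or
#    directory that remains deserves a look.
find_nondevice_entries() {
    dev_dir="$1"
    find "$dev_dir" -mindepth 1 \( -name pts -o -name shm \) -prune -o \
        ! -type c ! -type b ! -type l ! -type p ! -type s -print
}

# 2. Non-comment lines in an rc.local that reference /dev/. A stock rc.local
#    has no reason to launch anything that lives under /dev.
rc_local_dev_references() {
    grep -v '^[[:space:]]*#' "$1" | grep '/dev/' || true
}

# 3. Compare binaries under $root against a sha256sum-format baseline
#    ("<sha256>  <path>") recorded on a known-good host with the same
#    packages. Prints one line per binary that differs or is missing.
verify_against_baseline() {
    baseline="$1"
    root="$2"
    while read -r expected path; do
        [ -z "$path" ] && continue
        actual=$(sha256sum "$root$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED_OR_MISSING $path"
        fi
    done < "$baseline"
}

# Constructed sample image mirroring the thread (not real data): /dev/.id and
# "/dev/   " holding payload files, an rc.local line starting /dev/.id/start,
# a baseline taken before ls was replaced, and netstat listed in the baseline
# but absent from the image.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev/pts" "$t/dev/.id" "$t/dev/   " "$t/etc" "$t/bin"
    ln -s /dev/null "$t/dev/null"            # stands in for a legitimate device entry
    echo payload > "$t/dev/.id/start"
    echo payload > "$t/dev/   /sshd"
    printf '#!/bin/sh\n# a /dev/ mention in a comment is harmless\n/dev/.id/start &\n' > "$t/etc/rc.local"
    echo 'good ps' > "$t/bin/ps"
    echo 'good ls' > "$t/bin/ls"
    {
        sha256sum "$t/bin/ps" "$t/bin/ls" | sed "s|$t||"
        echo 'PLACEHOLDER_HASH_OF_GOOD_NETSTAT  /bin/netstat'   # constructed placeholder hash
    } > "$t/baseline.sha256"
    echo 'trojaned ls' > "$t/bin/ls"        # the "compromise": ls replaced after the baseline
    echo "$t"
}

# Run all three checks against the sample image, then clean up.
run_demo() {
    img=$(build_sample_tree)
    echo "== non-device entries under /dev =="
    find_nondevice_entries "$img/dev"
    echo "== rc.local lines touching /dev =="
    rc_local_dev_references "$img/etc/rc.local"
    echo "== binaries differing from baseline =="
    verify_against_baseline "$img/baseline.sha256" "$img"
    rm -rf "$img"
}

run_demo
```

Against the sample image the first check lists /dev/.id, /dev/.id/start and the space-named directory with its payload while skipping the device symlink and pts; the second returns only the uncommented `/dev/.id/start &` line; the third flags /bin/ls as changed and /bin/netstat as missing and stays quiet about the untouched /bin/ps. The baseline must come from a trusted host or from package metadata, never from the suspect machine itself.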
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 10:28:08 PDT