Just caught a variant of yoyo, a Linux rootkit based on lrk.
http://security.alldas.mirror.widexs.nl/analysis/?aid=2

Has anyone dealt with yoyo? The system in question will be getting a fresh install of Redhat, but I'm curious about some of the symptoms seen.

1) The backdoor was loaded from /usr/lib/setup via /etc/rc.d/rc.local *AND* /etc/rc.d/rc.sysinit. Both files were cleaned and the backdoor removed. Upon reboot, rc.local and rc.sysinit were modified again - this time they were chattr'ed.

2) Does this rootkit affect rpm databases? Rpm was seriously broken after the rootkit.

3) When all visible signs of the rootkit were removed, rpms were refreshed from r/o media, and the system was rebooted, an interesting behavior was observed. Logging in as root:

    lsof | grep 3409

shows nothing, and

    netstat -apm | grep 3409

displays nothing. A minute later, netstat would show a PID in the 800-820 range that appeared to be bound to udp/3409. Probes to 3409/udp from an external machine would fail: the port appears bound but doesn't respond to network requests. This behavior would continue with any other processes started by root.

4) Is yoyo an LKM?

Finally, have any php exploits been associated with yoyo? While researching yoyo, I found some hidden directories with phpscan and some other php-named utilities.

The system is getting a fresh installation shortly, but curiosity has gotten to me.

Regards,
-gordon
This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 15:30:49 PST
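The checks below are an added example written by the editor, not code from the post or from any yoyo/lrk analysis. It turns the symptoms gordon reports into offline triage logic: lrk-style kits ship trojaned netstat/ps/ls binaries, so the reliable way to see a bound udp/3409 is to read /proc/net/udp (port 0x0D51) and compare it against what netstat prints; the rc files are scanned for the /usr/lib/setup loader path the post names; and lsattr output is checked for the immutable flag that chattr +i sets. All sample outputs (the /proc/net/udp table, the netstat listing, the rc.local contents, the lsattr lines) are constructed for the example; the loader path and port number come from the post.

```python
"""Offline triage helpers for the symptoms in the post (added example, not the poster's code)."""
import re

# Constructed /proc/net/udp sample: 0x006F is udp/111, 0x0D51 is udp/3409.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 00000000:0D51 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5678
"""

# Constructed `netstat -anp` sample that lists only the portmapper socket,
# as a trojaned netstat hiding the backdoor's socket would.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:111             0.0.0.0:*                           543/portmap
"""

# Constructed rc.local with a loader line under the directory named in the post.
SAMPLE_RC_LOCAL = """\
#!/bin/sh
touch /var/lock/subsys/local
/usr/lib/setup/init >/dev/null 2>&1
"""

# Constructed `lsattr /etc/rc.d/rc.local /etc/rc.d/rc.sysinit` output; 'i' marks immutable.
SAMPLE_LSATTR = """\
----i--------- /etc/rc.d/rc.local
-------------- /etc/rc.d/rc.sysinit
"""

LOADER_RE = re.compile(r"/usr/lib/setup\b")  # path reported in the post (assumption: literal match)


def proc_udp_ports(text):
    """Return {port: inode} for every socket in /proc/net/udp-style text (ports are hex)."""
    ports = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)
        ports[port] = int(fields[9])
    return ports


def netstat_udp_ports(text):
    """Return {port: 'pid/program'} for the udp lines of `netstat -anp` output."""
    ports = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("udp"):
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        ports[port] = fields[-1] if "/" in fields[-1] else "-"
    return ports


def hidden_udp_ports(proc_text, netstat_text):
    """Ports the kernel reports bound that netstat omits: a sign netstat itself is trojaned."""
    return sorted(set(proc_udp_ports(proc_text)) - set(netstat_udp_ports(netstat_text)))


def loader_lines(rc_text):
    """(line number, text) of rc script lines that reference the loader directory."""
    return [(n, ln) for n, ln in enumerate(rc_text.splitlines(), 1) if LOADER_RE.search(ln)]


def immutable_files(lsattr_text):
    """Paths whose lsattr flags include 'i'; these need `chattr -i` before they can be cleaned."""
    found = []
    for line in lsattr_text.splitlines():
        flags, _, path = line.partition(" ")
        if "i" in flags:
            found.append(path.strip())
    return found


def triage(proc_text, netstat_text, rc_text, lsattr_text):
    """Collect the three findings into one report dict."""
    return {
        "hidden_udp_ports": hidden_udp_ports(proc_text, netstat_text),
        "loader_lines": loader_lines(rc_text),
        "immutable_files": immutable_files(lsattr_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PROC_NET_UDP, SAMPLE_NETSTAT,
                             SAMPLE_RC_LOCAL, SAMPLE_LSATTR).items():
        print(f"{key}: {value}")
```

On a live box the same functions would be fed `open("/proc/net/udp").read()`, the output of `netstat -anp`, the rc files, and `lsattr` output; a port that /proc shows bound but netstat does not is the one finding that cannot be explained away, since /proc comes from the kernel while the netstat binary may have been replaced by the kit.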