I've recently encountered a rootkit I've not seen before. It's a Linux one that replaces a bunch of binaries in /bin (things like ls, cp, grep, hostname, df, dd, and a bunch of others). The feature I haven't seen before is that if you replace one of these binaries with a non-rootkit version, the file is re-replaced within seconds. Also, executing one of them (ls for instance) while the system is booted single user will cause network modules to be loaded, eth0 to be put in promiscuous mode, and a bunch of net-pf-14 module requests.

Anyone else seen/encountered this? I have copies of the rootkit binaries, but no source, and I haven't had the time yet to put them on a disposable system and closely monitor what they do and how the re-replacement works.

----------------------------------------------------------------------
 Jon Lewis *jlewisat_private*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
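The two symptoms the post describes (watched binaries being swapped back within seconds, and eth0 flipped into promiscuous mode) are both cheap to detect from a trusted baseline. The following is an added example written for this archive page, not code from the original poster or from the rootkit itself: it hashes the named /bin binaries against a baseline, polls for re-replacement, and interprets the interface flags file Linux exposes under /sys/class/net. The IFF_PROMISC bit value comes from <linux/if.h>; the sample binaries, the temporary directory and the flag values in the demo are constructed for illustration.

```python
"""Detect re-replaced binaries and a promiscuous interface (added example)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Flag bit from <linux/if.h>; /sys/class/net/<iface>/flags exposes the value as hex.
IFF_PROMISC = 0x100

# Binaries the post says the rootkit replaces in /bin.
WATCHED_BINARIES = ["ls", "cp", "grep", "hostname", "df", "dd"]


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, or None if it is missing."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def snapshot(bindir, names=WATCHED_BINARIES):
    """Hash every watched binary under bindir.

    A trustworthy baseline should be taken from known-good media (rescue CD,
    package files), not from the possibly compromised running system.
    """
    return {name: sha256_of(os.path.join(bindir, name)) for name in names}


def changed_since(baseline, current):
    """Sorted names whose content (or presence) differs from the baseline."""
    return sorted(n for n in baseline if baseline[n] != current.get(n))


def watch(bindir, baseline, rounds, interval_s, names=WATCHED_BINARIES):
    """Poll bindir `rounds` times; return (round_index, changed_names) for each round with changes."""
    events = []
    for i in range(rounds):
        diff = changed_since(baseline, snapshot(bindir, names))
        if diff:
            events.append((i, diff))
        time.sleep(interval_s)
    return events


def is_promiscuous(flags_hex):
    """Interpret the text of /sys/class/net/<iface>/flags (e.g. '0x1103')."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def demo():
    """Constructed scenario: clean baseline, one binary swapped, change caught on the next poll."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in WATCHED_BINARIES:
            Path(bindir, name).write_bytes(b"clean " + name.encode())  # stand-ins for real binaries
        baseline = snapshot(bindir)
        assert watch(bindir, baseline, rounds=1, interval_s=0) == []  # nothing changed yet
        Path(bindir, "ls").write_bytes(b"simulated re-replacement of ls")
        return watch(bindir, baseline, rounds=1, interval_s=0)


if __name__ == "__main__":
    print(demo())  # [(0, ['ls'])]
    # On a live host: is_promiscuous(Path("/sys/class/net/eth0/flags").read_text())
```

On a real system, run the hash baseline and the flags check from a boot of known-good media rather than from the suspect install, since the post notes that the rootkit's replaced binaries are what you would otherwise be using to inspect it.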
This archive was generated by hypermail 2b30 : Sat Jun 28 2003 - 10:51:44 PDT