Full Disclosure mailing list archives
Re: a little help needed with identifying a rootkit
From: jan.muenther () nruns com
Date: Tue, 13 Jan 2004 20:41:29 +0100
Howdy, I basically have *no* time at the moment, so I just had a very very quick look at these things.
The biggest file you can find on this machine in this directory is a gzipped file which probably contains a rootkit of some sort. The SuSE list is still trying to figure out what the rest does/is and how this fits into the "big picture".
'i' is a statically linked version of the do_brk() local root exploit. Both i.txt and ii.txt appear to be some php injection 'exploits'. 'n' is a statically linked version of netcat. 'rhs' appears to be a statically linked version of the 'rs.c' thingy, which kicks back a shell to a host/port that you specify. The perl scripts are amazingly lame backdoors. I have too much work to look at the rootkit, sorry. Hope that helps, J. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- a little help needed with identifying a rootkit Tobias Weisserth (Jan 13)
- Re: a little help needed with identifying a rootkit jan . muenther (Jan 13)
- Re: a little help needed with identifying a rootkit Tobias Weisserth (Jan 13)
- Re: a little help needed with identifying a rootkit jan . muenther (Jan 13)