Security Incidents mailing list archives
Re: LJK2 rootkit?
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Tue, 16 May 2000 17:40:18 -0400
On Tue, 16 May 2000, Felix Schueren wrote:
sshconfig:
total 574
drwxr-xr-x 2 root root 1024 May 16 07:53 ./
drwxr-xr-x 9 root root 1024 May 16 07:53 ../
-rwxr-xr-x 1 root root 580696 Feb 18 21:24 RK1ssh*
looks like a trivial variant of LRK4, yet again. *shrug* not a bad design for a rootkit, but heck, not perfect (obviously).

looks like you know what you're doing for cleanup, but for some real fun, check the /root/.ssh/known-hosts file. often, 3133+ hax0r d00dz will forget to not log known hostkeys and it thus retains a list of hosts they connected to.

jose nazario
jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
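An added example, not part of the original post: one way a responder could list the hosts recorded in a known-hosts file taken from a compromised account, following the line format documented in sshd(8). The function name, the default port of 22 and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample (not from this incident): the usual known_hosts line shapes.
SAMPLE = """\
# comment line
shell.example.net 1024 35 1409076329
192.0.2.10,box.example.org ssh-rsa AAAAB3NzaC1yc2E=
[198.51.100.7]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5
|1|c2FsdHNhbHQ=|aGFzaGhhc2g= ssh-rsa AAAAB3NzaC1yc2E=
@revoked old.example.com ssh-rsa AAAAB3NzaC1yc2E=
"""

def parse_known_hosts(text):
    """Return (hosts, hashed): hosts is a list of (host, port, keytype)
    tuples in file order; hashed counts entries whose names are hashed
    (HashKnownHosts) and therefore cannot be read back."""
    hosts, hashed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):      # @revoked / @cert-authority marker
            fields = fields[1:]
        if len(fields) < 2:
            continue                       # malformed line, skip it
        # SSH1 lines: host bits exponent modulus; SSH2 lines: host keytype key
        keytype = "rsa1" if fields[1].isdigit() else fields[1]
        for name in fields[0].split(","):  # one key may list several names
            if name.startswith("|1|"):
                hashed += 1
                continue
            m = re.fullmatch(r"\[(.+)\]:(\d+)", name)  # [host]:port form
            host, port = (m.group(1), int(m.group(2))) if m else (name, 22)
            hosts.append((host, port, keytype))
    return hosts, hashed

if __name__ == "__main__":
    found, hashed = parse_known_hosts(SAMPLE)
    for host, port, keytype in found:
        print(f"{host}\t{port}\t{keytype}")
    print(f"{hashed} hashed entries (host names not recoverable from the file)")
```

Run it against a copy of the file from a forensic image rather than on the live system, and treat the output as leads to correlate with logs, since an entry only shows that a host key was once accepted.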