Security Incidents mailing list archives

Spanish rootkit


From: Vitaly Osipov <vos () TELENOR CZ>
Date: Wed, 20 Sep 2000 14:42:46 +0200

Hi all,

I was observing one computer - seems like it was rooted at least two times
by different people (last one was from Greece). First crack I guess came
from bind exploit... First was somewhat unknown - I guess kind of tornkit or
even its parent (files are dated 15 Aug early a.m., mostly trojaning ps,
dir, du, vdir, netstat, ifconfig). Second one is much more interesting - it
even uses kernel module for hiding processes/listening ports (module is
called adore.o). And it is written somewhere in Spain - I attach its
install script (rootkit itself is charbd.tar.gz). Is it something known or
more or less new? And can somebody please translate the comments from that
script?

regards,
Vitaly.

Attachment: hack