Security Incidents mailing list archives
spanish rootkit
From: Vitaly Osipov <vos () TELENOR CZ>
Date: Wed, 20 Sep 2000 14:42:46 +0200
Hi all,

I was observing one computer - seems like it was rooted at least two times by different people (last one was from Greece). First crack I guess came from bind exploit...

First was somewhat unknown - I guess kind of tornkit or even its parent (files are dated 15 Aug early a.m., mostly trojaning ps, dir, du, vdir, netstat, ifconfig).

Second one is much more interesting - it even uses kernel module for hiding processes/listening ports (module is called adore.o). And it is written somewhere in Spain - I attach its install script (rootkit itself is charbd.tar.gz).

Is it something known or more or less new? And can somebody please translate the comments from that script?

regards,
Vitaly.
Attachment: hack
Current thread:
- spanish rootkit Vitaly Osipov (Sep 20)
- Re: spanish rootkit Elias Levy (Sep 20)
- Re: spanish rootkit typo (Sep 21)
- charbd rootkit ( Re: spanish rootkit) Vitaly Osipov (Sep 22)
- <Possible follow-ups>
- Re: spanish rootkit John Yang (Sep 21)
- Re: spanish rootkit Martins, Fernando (Lisbon) (Sep 22)