Security Incidents mailing list archives
Re: spanish rootkit
From: John Yang <jyang () BLACKBOARD COM>
Date: Wed, 20 Sep 2000 16:07:46 -0400
Here's a copy that I ran through babel.altavista.com

John Yang
Web Engineering Manager
Blackboard Inc.
jyang () blackboard com
http://www.blackboard.com

-----Original Message-----
From: Vitaly Osipov [mailto:vos () TELENOR CZ]
Sent: Wednesday, September 20, 2000 8:43 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: spanish rootkit

Hi all,

I was observing one computer - seems like it was rooted at least two times by different people (last one was from greece). First crack I guess came from bind exploit...

First was somewhat unknown - I guess kind of tornkit or even its parent (files are dated 15 Aug early a.m., mostly trojaning ps, dir, du, vdir, netstat, ifconfig)

Second one is much more interesting - it even uses kernel module for hiding processes/listening ports (module is called adore.o). And it is written somewhere in Spain - I attach its install script (rootkit itself is charbd.tar.gz).

Is it something known or more or less new? And can somebody please translate the comments from that script?

regards,
Vitaly.

Attachment: hack