Security Incidents mailing list archives
Re: linux 'zoot' rootkit/DoSkit/etc
From: Konrad Rieck <kr () roqe org>
Date: Mon, 3 Dec 2001 20:55:21 +0100
On Mon, Dec 03, 2001 at 12:01:52AM -0800, James W. Abendschan wrote:
> A RedHat Linux 6.2 box (**far** outside of my care) had some interesting things done to it-- missing binaries and a nonexistent RPM database, among other oddities. Closer examination revealed a happy little toolkit (aptly named 'zoot') which included the typical mishmash of trojan programs, IRC bots, DoS tools, LKM, sniffer, etc., etc.
I don't believe this toolkit of trojans is called "zoot". Every RedHat Linux release goes with a unique name and *surprise* RedHat Linux 6.2 is titled "zoot" and for example RedHat Linux 7.2 is called "enigma". I am sure the files have been ported to the "zoot" release, but are initially coming from another rootkit. Maybe you can investigate the files more closely and report if you stumble upon any other name except "zoot" ;)

Regards,
Konrad

--
Konrad Rieck <kr () roqe org>
Roqefellaz - http://www.roqe.org, Public Key http://www.roqe.org/keys/kr.pub
-- Fingerprint: 5803 E58E D1BF 9A29 AFCA 51B3 A725 EA18 ABA7 A6A3

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com