Security Incidents mailing list archives

another rootkit


From: Alvin Oga <alvin.sec () Mail Linux-Consulting com>
Date: Fri, 1 Jun 2001 23:23:52 -0700 (PDT)


hi ya

i found this today in one of my machines...

sorta harmless that it installed itself and used up all of the
root partition with a 20Mb killall file... 

i've since cleaned up the directories etc...

just was curious why i couldn't find any references on
any of the "unique" keywords ( maniac-Rk, grabb, ipz.gz ... )

c ya
alvin
http://www.Linux-Sec.net

-- it changed netstat, ls, top, ifconfig with its versions
-- it added /usr/bin/geqn, /usr/sbin/mailrc, /usr/lib/.ark?


cd /dev/..\?.
-------------
ls -laR
.:
total 128
drwxr-xr-x   3 root     root         1024 Jun  1 04:49 ./
drwxr-xr-x   7 root     root        27648 Jun  1 18:03 ../
drwxr-xr-x   2 root     root         1024 Jun  1 04:48 maniac-Rk/
-rwxr-xr-x   1 root     root        98924 Jun  1 04:40 tar*

maniac-Rk:
total 236
drwxr-xr-x   2 root     root         1024 Jun  1 04:48 ./
drwxr-xr-x   3 root     root         1024 Jun  1 04:49 ../
-rwxr-xr-x   1 root     root         5043 Mar 23 07:18 addlen*
-rw-r--r--   1 root     root         5744 May 31 10:10 adore.o
-rwxr-xr-x   1 root     root        14248 May 31 10:10 ava*
-rwxr-xr-x   1 root     root        20445 Apr  2 12:24 bnc.gz*
-rwxr-xr-x   1 root     root         1080 Mar 23 07:48 clear_logs*
-rwxr-xr-x   1 root     root         7985 Mar 23 07:38 fix*
-rwxr-xr-x   1 root     root        10171 May  4 12:39 grabbb.gz*
-rwxr-xr-x   1 root     root         5220 Jun  1 18:53 install.sh*
-rwxr-xr-x   1 root     root         4734 May  8 10:04 ipz.gz*
-rwxr-xr-x   1 root     root        10496 Mar 23 07:48 pine.out*
-rwxr-xr-x   1 root     root        15335 May 31 09:58 ping*
-rwxr-xr-x   1 root     root         9070 May  4 11:55 slice*
-rw-r--r--   1 root     root        19700 Jun  1 18:03 snifflog
---s--s--x   1 root     root        11869 Apr  4 19:10 sush*
-rwxr-xr-x   1 root     root        14319 May 31 10:05 tty*
-rwxr-xr-x   1 root     root        12405 May 31 09:38 vanish2.gz*
-rwxr-xr-x   1 root     root        58068 May 19 06:58 wget.gz*
#
# end of list...
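
Added example, not part of the original post: a small Python check for the three things the listing above shows under /dev, namely a directory named to look like ".." in a listing, ordinary files where only device nodes belong, and a setuid/setgid binary. The function names and the constructed sample tree are assumptions made here; the sample assumes the character shown as "?" in the directory name was a space.

```python
import os
import stat
import sys
import tempfile

def is_disguised(name):
    """True for names built to look like '.' or '..' in a listing:
    a leading dot plus whitespace/non-printable characters, or dots only."""
    if not name.startswith("."):
        return False
    odd = any(c.isspace() or not c.isprintable() for c in name)
    return odd or (len(name) > 2 and set(name) == {"."})

def scan(root):
    """Walk root without following symlinks; return sorted (reason, path) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if is_disguised(name):
                findings.append(("disguised-name", path))
            if stat.S_ISREG(mode):
                # A device directory should hold device nodes, not ordinary files.
                findings.append(("regular-file", path))
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append(("setid-file", path))
    return sorted(findings)

def build_sample(base):
    """Constructed stand-in for the listing above: '.. .' assumes the
    character shown as '?' was a space; file contents are empty."""
    kit = os.path.join(base, ".. .", "maniac-Rk")
    os.makedirs(kit)
    for name in ("adore.o", "sush"):
        open(os.path.join(kit, name), "w").close()
    os.chmod(os.path.join(kit, "sush"), 0o6111)  # ---s--s--x as in the listing
    os.mkdir(os.path.join(base, "pts"))          # ordinary subdirectory, not flagged
    return kit

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan(sys.argv[1])       # e.g. pass /dev on a suspect host
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp)
            results = scan(tmp)
    for reason, path in results:
        print(f"{reason:15} {path!r}")
```

Since the post says ls itself was replaced, run a check like this from trusted media or against an offline mount of the disk rather than on the live system.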

