Security Incidents mailing list archives

Re: solaris rootkit investigation


From: "Johnny Cyberpunk" <johncybpk () gmx net>
Date: Wed, 6 Jun 2001 22:56:01 +0200

Shawn,

it seems to be the Adore Rootkit.

There is a complete analysis of this rootkit at the following link:

http://www.sans.org/y2k/the_compromise.htm


It also describes that a root@NoraD is being created.


Hope that helps!


cheers

Johnny.Cyberpunk () illegalaccess org



----- Original Message -----
From: "SecLists" <lists () secure stargate net>
To: <incidents () securityfocus com>
Sent: Wednesday, June 06, 2001 6:54 PM
Subject: solaris rootkit investigation


Hello all...

First time posting to the list here...

One of our customers, for whom we do security services when they are needed,
recently had a Solaris 7 box compromised. There appears to be a rootkit
installed that opens an ssh daemon on port 27354 with a sshd_host_key.pub
of:

...root@NoraD

Has anyone seen this before, or has any info on it? I.e., what binaries have
been trojaned, what files have been replaced, etc.?

Thanks,

Shawn Duffy


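The two indicators named in the thread (an sshd listening on TCP 27354 and a host key whose trailing comment is root@NoraD) are the sort of thing a responder wants to sweep for across every box the same customer runs. The script below is an added example, not code from either poster or from the SANS write-up. It parses Solaris-style `netstat -an` output and one-line public key files (both the SSH1 "bits exponent modulus comment" layout that an sshd_host_key.pub of that era used and the OpenSSH "type base64 comment" layout), flags the exact indicators, and also reports any listener that is not on an allow-list, since a rootkit sshd is trivially moved to another port. The netstat and key samples embedded in it are constructed for the example, not captured from the compromised host; the allow-list of ports is an assumption to adjust per host.

```python
"""Sweep for the indicators reported in the thread.

Added example: not code from the original post or from the SANS analysis.
Checks:
  1. TCP listeners from `netstat -an` (Solaris layout, e.g. '*.27354'),
     flagging the reported port and any port not on an allow-list;
  2. public key lines whose trailing comment matches the reported 'root@NoraD'.
"""

SUSPECT_PORTS = {27354}                 # from the original post
SUSPECT_KEY_COMMENTS = {"root@NoraD"}   # from the original post

# Constructed sample of Solaris `netstat -an` output; not real data.
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 24576      0 LISTEN
      *.111                *.*                0      0 24576      0 LISTEN
      *.27354              *.*                0      0 24576      0 LISTEN
192.168.1.5.22       192.168.1.9.1034    8760      0 24820      0 ESTABLISHED
"""

# Constructed sample key file mixing OpenSSH and SSH1 layouts; not real key material.
SAMPLE_KEYS = """\
# constructed sample, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7example root@legit-host
1024 35 1234567890123456789 root@NoraD
ssh-dss AAAAB3NzaC1kc3MAAACBAJexample admin@workstation
"""


def listening_ports(netstat_text):
    """Return {port: local_address} for every LISTEN entry.

    Solaris prints the local endpoint as 'address.port' ('*.22', '10.0.0.1.22'),
    so the port is whatever follows the last dot.
    """
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[0].rpartition(".")
        if port.isdigit():
            ports[int(port)] = addr
    return ports


def key_comment(line):
    """Extract the trailing comment of a one-line public key, or None for blank/# lines.

    SSH1 layout:    'bits exponent modulus [comment]'  -> first field is numeric
    OpenSSH layout: 'type base64 [comment]'
    """
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    body_len = 3 if fields[0].isdigit() else 2
    return " ".join(fields[body_len:]) if len(fields) > body_len else ""


def suspicious_key_comments(key_text, suspect=frozenset(SUSPECT_KEY_COMMENTS)):
    """Return [(line_number, comment)] for key lines whose comment is an indicator."""
    return [(n, c) for n, line in enumerate(key_text.splitlines(), 1)
            if (c := key_comment(line)) in suspect]


def triage(netstat_text, key_text, allowed_ports=frozenset({22, 111})):
    """Return a list of findings; allowed_ports is an assumed per-host allow-list."""
    findings = []
    for port, addr in sorted(listening_ports(netstat_text).items()):
        if port in SUSPECT_PORTS:
            findings.append(f"KNOWN-IOC listener on {addr}.{port}")
        elif port not in allowed_ports:
            findings.append(f"UNEXPECTED listener on {addr}.{port}")
    for n, comment in suspicious_key_comments(key_text):
        findings.append(f"KNOWN-IOC key comment {comment!r} at key line {n}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_KEYS):
        print(finding)
```

Feed it real input by capturing `netstat -an` and the contents of any `*.pub` or authorized_keys file into strings. One caveat that matters on a rooted box: the rootkit replaces exactly the tools this relies on, so take the netstat and directory listings from known-good binaries on read-only media, or from the disk image examined on a clean system, rather than trusting the installed `netstat` and `ls`.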
