Security Incidents mailing list archives
Re: Linux box 'infected' with RK15
From: Jim Roland <jroland () ROLAND NET>
Date: Wed, 21 Mar 2001 15:09:47 -0600
You have indeed been rootkitted. The most frequent service taken over is telnet, and the "normal" telnet service has been moved to a different port. You can try inquiring as to the listening ports with a "netstat -atn", however netstat and route are typically taken over and will hide these hijacked ports, if they did the rootkit was done completely. You can consider any binaries and /dev and /etc files on your system officially unusable. Restore from a backup, or hopefully you may have used a program called TripWire that will show you files that have been modified (tripwire creates a checksum of each file to inquire modifications). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jim Roland, RHCE (RedHat Certified Engineer) Owner, Roland Internet Services "Never settle with words what you can settle with a flamethrower" -- Anonymous ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ----- Original Message ----- From: "Sean Kelly" <lists () SHORTESTPATH ORG> To: <INCIDENTS () SECURITYFOCUS COM> Sent: Tuesday, March 20, 2001 4:52 PM Subject: Linux box 'infected' with RK15
Hello, I'm new to this list so please correct me if I step out line here :) I have just been handed a Linux web server at my new work place which appears to have been 'infected' with something called RK15 (Rootkit15, I believe). I'm pretty sure I know *how* they got in, but I'm more interested in *what* this RK15 does. I have the install script which installs precompiled binaries of utilities like ifconfig, top, ps, login - the usual for rootkits (it seems to mention some actual exploit binaries [t666, wu-exploit] but these are not on the system. There also appears to be a 'new' service listening on a TCP port which, when opened with telnet, returns a non-sensical string of about 8 characters and seems to be prompting for a response (sorry for the vagueness - I'm writing this from memory at the moment). Does anyone have any knowledge of this rootkit, or have any comments on the above? Thanks, -- Sean Kelly <lists () shortestpath org>
Current thread:
- Linux box 'infected' with RK15 Sean Kelly (Mar 21)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)
- Re: Linux box 'infected' with RK15 Thomas Roessler (Mar 23)
- Re: Linux box 'infected' with RK15 Jim Roland (Mar 22)
- <Possible follow-ups>
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 21)
- Re: Linux box 'infected' with RK15 Miller, Toby (Mar 22)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 23)
- Re: Linux box 'infected' with RK15 Neal Dias (Mar 23)
- Re: Linux box 'infected' with RK15 Sean Kelly (Mar 22)