Security Incidents mailing list archives

illogic rootkit


From: Dan Irwin <dan () jackies com au>
Date: Fri, 19 Apr 2002 14:21:01 +1000

Hi all.

I found a rootkit named "illogic" on a recently compromised Redhat 7.2
honeypot. Searches on Google and AltaVista revealed nothing, but a search on
Google Groups revealed 1 news article which originated from Russia.

Anyone seen this before?

It appears the attacker left a copy of the illogic.tgz file intact on my
honeypot. Last night I did some quick forensics, and discovered the
following things about this rootkit:

 * Contains the Adore rootkit
 * Contains many trojaned binaries (sshd, syslog, etc)
 * Contains several ./massrooting tools (ssh, lpd, wuftpd)
 * Contains DDoS tools
 * And much more.

This is all in 1 package, about a megabyte in size.

From my tcpdump logs I also traced the FTP server from which this was
downloaded. I also obtained the attacker's username/password for the
aforementioned FTP site.

I will publish the rootkit on my personal web site sometime later today.


- Dan.

--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: dan () jackies com au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: info () jackies com au
Web: http://www.jackies.com.au
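One check a defender can run against a box like this, added here as an example and not code from Dan's post: parse `rpm -Va` output and flag packaged non-config files whose contents no longer match the RPM database, which is how replaced sshd/syslogd binaries stand out on a Redhat install. The sample verify output and the function names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample of `rpm -Va` output (not taken from the compromised host).
SAMPLE_RPM_VA = """\
S.5....T   /usr/sbin/sshd
S.5....T   /sbin/syslogd
.......T c /etc/ssh/sshd_config
S.5....T c /etc/passwd
.M......   /usr/bin/ls
missing    /usr/bin/top
"""

# Flag field of `rpm -Va`: S size, M mode, 5 MD5 digest, D device, L symlink,
# U user, G group, T mtime (older rpm prints 8 columns, newer adds P and C).
# An optional one-letter file type follows (c = config, d = doc, ...), then the path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTPC.?]{8,9}|missing)\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/\S+)$"
)


def parse_rpm_va(text: str) -> List[Dict[str, str]]:
    """Parse verify output into {'flags', 'type', 'path'} records; skip unparsable lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append({"flags": m["flags"], "type": m["type"] or "", "path": m["path"]})
    return entries


def suspicious_files(entries: List[Dict[str, str]]) -> List[str]:
    """Return packaged non-config files whose payload changed or that are missing.

    Config files ('c') change legitimately and are skipped. A changed MD5 or size
    on a binary such as sshd or syslogd is what a replaced (trojaned) file looks like;
    a changed mode or mtime alone is not treated as evidence here.
    """
    hits = []
    for e in entries:
        if e["type"] == "c":
            continue
        if e["flags"] == "missing" or "5" in e["flags"] or "S" in e["flags"]:
            hits.append(e["path"])
    return hits


if __name__ == "__main__":
    for path in suspicious_files(parse_rpm_va(SAMPLE_RPM_VA)):
        print("modified or missing packaged file:", path)
```

Because a kernel-module rootkit such as Adore hides files from the live system and an attacker with root can also rewrite the RPM database, run this against an offline image (for example `rpm -Va --root /mnt/image`) or verify against pristine package files with `rpm -Vp` rather than trusting the compromised host.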


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com