Security Incidents mailing list archives
illogic rootkit
From: Dan Irwin <dan () jackies com au>
Date: Fri, 19 Apr 2002 14:21:01 +1000
Hi all. I found a rootkit named "illogic" on a recently compromised Red Hat 7.2 honeypot. Searches on Google and AltaVista revealed nothing, but a search on Google Groups revealed one news article which originated from Russia. Anyone seen this before?

It appears the attacker left a copy of the illogic.tgz file intact on my honeypot. Last night I did some quick forensics, and discovered the following things about this rootkit:

* Contains the Adore rootkit
* Contains many trojaned binaries (sshd, syslog, etc.)
* Contains several ./massrooting tools (ssh, lpd, wuftpd)
* Contains DDoS tools
* And much more.

This is all in one package, about a megabyte in size.
From my tcpdump logs I also traced the FTP server from which this was downloaded. I also obtained the attacker's username/password for the aforementioned FTP site. I will publish the rootkit on my personal web site sometime later today.

- Dan.

--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: dan () jackies com au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: info () jackies com au
Web: http://www.jackies.com.au

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com