Security Incidents mailing list archives

RE: illogic rootkit


From: Dan Irwin <dan () jackies com au>
Date: Mon, 22 Apr 2002 06:47:08 +1000

Here it is:

http://www2.linuxphreaks.org/pub/security/rootkits/illogic.tgz


Output from Installer:

http://www2.linuxphreaks.org/pub/hp/20020418/illogic-install.txt

chkrootkit output:

http://www2.linuxphreaks.org/pub/hp/20020418/chkrootkit.log


Sorry for the delay. I wanted to post this using my work account to avoid
any confusion, and I don't work on weekends.

- Dan.



--
Dan Irwin - Systems Administrator
Jackie's Wholesale Nurseries Pty Ltd
Email: dan () jackies com au
Phone: 07 3888 2481
Fax: 07 3888 2530
Postal: 10 Gleeson Road Burpengary Queensland 4505
Email: info () jackies com au
Web: http://www.jackies.com.au


-----Original Message-----
From: Dan Irwin [mailto:dan () jackies com au]
Sent: Friday, 19 April 2002 2:21 PM
To: 'incidents () securityfocus com'
Subject: illogic rootkit


Hi all.

I found a rootkit named "illogic" on a recently compromised Redhat 7.2
Honeypot. Searches on Google and AltaVista revealed nothing, but a search on
Google Groups revealed 1 news article which originated from Russia.

Anyone seen this before?

It appears the attacker left a copy of the illogic.tgz file intact on my
honeypot. Last night I did some quick forensics, and discovered the
following things about this rootkit:

 * Contains the Adore rootkit
 * Contains many trojaned binaries (sshd, syslog, etc)
 * Contains several ./massrooting tools (ssh, lpd, wuftpd)
 * Contains DDoS tools
 * And much more.

This is all in 1 package, about a megabyte in size.

From my tcpdump logs I also traced the FTP server from which this was
downloaded. I also obtained the attacker's username/password for the
aforementioned FTP site.

I will publish the rootkit on my personal web site sometime later today.


- Dan.








----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


