Security Incidents mailing list archives
Re: Solaris hack
From: Christopher Samuel <C.Samuel () eris dera gov uk>
Date: Mon, 4 Mar 2002 10:36:12 +0000
On Thursday 28 Feb 2002 9:29 pm, Steve Huston wrote:

> I just got one of these too; upon booting from CD and doing a little
> poking around, I found in /usr/lib/vold/nsdap the file 'defines', which
> contained the following:
>
> ======
> # Edit these
> # Dir to install rootkit in
> RKDIR="/usr/lib/vold/nsdap"
> # Your email address
> EMAIL="bert.smith () mbox bol bg"
> # debug mode on or off
> DEBUG=0

[...]

Google is your friend - doing a search for that email address picks up two links to the Honeynet project, both results for the Scan of the Month #16. The most interesting of the two is:

http://project.honeynet.org/scans/scan16/som/som34.html

by "Solar Eclipse". The useful text is:

> This looks like our rootkit. According to the README it was written by
> Tragedy/Dor <bert.smith () mbox bol bg>. I sent an email to this address
> and Dor was kind enough to send me the binaries of his rootkit -
> k.tar.gz. I have not analyzed the rootkit in depth, since this is not
> the objective of Scan 16, but I looked at the installation script. It
> writes out the configuration to a temporary file and then obfuscates it
> with a crypt program, included in the rootkit. By disassembling the
> crypt binary with IDA Pro I found out that it simply reads the file,
> NOTs every byte and writes it out. My cryptanalysis appears to be
> correct.

The link "k.tar.gz" to the rootkit in the above is broken, though.

HTH, HAND,
Chris

-- 
Christopher Samuel [dstl] +44 1684 771134
L007, DSTL, St Andrews Road, Malvern, UK - DSTL is part of the UK MoD
DISCLAIMER: The views expressed above are just those of the author and do not represent the views, policy or understanding of any other entity

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
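A small forensic triage script, added here as an example and not part of the post or of the Honeynet write-up it quotes: it undoes the byte-wise NOT obfuscation that the quoted analysis attributes to the rootkit's "crypt" helper and then checks whether the recovered bytes look like the shell-style 'defines' file Steve Huston found. The sample input is reconstructed from the file contents quoted in the thread (not recovered from a real image), the marker names RKDIR=/EMAIL=/DEBUG= come from that quote, and the printable-text threshold is an assumption of this example. Because NOT is its own inverse, the same function serves to reproduce the on-disk form for testing and to recover the plaintext from a suspect file.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): undo byte-wise NOT
obfuscation and triage the result for rootkit-installer config markers."""

# Plaintext of the 'defines' file as quoted in the thread. These bytes are
# reconstructed from the post, not recovered from a real disk image.
SAMPLE_DEFINES = b"""# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"
# Your email address
EMAIL="bert.smith () mbox bol bg"
# debug mode on or off
DEBUG=0
"""

# Shell-style assignments seen in the quoted file. Any wider list of
# markers would be an assumption beyond what the thread shows.
MARKERS = (b"RKDIR=", b"EMAIL=", b"DEBUG=")


def not_bytes(data: bytes) -> bytes:
    """Invert every byte (x -> ~x & 0xFF). The operation is its own
    inverse, so it both produces and undoes the obfuscation."""
    return bytes(b ^ 0xFF for b in data)


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic (assumed threshold): printable ASCII plus whitespace
    must account for at least `threshold` of the bytes."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def parse_assignments(text: bytes) -> dict:
    """Pull NAME=value lines out of a shell-style config, stripping quotes
    and skipping comment lines."""
    out = {}
    for line in text.decode("ascii", "replace").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip().strip('"').strip("'")
    return out


def triage(blob: bytes) -> dict:
    """Examine a suspicious file body. Reports whether it is readable as
    stored, whether NOTing every byte makes it readable, and, for
    whichever form is readable, which config markers and assignments it
    carries. `encoding` is "plain", "not", or None if neither matched."""
    candidates = {"plain": blob, "not": not_bytes(blob)}
    result = {
        "plain_readable": looks_like_text(candidates["plain"]),
        "not_readable": looks_like_text(candidates["not"]),
        "encoding": None,
        "markers": [],
        "assignments": {},
    }
    for name in ("plain", "not"):
        text = candidates[name]
        if not looks_like_text(text):
            continue
        found = [m.decode() for m in MARKERS if m in text]
        if found:
            result["encoding"] = name
            result["markers"] = found
            result["assignments"] = parse_assignments(text)
            break
    return result


if __name__ == "__main__":
    # What the rootkit's 'crypt' helper would have left on disk.
    on_disk = not_bytes(SAMPLE_DEFINES)
    for key, value in sorted(triage(on_disk).items()):
        print(f"{key}: {value}")
```

In an actual response the `blob` would be the bytes of the suspect file read from a mounted image (the post mentions booting from CD); the script deliberately never executes or writes anything, it only reports what the file appears to be and where the installer said it was configured to live.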