Security Incidents mailing list archives
Re: New Rootkit?
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Thu, 16 Oct 2003 17:44:08 +0200
On Thu Oct 16 09:38:54 2003 Jonas Frey (Probe Networks) wrote:
I've put up the files for further analysis at: http://81.2.144.1/rootkit/
Looks like a modified version of suckit:

$ strings init | grep -i suckit
Suckit uninstalled sucesfully!
$ strings init | grep -i fuck
FUCK: Can't allocate raw socket (%d)
FUCK: Can't fork child (%d)
FUCK: Failed to uninstall (%d)
FUCK: Failed to hide pid %d (%d)
FUCK: Failed to unhide pid %d (%d)
FUCK: Can't open %s for read/write (%d)
FUCK: IDT table read failed (offset 0x%08x)
FUCK: Can't find sys_call_table[]
FUCK: Can't find kmalloc()!
FUCK: Can't read syscall %d addr
FUCK: Out of kernel memory!
FUCK: Got signal %d while manipulating kernel!

SuckIT ( http://hysteria.sk/sd/f/suckit ) was published in Phrack #58. It doesn't depend on loadable kernel module support, works via /dev/kmem...

"at" looks like imp:
"Imp is a denial of service tool which sends SYN floods. Some people call this one slice3. Dynamically linked with libc5. By Sinkhole."
[from http://packetstormsecurity.nl/DoS/]

HTH,
thorsten
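The strings-and-grep check from the message above, written as a reusable triage script. This is an added example, not part of the original post; the function names, the threshold of 3 and the sample byte strings are assumptions constructed for illustration, while the marker strings are the ones quoted in the message.

```python
import re
import sys

# Marker strings quoted in the message above (from `strings init`).
SUCKIT_MARKERS = [
    b"Suckit uninstalled sucesfully!",
    b"FUCK: IDT table read failed (offset 0x%08x)",
    b"FUCK: Can't find sys_call_table[]",
    b"FUCK: Can't find kmalloc()!",
    b"FUCK: Failed to hide pid %d (%d)",
    b"FUCK: Got signal %d while manipulating kernel!",
]

def extract_strings(data, min_len=4):
    """Like strings(1): runs of printable ASCII at least min_len bytes long."""
    return re.findall(rb"[\x20-\x7e\t]{%d,}" % min_len, data)

def match_markers(data, markers=SUCKIT_MARKERS):
    """Markers present in any extracted string, case-insensitive like grep -i."""
    found = [s.lower() for s in extract_strings(data)]
    return [m for m in markers if any(m.lower() in s for s in found)]

def triage(data, threshold=3):
    """Flag a binary when at least `threshold` markers match (assumed cutoff)."""
    hits = match_markers(data)
    return {"hits": [h.decode() for h in hits],
            "suspicious": len(hits) >= threshold}

# Constructed sample inputs: a fake ELF-like blob carrying four markers,
# and a benign blob that only mentions the symbol name sys_call_table.
SAMPLE_SUSPECT = (b"\x7fELF\x01\x01\x00"
                  + b"\x00\x90".join(SUCKIT_MARKERS[:4]) + b"\x00\x00")
SAMPLE_BENIGN = (b"\x7fELF\x01\x01\x00/lib/ld-linux.so.2\x00"
                 b"printf\x00sys_call_table\x00")

if __name__ == "__main__":
    # Usage: python triage.py <file> [<file> ...]; without arguments,
    # run over the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, triage(fh.read()))
    else:
        print("suspect sample:", triage(SAMPLE_SUSPECT))
        print("benign sample:", triage(SAMPLE_BENIGN))
```

A match is a triage signal only: a rebuilt variant can change or strip these strings, so a clean result does not clear a binary.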