Security Basics mailing list archives
Re: optic rootkit / xsf/xchk?
From: Leonardo Piacentini <l.piacentini () email it>
Date: Sat, 1 Nov 2003 01:13:56 +0100
On Wed, 29 Oct 2003 16:55:24 +0100, Jan De Luyck <ml () kcore org> wrote:
> Hello,
>
> Recently one of the rather old Linux boxes at my company got into trouble (didn't know it existed earlier). Did some checking, and the box has been rooted.
>
> I've been looking for more information on this rootkit, but I have been unable to find anything besides this: http://cert.uni-stuttgart.de/archive/incidents/2002/01/msg00148.html
>
> So I'm wondering if anyone can tell me some more about this thing?
>
> Reinstallation is planned to happen soon.
>
> Thanks.
>
> Jan
A lot of times it happens that there are rootkits which are not "standard", like t0rn, tux, etc., but are restricted to a crew or something else. They could be made from modified binaries and other stuff taken from those kits anyway. I'd suggest you keep an md5sum for binaries and system config files under /etc. Also check for the presence of LKMs.

Leo
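The checksum baseline Leo suggests, written out as a small script. This is an added example and not code from the thread or from either poster: it records an md5sum for every regular file under the directories you name (e.g. /bin, /sbin, /usr/bin and /etc), later re-verifies a live tree against that record, and flags files that changed, disappeared, or appeared since the baseline was taken. The command names (md5sum, find, comm, cut) are standard coreutils; the function names, the "CHANGED/MISSING/NEW" report format and the sample directories are my own choices. The script follows the thread in using md5sum; sha256sum prints the same "hash  path" layout with a 64-character digest, so switching to it only requires changing the command and the `cut -c35-` offset to `-c67-`.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the kind of checksum
# baseline Leo recommends for system binaries and /etc, and later verifies
# a live tree against it. Assumes GNU coreutils md5sum output ("hash  path").

# build_baseline DIR... : print "hash  path" for every regular file under
# the given directories, sorted by path so two baselines can be diffed.
build_baseline() {
    find "$@" -type f -exec md5sum {} + | sort -k 2
}

# verify_baseline BASELINE DIR... : print one line per discrepancy
# (CHANGED, MISSING or NEW followed by the path) and return 1 if any was
# found, 0 if the tree matches the baseline exactly.
verify_baseline() {
    baseline=$1
    shift
    status=0

    # Recorded files: recompute each digest and compare with the baseline.
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
        elif [ "$(md5sum < "$path" | cut -d' ' -f1)" != "$hash" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$baseline"

    # Files present now that the baseline never saw. "md5sum -c" cannot
    # report these, which is why the file lists are compared separately.
    known=$(mktemp)
    cut -c35- "$baseline" | sort > "$known"
    new=$(find "$@" -type f | sort | comm -23 - "$known")
    rm -f "$known"
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW /'
        status=1
    fi

    return "$status"
}

# list_modules : snapshot of loaded kernel modules from /proc/modules, to
# keep alongside the file baseline. A kernel-level rootkit can hide its
# module from this list, so an unchanged list is necessary, not sufficient.
list_modules() {
    [ -r /proc/modules ] && cut -d' ' -f1 /proc/modules | sort
}

# Usage:  integrity.sh baseline OUT DIR...   |   integrity.sh verify BASELINE DIR...
# Store OUT and a trusted copy of md5sum/find/comm off the host (read-only
# media); a rootkit that replaces those binaries or edits the baseline
# defeats the check, so verify from a known-good rescue environment.
case ${1:-} in
    baseline) out=$2; shift 2; build_baseline "$@" > "$out" ;;
    verify)   shift; verify_baseline "$@" ;;
esac
```

The baseline is only as trustworthy as the moment it was taken, so build it right after a clean install and keep it, together with the tools used to verify it, somewhere the compromised host cannot write. Comparing `list_modules` output against a snapshot from the clean install covers the LKM check Leo mentions, with the caveat stated in the comment.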