Security Basics mailing list archives

Re: optic rootkit / xsf/xchk?


From: Leonardo Piacentini <l.piacentini () email it>
Date: Sat, 1 Nov 2003 01:13:56 +0100

On Wed, 29 Oct 2003 16:55:24 +0100, Jan De Luyck <ml () kcore org> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Recently one of the rather old linux-boxes at my company got into trouble 
(didn't know it existed earlier). Did some checking, and the box has been 
rooted.

I've been looking for more information on this rootkit, but I have been unable 
to find anything besides this:

http://cert.uni-stuttgart.de/archive/incidents/2002/01/msg00148.html

So I'm wondering if anyone can tell me some more about this thing?

Reinstallation is planned to happen soon.

Thanks.

Jan

A lot of times there are rootkits which are not "standard", like t0rn, tux, etc., but are 
restricted to a crew or something else. They could be made from modified binaries and other stuff taken from those kits 
anyway. I'd suggest you keep an md5sum of binaries and system config files under /etc. Check also for the presence of 
LKMs.

Leo
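The baseline-and-check routine Leo recommends, as an added example that is not part of the original thread and not taken from any tool mentioned in it. It assumes GNU coreutils on Linux (find -print0, sort -z, md5sum, diff and comm reading from stdin) and awk; the function names, the baseline file paths and the /proc/modules lines in the usage comments are illustrative. Run it from a trusted toolset (clean boot media, statically linked binaries): on a box that is already rooted, md5sum, find and lsmod are exactly the binaries a kit replaces. On a current system md5sum can be swapped for sha256sum with no other change.

```shell
#!/bin/sh
# Added example (not from the original thread). Records an md5sum baseline of
# binaries and /etc, re-checks it later, and compares the loaded kernel
# modules against a saved list. Function and file names are assumptions.

# make_baseline DIR...  -> prints "md5  path" for every regular file under
# DIR..., sorted by path so two runs are directly comparable.
make_baseline() {
    find "$@" -type f -print0 2>/dev/null | sort -z | xargs -0 -r md5sum
}

# check_baseline SAVED DIR...  -> rebuilds the baseline for DIR... and diffs it
# against SAVED. "<" lines were recorded earlier, ">" lines are current, so a
# modified file shows as a pair, a removed file as "<" only and a newly
# dropped file (a typical rootkit symptom) as ">" only. Returns 1 on any
# difference, 0 when the tree matches the baseline.
check_baseline() {
    saved=$1
    shift
    make_baseline "$@" | diff "$saved" -
}

# check_modules SAVED [MODULES_FILE]  -> prints module names present in
# MODULES_FILE (default /proc/modules, whose first column is the module name)
# but absent from SAVED, a sorted list of one expected name per line.
# Returns 1 if any unexpected module is loaded. Caveat: an LKM that hides
# itself from /proc/modules will not appear here at all, so a clean result is
# necessary but not sufficient evidence that no kernel module was planted.
check_modules() {
    saved=$1
    current=${2:-/proc/modules}
    unexpected=$(awk '{ print $1 }' "$current" | sort | comm -13 "$saved" -)
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# Typical use on a live box (paths illustrative; keep the baseline off the
# machine, on removable media, so an intruder cannot regenerate it):
#   make_baseline /bin /sbin /usr/bin /usr/sbin /etc > /mnt/usb/base.md5
#   check_baseline /mnt/usb/base.md5 /bin /sbin /usr/bin /usr/sbin /etc
#   awk '{ print $1 }' /proc/modules | sort > /mnt/usb/modules.txt
#   check_modules /mnt/usb/modules.txt
```

check_baseline diffs whole listings rather than running md5sum -c so that files added since the baseline are reported too; md5sum -c only verifies the paths it already knows about.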
