Educause Security Discussion mailing list archives
linux rootkit problems
From: Kevin Shalla <Kevin.Shalla () IIT EDU>
Date: Mon, 7 Apr 2003 11:02:29 -0500
I've heard from a colleague about the following problem. It turns out that the hacker somehow installs a rootkit, changes the init files, changes the kernel, and does keystroke logging and sniffing, searching for usernames and passwords on other systems. Then he logs into those other systems and does the same thing. It's unclear how as a regular user he obtains root, but that seems to be what's happening. My colleague says that it's been reported at CERN, Argonne National Lab, and others. Have any of you heard about this one?
The only signs the hacker was on the system are the existence of /sbin/initpoiuy, which is the original /sbin/init file, and /usr/include/security/poiuy/, a directory that contains a sniffer and log file. These files are "hidden" by the kernel mods their init program loads when it starts.
Kevin Shalla
Manager, Student Information Systems
Illinois Institute of Technology
<mailto:Kevin.Shalla () iit edu>
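Added example, not part of the original post: a shell check for the two paths named in the message, which also reports when a path resolves by name but is missing from its parent directory's listing. The function names and the ROOT argument are assumptions made for this example. The post does not say how the kernel modification hides the files, so a clean result is only meaningful when ROOT is the suspect disk mounted read-only from trusted rescue media rather than the running system.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: check_poiuy ROOT
#   ROOT is "/" for a live system, or the mount point of the suspect
#   disk mounted read-only from trusted media (hypothetical usage).
# Returns 0 if neither indicator is present, 1 otherwise.

# The two paths reported in the post.
INDICATORS="/sbin/initpoiuy /usr/include/security/poiuy"

# Succeeds if PATH's final component appears in its parent's listing.
listed_in_parent() {
    parent=$(dirname "$1")
    name=$(basename "$1")
    ls -a "$parent" 2>/dev/null | grep -Fxq -- "$name"
}

check_poiuy() {
    root=${1%/}          # "/" becomes "", so paths are not doubled up
    found=0
    for rel in $INDICATORS; do
        path="$root$rel"
        # Look the path up by name; this does not read the directory listing.
        if [ -e "$path" ] || [ -L "$path" ]; then
            found=1
            if listed_in_parent "$path"; then
                echo "FOUND   $path"
            else
                # Resolves by name but absent from the listing: the
                # listing is being filtered by something on this system.
                echo "HIDDEN  $path (exists but not in directory listing)"
            fi
        fi
    done
    return $found
}
```
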