Educause Security Discussion mailing list archives

linux rootkit problems


From: Kevin Shalla <Kevin.Shalla () IIT EDU>
Date: Mon, 7 Apr 2003 11:02:29 -0500

I've heard from a colleague about the following problem.  It turns out that
the hacker somehow installs a rootkit, changes the init files, changes the
kernel, and does keystroke logging and sniffing, searching for usernames
and passwords on other systems.  Then he logs into those other systems and
does the same thing.  It's unclear how as a regular user he obtains root,
but that seems to be what's happening.  My colleague says that it's been
reported at CERN, Argonne National Lab, and others.  Have any of you heard
about this one?

The only signs the hacker was on the system are the existence of
   /sbin/initpoiuy which is the original /sbin/init file.
   /usr/include/security/poiuy/ a directory that contains a sniffer and
   log file
These files are "hidden" by the kernel mods their init program loads
when it starts.


Kevin Shalla
Manager, Student Information Systems
Illinois Institute of Technology
<mailto:Kevin.Shalla () iit edu>
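From the defender's side, as an added example that is not part of Kevin's message or any tool it mentions: a small POSIX shell script that checks an inspected filesystem root for the two artifact paths named above and compares /sbin/init against a SHA-256 hash recorded while the host was known clean. The function names, the root-directory argument and the recorded-hash argument are assumptions of this example. Since the message says the loaded kernel modules hide these paths on the running system, point it at a disk mounted from trusted boot media rather than at the live root.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an inspected filesystem
# root for the artifacts described in the message and verifies /sbin/init
# against a known-good SHA-256 recorded while the host was clean.
# Function names and the ROOT / EXPECTED_SHA256 arguments are assumptions.

# Artifact paths reported in the message, relative to the inspected root.
INDICATORS="sbin/initpoiuy usr/include/security/poiuy"

# file_sha256 FILE -> prints the hex SHA-256 of FILE (coreutils or openssl).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# check_indicators ROOT -> lists each reported artifact that exists under ROOT.
# Returns 0 when none are present, 1 when at least one is.
check_indicators() {
    root="${1:-/}"
    hits=0
    for p in $INDICATORS; do
        if [ -e "$root/$p" ]; then
            echo "FOUND: $root/$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# check_init ROOT EXPECTED_SHA256 -> compares ROOT/sbin/init with the hash
# recorded when the system was known good. Returns 0 on match, 1 otherwise.
check_init() {
    root="${1:-/}"
    expected="$2"
    actual=$(file_sha256 "$root/sbin/init")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $root/sbin/init matches recorded hash"
        return 0
    fi
    echo "MISMATCH: $root/sbin/init (got $actual, expected $expected)"
    return 1
}

# Usage: sh check_poiuy.sh /mnt/suspect <sha256-of-known-good-init>
# Run against a filesystem mounted from trusted boot media; the message says
# the rootkit's kernel modules hide these paths on the live system.
if [ $# -ge 2 ]; then
    status=0
    check_indicators "$1" || status=1
    check_init "$1" "$2" || status=1
    exit "$status"
fi
```

On an RPM-based host of that era, `rpm -V` on the package that owns /sbin/init (`rpm -qf /sbin/init`) gives a second opinion on the binary, but only if the rpm database and rpm itself are read from the trusted media too, for the same reason the script avoids the live root.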
