Full Disclosure mailing list archives

Re: Rootkit


From: "Bruce Ediger" <eballen1 () qwest net>
Date: Fri, 26 Sep 2003 17:43:02 -0600 (MDT)

On Fri, 26 Sep 2003, David Hane wrote:

> I recently had a machine get hacked before I could finish installing all the
> damn remote-root exploit patches that have been released in the last week.
> I've done the forensics and I know how they got in and what they did but I
> would like to know what rootkit they used.

In a later message, you said it was a Solaris rootkit.  Not all Solaris
rootkits have a name:

http://groups.google.com/groups?q=Ediger+rootkit+solaris&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=tPLT6.31%244Y4.88875%40news.uswest.net&rnum=1

The rootkit I found was a combo of tragedy/dor's rootkit and the Universal
Root Kit.

Based on a couple of other accounts:
http://www.cert.org/advisories/CA-2001-05.html
http://ouah.kernsh.org/comp_sys.htm
and some personal communications, the rootkit I found was used in the wild
for quite a while, and it was under continuous development.

I even wrote an email to tragedy/dor, hinting that I'd like to have looked
at the code.  I offered suggestions for improving the rootkit as kind of
a quid pro quo.  He/she/it/they wrote back saying that the source got lost
in a server crash.

Anyway, the point is that at least one rootkit for Solaris is floating
around, has been for a few years, yet it doesn't have a snappy name.
For example, it's not really too clear if even the latest chkrootkit would
find the tragedy/dor Solaris rootkit - chkrootkit did not find it back
in April of 2001.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
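A rootkit with no name has no chkrootkit signature either, which is the problem the message above ends on. The check that does not depend on a signature is a known-good baseline: record a hash, size and mode for the binaries user-mode kits typically replace (ls, ps, netstat, login, ifconfig), keep the record off the box, and diff it later. The following is an added example written for this archive page; it is not code from the original poster, from tragedy/dor's kit or from chkrootkit. The watched paths and the simulated compromise are constructed for the demo, which runs entirely inside a temporary directory.

```python
"""Baseline integrity check for a set of system binaries (added example).

Signature-independent: whatever kit replaced the binaries, the replacement
changes the file's hash, size or mode, and a diff against a baseline taken
on a clean system reports it.  All paths here are hypothetical.
"""
import hashlib
import os
import stat
import tempfile

# Typical targets of user-mode rootkits (hypothetical list for the demo).
WATCHED = ["bin/ls", "bin/ps", "bin/netstat", "bin/login", "sbin/ifconfig"]


def file_record(path):
    """Return (sha256, size, mode) for one file.  Mode is recorded because a
    changed permission bit with unchanged bytes is still worth flagging."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


def build_manifest(root):
    """Walk root and record every regular file, keyed by its path relative to root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_record(full)
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests.  'modified' covers hash, size or mode changes;
    'added' flags files absent at baseline time (dropped tools, hidden dirs);
    'missing' flags files that disappeared (e.g. a cleaned log)."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, data, mode=0o755):
    """Helper for the demo: create a file under root with the given bytes and mode."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: baseline a clean tree, simulate a rootkit install
    (trojaned ps, dropped sniffer in a hidden dir, deleted log, changed mode
    on login), and diff.  Nothing here is a real rootkit."""
    with tempfile.TemporaryDirectory() as root:
        for rel in WATCHED:
            _write(root, rel, b"clean " + rel.encode())
        _write(root, "var/adm/messages", b"log", 0o644)
        baseline = build_manifest(root)

        # Simulated compromise (constructed for the demo):
        _write(root, "bin/ps", b"trojaned ps that hides pids")   # replaced binary
        _write(root, "usr/lib/.x/sniffer", b"sniffer")            # dropped file, hidden dir
        os.remove(os.path.join(root, "var/adm/messages"))         # cleaned log
        os.chmod(os.path.join(root, "bin/login"), 0o700)          # same bytes, new mode

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real host the baseline manifest must be produced before the box is exposed and stored somewhere the attacker cannot reach, and the comparison must be run with tools (python, sha256) copied from known-good media, since a trojaned `ls` or a kernel module that hides files will otherwise feed the checker the same lie it feeds `ps`.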
