Full Disclosure mailing list archives
Re: Rootkit
From: "Bruce Ediger" <eballen1 () qwest net>
Date: Fri, 26 Sep 2003 17:43:02 -0600 (MDT)
On Fri, 26 Sep 2003, David Hane wrote:
> I recently had a machine get hacked before I could finish installing all the damn remote-root exploit patches that have been released in the last week. I've done the forensics and I know how they got in and what they did but I would like to know what rootkit they used.
In a later message, you said it was a Solaris rootkit. Not all Solaris root kits have a name:

http://groups.google.com/groups?q=Ediger+rootkit+solaris&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=tPLT6.31%244Y4.88875%40news.uswest.net&rnum=1

The rootkit I found was a combo of tragedy/dor's rootkit and the Universal Root Kit. Based on a couple of other accounts:

http://www.cert.org/advisories/CA-2001-05.html
http://ouah.kernsh.org/comp_sys.htm

and some personal communications, the rootkit I found was used in the wild for quite a while, and it was under continuous development. I even wrote an email to tragedy/dor, hinting that I'd like to have looked at the code. I offered suggestions for improving the rootkit as kind of a quid pro quo. He/she/it/they wrote back saying that the source got lost in a server crash.

Anyway, the point is that at least one root kit for Solaris is floating around, has been for a few years, yet it doesn't have a snappy name. For example, it's not really too clear if even the latest chkrootkit would find the tragedy/dor Solaris rootkit - chkrootkit did not find it back in April of 2001.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
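The reply above notes that a signature-based scanner such as chkrootkit can miss a rootkit it has no name or signature for. The defender's complement to that is a file-integrity baseline: hash the binaries a user-land rootkit typically replaces (ls, ps, netstat and the like) while the host is known clean, keep that baseline off the host, and compare later. The following is an added example written for this page, not code from the thread or from chkrootkit; the file names and the "trojaned ps" scenario are constructed in a temporary directory so it runs offline.

```python
"""Integrity-baseline check: detect replaced system binaries without relying
on rootkit signatures. Added example for this page; the watched file names
and the tampering scenario below are constructed, not taken from the thread."""
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the hash of every watched file; a file that does not exist is
    recorded as None so its later appearance is noticed too."""
    return {p: (sha256_of(p) if os.path.isfile(p) else None) for p in paths}


def compare_to_baseline(baseline, paths):
    """Return which watched files changed, vanished, or appeared since the
    baseline was taken. The baseline should come from read-only or off-host
    storage; a baseline kept on the compromised machine can be rewritten."""
    current = build_baseline(paths)
    modified = sorted(p for p in paths
                      if baseline.get(p) and current.get(p)
                      and baseline[p] != current[p])
    missing = sorted(p for p in paths if baseline.get(p) and not current.get(p))
    added = sorted(p for p in paths if not baseline.get(p) and current.get(p))
    return {"modified": modified, "missing": missing, "added": added}


def demo():
    """Constructed scenario: a fake bin directory with two 'binaries'; after the
    baseline is taken, ps is replaced and a new netstat appears."""
    root = tempfile.mkdtemp()
    ls, ps, netstat = (os.path.join(root, n) for n in ("ls", "ps", "netstat"))
    for path, data in ((ls, b"original ls"), (ps, b"original ps")):
        with open(path, "wb") as f:
            f.write(data)
    watched = [ls, ps, netstat]
    baseline = build_baseline(watched)

    # Simulate a user-land rootkit: trojaned ps plus a dropped extra binary.
    with open(ps, "wb") as f:
        f.write(b"trojaned ps that hides processes")
    with open(netstat, "wb") as f:
        f.write(b"new file")

    report = compare_to_baseline(baseline, watched)
    # Report basenames only so the result does not depend on the temp path.
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())  # {'modified': ['ps'], 'missing': [], 'added': ['netstat']}
```

The check only sees what the kernel shows it: a kernel-module rootkit that intercepts file reads can feed the hasher the original bytes, so for a suspect host the comparison is best run from a boot of trusted media against the mounted disk rather than from the running system.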