Full Disclosure mailing list archives
Re: a little help needed with identifying a rootkit
From: Tobias Weisserth <tobias () weisserth de>
Date: Tue, 13 Jan 2004 21:14:02 +0100
Hi Jan, Am Die, den 13.01.2004 schrieb jan.muenther () nruns com um 20:41:
Howdy, I basically have *no* time at the moment, so I just had a very very quick look at these things.
Thanks for that quick look! :-)
The biggest file you can find on this machine in this directory is a gzipped file which probably contains a rootkit of some sort. The SuSE list is still trying to figure out what the rest does/is and how this fits into the "big picture".'i' is a statically linked version of the do_brk() local root exploit. Both i.txt and ii.txt appear to be some php injection 'exploits'. 'n' is a statically linked version of netcat. 'rhs' appears to be a statically linked version of the 'rs.c' thingy, which kicks back a shell to a host/port that you specify. The perl scripts are amazingly lame backdoors. I have too much work to look at the rootkit, sorry.
This is already more than I have hoped for. Thanks VERY much! I haven't had the chance to look at something like this in the past so these pointers really are speeding up things. Thanks. kind regards from Brussels, Tobias W. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- a little help needed with identifying a rootkit Tobias Weisserth (Jan 13)
- Re: a little help needed with identifying a rootkit jan . muenther (Jan 13)
- Re: a little help needed with identifying a rootkit Tobias Weisserth (Jan 13)
- Re: a little help needed with identifying a rootkit jan . muenther (Jan 13)