Re: spanish rootkit

[John Yang <jyang () BLACKBOARD COM>]

Here's a copy that I ran through babel.altavista.com



John Yang
Web Engineering Manager
Blackboard Inc.
jyang () blackboard com
http://www.blackboard.com



> -----Original Message-----
> From: Vitaly Osipov [mailto:vos () TELENOR CZ]
> Sent: Wednesday, September 20, 2000 8:43 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: spanish rootkit
>
>
> Hi all,
>
> I was observing one computer - seems like it was rooted at
> least two times
> by different people (last one was from greece). First crack I
> guess came
> from bind exploit... First was somewhat unknown - I guess
> kind of tornkit or
> even it's parent (files are dated 15 Aug early a.m., mostly
> trojaning ps,
> dir, du, vdir, netstat, ifconfig) Second one is much more
> interesting - it
> even uses kernel module for hiding processes/listening ports
> (module is
> called adore.o). And it is written somewhere in Spain - I attach it's
> install script (rootkit itself is charbd.tar.gz). Is it
> something known or
> more or less new? And can somebody please translate the
> comments from that
> script?
>
> regards,
> Vitaly.

Attachment: hack
Description: