Security Incidents mailing list archives

charbd rootkit ( Re: spanish rootkit)


From: Vitaly Osipov <vos () TELENOR CZ>
Date: Fri, 22 Sep 2000 14:46:16 +0200

Hello all, I researched it a bit - looks like a combination of some old and
new tools...

This kit mixes use of a kernel module (adore) for hiding processes with the good
old trojaned ifconfig (hides the promisc flag) and netstat (hides
processes/connections by the contents of /dev/ptyq).
It also includes some simple backdoors (src is in file "pb") which execute
xterm upon connection (the password they chose is absolutely
unpronounceable - you'll see it if you run strings on the files).
It also trojans in.pop3d, tcpd and login with the password "p3dr0*2k" and _maybe_
does something more with ifconfig, because when I ran it, the first time the new
ifconfig started rather slowly :)
It also installs an (icmp-based) trojan server (file "server") - the password
is probably "ph33rph33rph33r" - it is old stuff; the sources I found
somewhere :) are dated end of 1998 (by "chrak") - it executes a command
which it receives in the data field of an icmp packet.
It also includes linsniffer (of course :) ).

If you want to see chrak - he's at http://b4b0.org/chrak/

Those who are interested can take the kit from
www.angelfire.com/linux/witt/charbd.gz

regards,
W.

