Re: linux 'zoot' rootkit/DoSkit/etc

[Fredrik Ostergren <fredrik.ostergren () freebox com>]

In-Reply-To: <20011203205521.A8216 () roqe org>

> On Mon, Dec 03, 2001 at 12:01:52AM -0800, James 
W. Abendschan wrote:
> > A RedHat Linux 6.2 box (**far** outside of my 
care) had some interesting
> > things done to it-- missing binaries and a 
nonexistent RPM database,
> > among other oddities.  Closer examination 
revealed a happy little
> > toolkit (aptly named 'zoot') which included the 
typical mishmash of
> > trojan programs, IRC bots, DoS tools, LKM, 
sniffer, etc., etc.
> I don't believe this toolkit of trojans is called "zoot".  
Every RedHat
> Linux release goes with a unique name and 
*suprise* RedHat Linux 6.2 is
> titled "zoot" and for example RedHat Linux 7.2 is 
called "enigma".
> I am sure the files have been ported to the "zoot" 
release, but are
> initially comming from another rootkit. Maybe you 
can investigate the files
> more closely and report if you stumble upon any 
other name except "zoot" 
> ;)
>
> Regards,
> Konrad

Looks like a t0rnkit clone to me. The rootkit binaries 
for ls/ps/etc are typical pre-compiled t0rnkit binaries. 
Also the psybnc and other tools are commonly used 
in those kits. Check the files in the psybnc directory, it 
will give you logs from the people that have used the 
bnc, it's a really great resource, the attackers *never* 
clean those. Not more to add I guess, good luck.

/ Fredrik

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com