Security Incidents mailing list archives
Re: linux 'zoot' rootkit/DoSkit/etc
From: Fredrik Ostergren <fredrik.ostergren () freebox com>
Date: 5 Dec 2001 03:48:33 -0000
In-Reply-To: <20011203205521.A8216 () roqe org>
On Mon, Dec 03, 2001 at 12:01:52AM -0800, James W. Abendschan wrote:

A RedHat Linux 6.2 box (**far** outside of my care) had some interesting things done to it-- missing binaries and a nonexistent RPM database, among other oddities. Closer examination revealed a happy little toolkit (aptly named 'zoot') which included the typical mishmash of trojan programs, IRC bots, DoS tools, LKM, sniffer, etc., etc.
I don't believe this toolkit of trojans is called "zoot". Every RedHat Linux release goes with a unique name and *surprise* RedHat Linux 6.2 is titled "zoot" and for example RedHat Linux 7.2 is called "enigma". I am sure the files have been ported to the "zoot" release, but are initially coming from another rootkit. Maybe you can investigate the files more closely and report if you stumble upon any other name except "zoot" ;)

Regards, Konrad
Looks like a t0rnkit clone to me. The rootkit binaries for ls/ps/etc are typical pre-compiled t0rnkit binaries. Also the psybnc and other tools are commonly used in those kits. Check the files in the psybnc directory, it will give you logs from the people that have used the bnc, it's a really great resource, the attackers *never* clean those. Not more to add I guess, good luck.

/ Fredrik

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- linux 'zoot' rootkit/DoSkit/etc James W. Abendschan (Dec 03)
- Re: linux 'zoot' rootkit/DoSkit/etc Konrad Rieck (Dec 03)
- Re: linux 'zoot' rootkit/DoSkit/etc James W. Abendschan (Dec 05)
- Re: linux 'zoot' rootkit/DoSkit/etc James W. Abendschan (Dec 05)
- <Possible follow-ups>
- Re: linux 'zoot' rootkit/DoSkit/etc Fredrik Ostergren (Dec 05)
- Re: linux 'zoot' rootkit/DoSkit/etc Konrad Rieck (Dec 03)