Security Incidents mailing list archives

Modified Ramen found in the wild


From: Ryan Hilton <darkmoon () TIRKZILLA COM>
Date: Fri, 16 Feb 2001 14:59:29 -0800

Well, it looks like it didn't take long for the ramen worm to be modified. I
have found in the wild (read: been compromised by) a modified ramen worm with
a larger set of exploits and a rootkit.

The rootkit in question has received a bit of publicity on the SecurityFocus
lists lately; the name of it is knark (version 0.59), which is an LKM-based
rootkit capable of hiding files and directories (/lib/hack in this case),
network connections (all to and from port 5555) and various other aspects.
The kit also contains a trojan version of sshd, scanners called pscan and
ben which appear to look for vulnerable RPC services, a wu-ftpd scanner and
exploits, a bind 8.2 scanner (porkbind) and exploit, an ftp server which I
believe is called muddleftpd, and a few other utilities which I cannot recall
at the moment; since the file was destroyed I was unable to get the data.

To find this worm, if not modified, try to ssh to port 5555 of your machines
and see if you get a prompt, or look for a directory called /proc/knark (which
is a hidden directory; /proc/knark/pids will show hidden processes).

Ryan
--
==============================================
Ryan Hilton                                         Uber-Geeks.net
darkmoon () tirkzilla com          http://www.uber-geeks.net
                 "No answer is also an answer"
==============================================
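The two checks from the post above (a service answering with an SSH banner on port 5555, and the known /proc/knark/pids path readable even though the directory is hidden), written up as a small detection script. This is an added example, not code from the post; the banner string, the one-pid-per-line layout of the pids file and the local fake listener are all constructed for offline testing, since the post does not describe the file's format.

```python
import os
import socket
import tempfile
import threading

# Constructed sample of a /proc/knark/pids listing (assumed one pid per line).
SAMPLE_KNARK_PIDS = "1337\n2048\n"

def grab_banner(host, port=5555, timeout=3.0):
    """Connect to host:port and return the first line the service sends,
    or None if nothing answers. The post's check is an ssh prompt on 5555."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(256)
    except OSError:
        return None
    return data.decode("ascii", "replace").strip() or None

def looks_like_trojan_sshd(banner):
    """True when a service on the probed port identifies itself as SSH."""
    return banner is not None and banner.startswith("SSH-")

def knark_hidden_pids(proc_root="/proc"):
    """Return the pids listed in <proc_root>/knark/pids, or [] if the file
    is absent. knark hides the directory from listings, but opening the
    known path directly still works, which is what the post relies on."""
    path = os.path.join(proc_root, "knark", "pids")
    try:
        with open(path) as f:
            return [int(tok) for tok in f.read().split() if tok.isdigit()]
    except OSError:
        return []

def write_sample_knark(root=None):
    """Lay out a constructed <root>/knark/pids so the check can be tested."""
    root = root or tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "knark"), exist_ok=True)
    with open(os.path.join(root, "knark", "pids"), "w") as f:
        f.write(SAMPLE_KNARK_PIDS)
    return root

def fake_sshd(banner=b"SSH-1.5-OpenSSH_2.3.0\r\n"):
    """Throwaway local listener sending a constructed SSH banner (test aid).
    Returns the port it is bound to; it serves exactly one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against real hosts you would call grab_banner(host) with the default port 5555 and knark_hidden_pids() with the default /proc; a non-empty pid list or an SSH banner on 5555 is the indicator the post describes.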