Security Incidents mailing list archives
Modified Ramen found in the wild
From: Ryan Hilton <darkmoon () TIRKZILLA COM>
Date: Fri, 16 Feb 2001 14:59:29 -0800
Well, it looks like it didn't take long for the ramen worm to be modified. I have found in the wild (read: been compromised by) a modified ramen worm with a larger set of exploits and a rootkit.

The rootkit in question has received a bit of publicity on the security focus lists lately; the name of it is knark (version 0.59), which is an LKM-based rootkit capable of hiding files and directories (/lib/hack in this case), network connections (all to and from port 5555) and various other aspects. The kit also contains a trojan version of sshd, scanners called pscan and ben which appears to look for vulnerable RPC services, a wu-ftpd scanner and exploits, a bind 8.2 scanner (porkbind) and exploit, an ftp server which I believe is called muddleftpd, and a few other utilities which I cannot recall at the moment, and since the file was destroyed I was unable to get the data.

To find this worm, if not modified, try to ssh to port 5555 of your machines and see if you get a prompt, or look for a directory called /proc/knark (which is a hidden directory; /proc/knark/pids will show hidden processes).

Ryan

--
==============================================
Ryan Hilton
Uber-Geeks.net
darkmoon () tirkzilla com
http://www.uber-geeks.net
"No answer is also an answer"
==============================================
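The two checks described in the message above, as an added example that is not part of the original post: it looks up the named paths directly and compares that with the parent directory listing, and it reads the SSH identification string on port 5555 instead of relying on local connection listings, which the post says are hidden. The function names, the `root` parameter and the assumption that /lib/hack stays reachable by name while hidden are this example's own.

```python
import os
import socket

# Indicators named in the post. Paths are joined to `root` so a mounted
# disk image can be checked as well (an assumption of this example).
KNARK_PATHS = ["proc/knark", "lib/hack"]
BACKDOOR_PORT = 5555

def path_state(path):
    """Return 'absent', 'visible', or 'hidden' (reachable by name but unlisted)."""
    if not os.path.lexists(path):
        return "absent"
    parent, name = os.path.split(path.rstrip("/"))
    try:
        listed = name in os.listdir(parent or "/")
    except OSError:
        return "visible"  # parent cannot be listed; report existence only
    # A file-hiding LKM filters directory listings, so a path that exists
    # but is missing from its parent's listing is itself an indicator.
    return "visible" if listed else "hidden"

def ssh_banner(host, port=BACKDOOR_PORT, timeout=3.0):
    """Return the SSH identification string served on host:port, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(255)
    except OSError:
        return None  # closed, filtered, or silent port
    line = data.split(b"\n", 1)[0].strip()
    return line.decode("ascii", "replace") if line.startswith(b"SSH-") else None

def check_host(root="/", host="127.0.0.1"):
    """Collect findings for the indicators described in the post."""
    findings = []
    for rel in KNARK_PATHS:
        state = path_state(os.path.join(root, rel))
        if state != "absent":
            findings.append(f"{rel}: present ({state})")
    banner = ssh_banner(host)
    if banner:
        findings.append(f"port {BACKDOOR_PORT}: SSH service answers ({banner})")
    return findings

if __name__ == "__main__":
    for finding in check_host():
        print("INDICATOR", finding)
```

An empty result from the path checks on a running system is weak evidence, since the kernel answering the lookups may be the one that is modified; the port probe can be run from another machine by passing its address as `host`.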