Security Incidents mailing list archives

Re: New maniac rootkit


From: Denis Ducamp <Denis.Ducamp () hsc fr>
Date: Thu, 21 Jun 2001 13:52:07 +0200

On Wed, Jun 20, 2001 at 09:04:26AM -0400, Andrew Heath wrote:
> I also know it's making IRC connections, plus has at least one
> rootshell running.  I can't confirm this without modifying bits
> of the box, to replace ps with a known good copy, and I can't do
> that until one of my colleagues looks at it to get first hand
> experience.

You may use lsof ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ to see all the
running processes and the open files, if none are hidden by adore...
You may try http://www.hsc.fr/ressources/outils/rkscan/ to detect the
presence of the adore rootkit.

Of course, compile them on another system.

Denis.

-- 
 Denis.Ducamp () hsc fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
Owl/snort/hping/dsniff in French  http://www.groar.org/~ducamp/#sec-trad
            Owl in French    http://www.openwall.com/Owl/fr/
 On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html

