Security Incidents mailing list archives
Re: New maniac rootkit
From: Denis Ducamp <Denis.Ducamp () hsc fr>
Date: Thu, 21 Jun 2001 13:52:07 +0200
On Wed, Jun 20, 2001 at 09:04:26AM -0400, Andrew Heath wrote:
> I also know it's making IRC connections, plus has at least one rootshell running. I can't confirm this without modifying bits of the box, to replace ps with a known good copy, and I can't do that until one of my colleagues looks at it to get first hand experience.
You may use lsof ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ to see all the running processes and the open files, if none are hidden by adore...

You may try http://www.hsc.fr/ressources/outils/rkscan/ to detect the presence of the adore rootkit.

Of course, compile them on another system.

Denis.
--
Denis.Ducamp () hsc fr --- Hervé Schauer Consultants --- http://www.hsc.fr/
Owl/snort/hping/dsniff in French http://www.groar.org/~ducamp/#sec-trad
Owl in French http://www.openwall.com/Owl/fr/
On the proper use of ... http://usenet-fr.news.eu.org/fr-chartes/rfc1855.html