Security Incidents mailing list archives

Re: New maniac rootkit


From: Daniel Martin <dtmartin24 () home com>
Date: 21 Jun 2001 15:15:43 -0400

Many people have already identified bits, so I'll just comment on this
piece:

Andrew Heath <ah228 () cornell edu> writes:

in /dev/ptyxx/.proc (runlevels?)
2 eggdrop
3 maniac
2 slice
2 pine.out
2 PHoss
2 targa3
3 bnc
2 httpd
3 grabbb
3 pt07
3 mailrc
2 sh

This file format matches the file format of many common trojaned ps
and ls programs - it's a list of processes and/or files to hide (I
think that the initial number identifies whether this is the name of a
process to hide or a file, but I can't remember).  You might try the
following two commands on the trojaned box:
  ls /bin/sh
  echo 'ps $$' | sh | grep sh

I'm willing to bet that one or the other of those commands will show
nothing, an indication that sh is being hidden from either ls or ps.

You could also, I suppose, do a
  mv /dev/ptyxx /dev/ptyxx.old
and see if suddenly things look different when you do a ps or ls on
the infected box.  (I say move the directory because there may be
other, possibly hidden, rootkit config. files therein)
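
As an added example (not part of Daniel Martin's post or Andrew Heath's report), the following shell script turns the two checks above into reusable functions: it looks a name up in the hide-list posted above, tests whether a path exists according to the shell's own builtin while ls denies it, and diffs the kernel's /proc view of the process table against what the (possibly trojaned) ps binary reports. The meaning of the leading number is an assumption made for illustration only (2 = hide from ls, 3 = hide from ps); the post itself is unsure of it. Function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumption for illustration: in the hide-list, code 2 = hide this name
# from ls, code 3 = hide this name from ps. The post is unsure of this.

# The hide-list exactly as posted (sample input embedded here).
HIDE_LIST='2 eggdrop
3 maniac
2 slice
2 pine.out
2 PHoss
2 targa3
3 bnc
2 httpd
3 grabbb
3 pt07
3 mailrc
2 sh'

# Print the codes under which NAME appears in the hide-list.
# Returns 0 if the name is listed at all, 1 otherwise.
hide_codes() {
    printf '%s\n' "$HIDE_LIST" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# Does ls deny a path that the shell's builtin test can see?
# A trojaned /bin/ls cannot influence [ -e ], which is built into the shell.
# Returns 0 = exists but ls hides it, 1 = ls shows it, 2 = path is absent.
ls_hides_path() {
    [ -e "$1" ] || return 2
    ls -d "$1" >/dev/null 2>&1 && return 1
    return 0
}

# Arg 1: newline-separated PIDs seen in /proc. Arg 2: PIDs reported by ps.
# Prints every PID the kernel knows about that ps did not report.
pids_missing_from_ps() {
    for p in $1; do
        found=0
        for q in $2; do
            [ "$p" = "$q" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# Live check on the suspect box (hypothetical helper, Linux /proc assumed).
# The /proc snapshot is taken with a shell glob rather than ls so that no
# child process is forked before ps runs; processes that exit between the
# snapshot and the ps call still show up, so re-run and look for stable hits.
live_hidden_pids() {
    set -- /proc/[0-9]*
    proc_pids=''
    for d; do proc_pids="$proc_pids ${d#/proc/}"; done
    ps_pids=$(ps -e -o pid= | tr -d ' ')
    pids_missing_from_ps "$proc_pids" "$ps_pids"
}
```

Run the live check with a ps copied from a known-clean box as well; if the two disagree with each other but both agree with /proc, the hide-list is being applied by something other than the ps binary (for example a trojaned libproc or the kernel itself).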

