Security Incidents mailing list archives

Linux box 'infected' with RK15


From: Sean Kelly <lists () SHORTESTPATH ORG>
Date: Tue, 20 Mar 2001 22:52:23 +0000

Hello,

  I'm new to this list so please correct me if I step out of line here :)

  I have just been handed a Linux web server at my new work place which
appears to have been 'infected' with something called RK15 (Rootkit15, I
believe).  I'm pretty sure I know *how* they got in, but I'm more
interested in *what* this RK15 does.

  I have the install script which installs precompiled binaries of
utilities like ifconfig, top, ps, login - the usual for rootkits (it seems
to mention some actual exploit binaries [t666, wu-exploit] but these are
not on the system).

  There also appears to be a 'new' service listening on a TCP port which,
when opened with telnet, returns a nonsensical string of about 8
characters and seems to be prompting for a response (sorry for the
vagueness - I'm writing this from memory at the moment).

  Does anyone have any knowledge of this rootkit, or have any comments on
the above?

  Thanks,

--
Sean Kelly <lists () shortestpath org>
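The post describes the two things a responder has to confirm on a box like this: which system binaries (ifconfig, top, ps, login) were swapped for the rootkit's precompiled copies, and what the extra TCP listener is. Both checks must avoid running the suspect binaries themselves. The script below is an added example written for this archive page, not code from the poster or from any rootkit; it compares file hashes against a baseline that must come from trusted media (a clean install or the distribution's package metadata), and it lists LISTEN sockets by reading /proc/net/tcp directly rather than trusting netstat. The file tree, the baseline hashes and the /proc/net/tcp excerpt (including the listener on port 11111) are constructed for the demonstration.

```python
"""Defensive triage helpers for a suspected rootkit install (added example).

Two checks a responder wants when ps/netstat/ifconfig cannot be trusted:
  1. compare the SHA-256 of system binaries against a baseline taken from
     trusted media (distribution packages, a clean install, rpm/deb data);
  2. list listening TCP sockets by reading /proc/net/tcp directly instead
     of running the (possibly trojaned) netstat binary.
"""
import hashlib
import os
import tempfile

# Utilities the post says the install script replaces.
SUSPECT_BINARIES = ["/sbin/ifconfig", "/usr/bin/top", "/bin/ps", "/bin/login"]


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_baseline(baseline, root="/"):
    """baseline maps absolute path -> sha256 hex recorded from a trusted source.
    Returns {path: 'ok' | 'modified' | 'missing'} for every baseline entry."""
    result = {}
    for path, expected in baseline.items():
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            result[path] = "missing"
        elif sha256_file(full) != expected:
            result[path] = "modified"
        else:
            result[path] = "ok"
    return result


def parse_listening_tcp(proc_net_tcp_text):
    """Return sorted (ip, port) pairs whose state is LISTEN (st == 0A)."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        ip_hex, port_hex = fields[1].split(":")
        # /proc/net/tcp stores the IPv4 address in host byte order, so on a
        # little-endian machine the hex octets must be read back to front.
        octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
        listeners.append((".".join(map(str, octets)), int(port_hex, 16)))
    return sorted(listeners, key=lambda t: t[1])


def unexpected_listeners(proc_net_tcp_text, expected_ports):
    """Listeners on ports not in the set the admin can account for."""
    return [(ip, p) for ip, p in parse_listening_tcp(proc_net_tcp_text)
            if p not in expected_ports]


# Constructed /proc/net/tcp excerpt: sshd on 22, httpd on 80, an unknown
# listener on 11111 (port invented for the example), and one established
# ssh session that must not be reported as a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:2B67 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0200007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
"""


def demo_baseline_check():
    """Build a throwaway tree of constructed 'binaries', record a baseline,
    then alter one file and delete another to show the three verdicts."""
    root = tempfile.mkdtemp()
    baseline = {}
    for path in SUSPECT_BINARIES:
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"clean " + path.encode())  # stand-in for the real binary
        baseline[path] = sha256_file(full)
    # Simulate a replaced /bin/ps (constructed content, not rootkit code).
    with open(os.path.join(root, "bin/ps"), "wb") as f:
        f.write(b"replaced ps")
    # Simulate a missing /bin/login.
    os.remove(os.path.join(root, "bin/login"))
    return verify_baseline(baseline, root)


if __name__ == "__main__":
    for path, verdict in demo_baseline_check().items():
        print(f"{verdict:9} {path}")
    for ip, port in unexpected_listeners(SAMPLE_PROC_NET_TCP, {22, 80}):
        print(f"unexpected listener {ip}:{port}")
```

On a real system, `verify_baseline` would be given hashes recorded from clean distribution media and `parse_listening_tcp` the contents of `/proc/net/tcp` (and `/proc/net/tcp6`), ideally while booted from trusted media; if the kernel itself has been modified, even /proc output is suspect, which is the usual argument for imaging the disk and examining it offline.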
