Security Incidents mailing list archives
RE: any1 stumbled across eCkit ?
From: "Ryan Sweat" <ryans () cecentertainment com>
Date: Thu, 29 Nov 2001 12:25:36 -0600
This is a modified t0rnkit, and td is definitely stacheldraht. I've done some analysis and I've found the master server is 212.204.245.141, which also has this rootkit installed. The file /lib/libext-2.so contains the encrypted trojan sshd password, fairly simple to decrypt.

-Ryan

-----Original Message-----
From: Fredrik Ostergren [mailto:fredrik.ostergren () freebox com]
Sent: Thursday, November 29, 2001 3:56 AM
To: incidents () securityfocus com
Subject: Re: any1 stumbled across eCkit ?

At 16:40 26-11-2001 -0500, you wrote:
> version 2.0.6. I guess they are installed to hide some process.

tk = t0rnkit. a well-known rootkit which is common in the scriptkiddie world. A lot of different versions circulating. Try doing strings ps | grep / and check for suspicious strings. Go check those files and you will find the controlling file. Also check the ls trojan for the same stuff.

> In /lib/ldd.so/ i found the patch script and a file called td. Strings revealed that it is some kind of testing program but i don't know for sure.

Probably not tfn2k, more likely it's stacheldraht which is also often included with those different t0rnkit versions. Contact me at press () alldas de if you need more info or if you want me to do an analysis or something.

Thanks!

/ Fredrik

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
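
The `strings ps | grep /` check suggested in the quoted message, written out as an added example that is not part of the original thread: it pulls printable strings from a binary and flags embedded paths a stock ps or ls would not normally reference. The allowlist, the sample bytes and the file name `tkps` are assumptions constructed for illustration; only the /lib/ldd.so/ directory comes from the thread.

```python
import re

# Prefixes a stock ps or ls is expected to reference (assumed allowlist; tune per distro).
EXPECTED_PREFIXES = ("/proc/", "/dev/", "/etc/", "/usr/", "/bin/", "/sbin/",
                     "/lib/ld-linux", "/lib/libc.")

# Same default as strings(1): runs of at least 4 printable ASCII bytes.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# An absolute path token; the lookbehind skips the "/stat" in "/proc/%d/stat".
PATH_TOKEN = re.compile(r"(?<![\w.])/[\w./+-]+")


def embedded_paths(blob: bytes) -> list:
    """Equivalent of `strings FILE | grep /` on an in-memory binary."""
    runs = (m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob))
    return [s for s in runs if "/" in s]


def suspicious_paths(blob: bytes, expected=EXPECTED_PREFIXES) -> list:
    """Path tokens outside the allowlist, or with a hidden (dot) component."""
    flagged = []
    for s in embedded_paths(blob):
        for tok in PATH_TOKEN.findall(s):
            hidden = any(part.startswith(".") for part in tok.split("/"))
            if (hidden or not tok.startswith(expected)) and tok not in flagged:
                flagged.append(tok)
    return flagged


# Constructed sample: a few strings as they might sit in a trojaned ps binary.
SAMPLE_PS = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 +
             b"/lib/ld-linux.so.2\x00libc.so.6\x00/proc/%d/stat\x00"
             b"\x01\x02/dev/tty\x00/lib/ldd.so/tkps\x00\x03%s: bad option\x00")

if __name__ == "__main__":
    # On a real host, read the binary from trusted media: open(path, "rb").read()
    for path in suspicious_paths(SAMPLE_PS):
        print("check:", path)
```

Run it from known-good media against copies of ps and ls, since tools on a compromised host may themselves be trojaned.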