Security Incidents mailing list archives

Re: new SunOS 5 rootkit? (fwd)


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Thu, 14 Feb 2002 22:57:06 -0500

On Thu, Feb 14, 2002 at 10:26:26AM +0000, Alan Thew wrote:
Anyone seen this before? Contains trojaned ls, netstat, ps and others.
In addition, on port 5654,

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.5-1.2.25

is installed and set up to start at reboots etc...

        What does "chkrootkit" have to say about it?

Thanks

-- 
Alan Thew
FAX: +44 151 794 4442

---------- Forwarded message ----------
     #
    #
   #   #
    # # #       RootKit fr SunOS
 #   #   #      (C) Adolf Hitler / NSDAP
  # # #
   #   #          English version.. for you scriptkids.
      #
     #

988113360

        Regards,
        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
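
The indicator reported in this thread is a listener on port 5654 that answers with an SSH identification string. The following is an added example, not part of either message: a small Python check that triages (port, first line) pairs and flags SSH banners on ports where no sshd is expected. It assumes the banners were collected from a separate, trusted host, since the local netstat and ps were reported trojaned; the expected-port set and the sample data are constructed.

```python
import re

# SSH identification string: "SSH-<protoversion>-<softwareversion>"
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")

# Assumption: site policy runs sshd on port 22 only.
EXPECTED_SSH_PORTS = {22}


def assess_banner(port, first_line, expected_ports=EXPECTED_SSH_PORTS):
    """Return a list of findings for the first line a listener sent."""
    m = BANNER_RE.match(first_line.strip())
    if not m:
        return []  # not an SSH listener; out of scope for this check
    proto, software = m.groups()
    findings = []
    if port not in expected_ports:
        findings.append(f"SSH listener on unexpected port {port} ({software})")
    # "1.99" advertises SSH-2 with SSH-1 compatibility; other 1.x is SSH-1 only.
    if proto.startswith("1.") and proto != "1.99":
        findings.append(f"SSH protocol {proto} only (no SSH-2 support)")
    return findings


def triage(observations, expected_ports=EXPECTED_SSH_PORTS):
    """Map port -> findings for every (port, banner) pair that has findings."""
    report = {}
    for port, line in observations:
        findings = assess_banner(port, line, expected_ports)
        if findings:
            report[port] = findings
    return report


# Constructed sample: port 5654 carries the banner quoted in the thread;
# the other two entries are invented for contrast.
SAMPLE = [
    (22, "SSH-1.99-OpenSSH_3.0.2p1"),
    (25, "220 mail.example.org ESMTP"),
    (5654, "SSH-1.5-1.2.25"),
]

if __name__ == "__main__":
    for port, findings in triage(SAMPLE).items():
        for item in findings:
            print(f"port {port}: {item}")
```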

