Security Incidents mailing list archives

Re: Solaris hack


From: Christopher Samuel <C.Samuel () eris dera gov uk>
Date: Mon, 4 Mar 2002 10:36:12 +0000

On Thursday 28 Feb 2002 9:29 pm, Steve Huston wrote:

I just got one of these too; upon booting from CD and doing a little poking
around, I found in /usr/lib/vold/nsdap the file 'defines', which contained
the following:

======

# Edit these
# Dir to install rootkit in
RKDIR="/usr/lib/vold/nsdap"
# Your email address
EMAIL="bert.smith () mbox bol bg"
# debug mode on or off
DEBUG=0
[...]

Google is your friend - doing a search for that email address picks up two
links to the Honeynet project, both results for the Scan of the Month #16.

The most interesting of the two is:

        http://project.honeynet.org/scans/scan16/som/som34.html

by "Solar Eclipse". The useful text is:

  This looks like our rootkit. According to the README it was written by
  Tragedy/Dor <bert.smith () mbox bol bg>.  I sent an email to this address
  and Dor was kind enough to send me the binaries of his rootkit - k.tar.gz.
  I have not analyzed the rootkit in depth, since this is not the objective
  of Scan 16, but I looked at the installation script. It writes out the
  configuration to a temporary file and then obfuscates it with a crypt
  program, included in the rootkit. By disassembling the crypt binary with
  IDA Pro I found out that it simply reads the file, NOTs every byte and
  writes it out. My cryptanalysis appears to be correct.

The link "k.tar.gz" to the rootkit in the above is broken, though.

HTH, HAND,
Chris
-- 
Christopher Samuel               [dstl]                 +44 1684 771134
L007, DSTL, St Andrews Road, Malvern, UK  -  DSTL is part of the UK MoD
DISCLAIMER:  The views expressed above are just those of the author and
do not represent the views, policy or understanding of any other entity

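Added example, not part of Chris's post or of the rootkit's own tools: a small forensic helper that applies the byte-wise NOT that Solar Eclipse describes and pulls the KEY="value" assignments out of a recovered 'defines'-style file, so a responder working from a CD boot can read such a config without running anything found on the compromised host. The sample config is constructed from the excerpt quoted above, with a placeholder email address.

```python
# Forensic helper for NOT-obfuscated rootkit config files (added example).
import re
import string
from typing import Dict, Optional

_PRINTABLE = set(string.printable.encode())
# Shell-style assignment: NAME="value", NAME='value' or NAME=value
_ASSIGN_RE = re.compile(
    r'^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:"([^"]*)"|\'([^\']*)\'|(\S*))\s*$')


def not_bytes(data: bytes) -> bytes:
    """Invert every byte. NOT is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ 0xFF for b in data)


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: a decoded config should be almost entirely printable ASCII."""
    if not data:
        return False
    printable = sum(1 for b in data if b in _PRINTABLE)
    return printable / len(data) >= threshold


def recover_config(data: bytes) -> Optional[Dict[str, str]]:
    """Try the raw bytes first, then the NOT transform; return the assignments
    found, or None if neither form reads as a shell-style config."""
    for candidate in (data, not_bytes(data)):
        if not looks_like_text(candidate):
            continue
        assignments: Dict[str, str] = {}
        for line in candidate.decode('ascii', errors='replace').splitlines():
            m = _ASSIGN_RE.match(line)
            if m:
                # exactly one of the three value groups matched
                value = next(g for g in m.groups()[1:] if g is not None)
                assignments[m.group(1)] = value
        if assignments:
            return assignments
    return None


# Constructed sample: the 'defines' excerpt from the post (placeholder address),
# NOT-obfuscated here the way the post says the rootkit's crypt program does it.
SAMPLE_PLAIN = (b'# Edit these\n# Dir to install rootkit in\n'
                b'RKDIR="/usr/lib/vold/nsdap"\n# Your email address\n'
                b'EMAIL="user@example.invalid"\n# debug mode on or off\nDEBUG=0\n')
SAMPLE_OBFUSCATED = not_bytes(SAMPLE_PLAIN)

if __name__ == '__main__':
    for key, value in (recover_config(SAMPLE_OBFUSCATED) or {}).items():
        print(f'{key} = {value}')
```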

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
