Security Incidents mailing list archives

Questions: LKM, yoyo & rootkits


From: Gordon Ewasiuk <gewasiuk () unixfanatic com>
Date: Fri, 21 Feb 2003 08:31:43 -0500 (EST)


Just caught a variant of yoyo, a linux rootkit based on lrk.

http://security.alldas.mirror.widexs.nl/analysis/?aid=2

Has anyone dealt with yoyo?  The system in question will be getting a
fresh install of Redhat but I'm curious about some of the symptoms seen.

1)  The backdoor was loaded from /usr/lib/setup via /etc/rc.d/rc.local
*AND* /etc/rc.d/rc.sysinit.  Both files were cleaned and the backdoor
removed.  Upon reboot, rc.local and rc.sysinit were modified again - this
time they were chattr'ed.

2)  Does this rootkit affect rpm databases?  Rpm was seriously broken after
the rootkit.

3)  When all visible signs of the rootkit were removed, rpms were
refreshed from r/o media, and the system was rebooted, an interesting
behavior was observed:
        logging in as root
        lsof | grep 3409 shows nothing
        netstat -apm | grep 3409
        nothing would be displayed
        a minute later, netstat would show up with a PID in 800-820 range
and would appear to be bound to udp/3409.  probes to 3409/udp from an
external machine would fail.  the port appears bound but doesn't respond
to network requests
        this behavior would continue with any other processes started by
root

4)  Is yoyo an LKM?

Finally, have any php exploits been associated with yoyo?  While
researching yoyo, I found some hidden directories with phpscan and some
other php-named utilities.

The system is getting a fresh installation shortly, but curiosity has
gotten to me.

Regards,

-gordon
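Editor's note, as an added example rather than anything from Gordon's post: the symptom in point 3 (netstat shows udp/3409 bound, lsof and the process list show nothing) is the classic inconsistency between the kernel's own socket table and the process table that a kernel-level (LKM) rootkit produces, whereas an lrk-style user-space kit only trojans the binaries (ps, netstat, ls, lsof) and leaves /proc honest. The script below reads /proc/net/udp (or /proc/net/tcp) directly, collects the socket inodes owned by every process visible under /proc/<pid>/fd, and reports sockets the kernel lists that no visible process owns. It also parses lsattr output for the immutable flag that point 1 describes on rc.local and rc.sysinit. The /proc layouts used are the standard Linux ones; the sample socket table and lsattr output are constructed for the example and are not from the compromised host.

```python
"""Triage checks for a suspected LKM rootkit on Linux (added example).

1. Hidden listeners: /proc/net/udp and /proc/net/tcp list every bound
   socket with its inode; each visible process exposes its sockets as
   /proc/<pid>/fd/N -> "socket:[inode]". A kernel-listed socket that no
   visible process owns points at a process hidden from /proc.
2. Immutable boot scripts: lsattr lines whose flag string carries 'i'.
"""
import os
import re

# Constructed sample in the exact layout of /proc/net/udp: udp/68 is a normal
# service; the second row is bound to udp/3409 (hex 0D51) and its inode 9912
# is held by no visible process (see SAMPLE_OWNED_INODES).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 8801 2 0000000000000000 0
  240: 00000000:0D51 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9912 2 0000000000000000 0
"""
SAMPLE_OWNED_INODES = {8801}  # constructed: what /proc/<pid>/fd of visible processes shows

# Constructed lsattr output: rc.local has the immutable flag, rc.sysinit does not.
SAMPLE_LSATTR = """\
----i--------e-- /etc/rc.d/rc.local
-------------e-- /etc/rc.d/rc.sysinit
"""


def parse_proc_net(text):
    """Return [(local_port, inode), ...] from /proc/net/udp or /proc/net/tcp text."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        # fields[1] is "HEXADDR:HEXPORT"; fields[9] is the socket inode
        port = int(fields[1].split(":")[1], 16)
        inode = int(fields[9])
        entries.append((port, inode))
    return entries


def visible_socket_inodes(proc_root="/proc"):
    """Collect socket inodes owned by every process that appears in /proc (run as root)."""
    inodes = set()
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return inodes                          # no procfs here
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                           # process exited, or not readable
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                inodes.add(int(m.group(1)))
    return inodes


def orphan_sockets(net_entries, owned_inodes):
    """Sockets the kernel lists that no visible process owns.

    Inode 0 is a socket with no owning file (e.g. TCP TIME_WAIT); skip it.
    One hit may be a race with a process that just exited, so re-run;
    a hit that persists across runs is the hidden-listener signature.
    """
    return [(port, ino) for port, ino in net_entries
            if ino != 0 and ino not in owned_inodes]


def immutable_from_lsattr(text):
    """Paths whose lsattr flag string contains 'i' (chattr +i, immutable)."""
    immutable = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            immutable.append(parts[1])
    return immutable


def main():
    # Live run when procfs is present; otherwise demonstrate on the sample data.
    if os.path.exists("/proc/net/udp"):
        with open("/proc/net/udp") as f:
            entries = parse_proc_net(f.read())
        owned = visible_socket_inodes()
    else:
        entries, owned = parse_proc_net(SAMPLE_PROC_NET_UDP), SAMPLE_OWNED_INODES
    for port, ino in orphan_sockets(entries, owned):
        print("udp/%d bound (inode %d) but no visible process owns it" % (port, ino))
    for path in immutable_from_lsattr(SAMPLE_LSATTR):
        print("immutable: %s" % path)


if __name__ == "__main__":
    main()
```

Two caveats for anyone using this on a live box. First, a kit that replaces binaries will have replaced netstat, lsof and possibly the interpreter, so run the check from known-good media, and treat a result that depends on the compromised system's own tools as untrusted. Second, the check only catches a kit that hides processes but leaves /proc/net/* alone; a more thorough LKM can filter the socket table too, in which case nothing on the host can be believed and the answer is the reinstall already planned.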

