Found, a new rootkit



Greetings folks;

In doing some checking of a web server, we found an irc port open on 
31377, one of the black hatters' favorites.  A port that portsentry was 
supposed to be rejecting but wasn't.

We stumbled over several items over the last few days, but the most 
obvious one was a directory called .sk, located in /usr/share/misc.

Its payload seemed fairly simple, to make an underground irc chat server 
out of the box.

It does this with a shell script that echoes several kilobytes of octal 
strings to gzip in the unpack mode > to a file in the local directory 
called .sk, and it contains a login replacement also.  We did not find 
that login was the one installed however.  Which may be a clue that 
there's even more smoke in this camp than what we've found yet.

The execution installs it by cp .sk /usr/bin/apmd, but puts it 
in /usr/bin as opposed to the real apmd's location of /usr/sbin, and 
adds a starter line so it's enabled on boot to something we haven't 
found yet.  It also appears to start a third instance of portsentry.

We've cut our bandwidth use in half by getting rid of that.  We also 
checked the logs and added several dozen more addresses 
to /etc/hosts.deny, including many script based password guess attempts 
that didn't get in.  And put portsentry in its most paranoid anal mode 
with a few additions yet.

Just thought everybody would like to know about this bit of black hat.

Cheers, Gene

-- 
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
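A defender-side heuristic for the dropper pattern Gene describes (a script that echoes kilobytes of octal escapes through gzip in unpack mode into a file, then copies the result into /usr/bin). This is an added example, not code from the original post; the two sample scripts and the 64-escape threshold are constructed assumptions.

```python
import re

# Octal escape sequences (\NNN) as emitted by "echo -e" or printf.
OCTAL_ESCAPE = re.compile(r"\\[0-7]{1,3}")
# A decompressor used as a pipe filter: "| gzip -d", "| gunzip", "| zcat", ...
DECOMPRESS_FILTER = re.compile(
    r"\|\s*(gzip\s+(-[a-z]*d[a-z]*|--decompress|--uncompress)|gunzip|uncompress|zcat)\b"
)
# Output redirected into a file (the unpacked payload landing on disk).
REDIRECT_TO_FILE = re.compile(r">\s*\S+")
# A copy into a system binary directory (/bin, /sbin, /usr/bin, /usr/sbin).
INSTALL_TO_BIN = re.compile(r"\bcp\s+\S+\s+/(usr/)?s?bin/")


def dropper_indicators(script_text, min_escapes=64):
    """Score a shell script for the embedded-payload dropper pattern.

    Verdict is 'suspicious' only when a long run of octal escapes is fed
    through a decompressor AND the result is redirected into a file; the
    install-to-bin flag is reported separately as supporting evidence.
    """
    escapes = len(OCTAL_ESCAPE.findall(script_text))
    decompress = bool(DECOMPRESS_FILTER.search(script_text))
    redirect = bool(REDIRECT_TO_FILE.search(script_text))
    install = bool(INSTALL_TO_BIN.search(script_text))
    return {
        "octal_escapes": escapes,
        "decompressor": decompress,
        "redirect": redirect,
        "install_to_bin": install,
        "suspicious": escapes >= min_escapes and decompress and redirect,
    }


# Constructed benign sample: a log-rotation snippet with two colour escapes.
BENIGN_SCRIPT = r"""#!/bin/sh
printf '\033[1mrotating\033[0m\n'
gzip -9 /var/log/app.log.1
tar xzf backup.tar.gz > /dev/null
"""

# Constructed suspicious sample; the octal run is filler, not real payload data.
PAYLOAD = "".join("\\%03o" % (i % 256) for i in range(80))
SUSPICIOUS_SCRIPT = (
    "#!/bin/sh\n"
    "cd /usr/share/misc/.sk\n"
    "echo -e '" + PAYLOAD + "' | gzip -d > .sk\n"
    "cp .sk /usr/bin/apmd\n"
)

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        print(name, dropper_indicators(text))
```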
