
[suse-security] with a little help from: [Full-Disclosure] a little help needed with identifying a rootkit
Hi everybody,

I have asked the gentle folks on the Full-Disclosure list about the
files from this machine:

http://218.234.171.84/manual/.x/

and someone has taken an amazingly quick look at them and posted some
information.

I attached the original message (don't know if this list truncates
attachments though).

Apparently a PHP injection has been used to get the files onto the
target machine and the hack relied on the do_brk() vulnerability of the
Linux kernel.

But read for yourself.

regards,
Tobias W. 
--- Begin Message ---
Howdy, 

I basically have *no* time at the moment, so I just had a very very quick
look at these things. 

> The biggest file you can find on this machine in this directory is a
> gzipped file which probably contains a rootkit of some sort. The SuSE
> list is still trying to figure out what the rest does/is and how this
> fits into the "big picture".

'i' is a statically linked version of the do_brk() local root exploit. 
Both i.txt and ii.txt appear to be some php injection 'exploits'. 

'n' is a statically linked version of netcat. 

'rhs' appears to be a statically linked version of the 'rs.c' thingy, which
kicks back a shell to a host/port that you specify. 

The perl scripts are amazingly lame backdoors. 

I have too much work to look at the rootkit, sorry.

Hope that helps,

J.

--- End Message ---
-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
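The reply above identifies the dropped files by inspection: statically linked ELF binaries (the do_brk() exploit, netcat, the 'rs.c' reverse shell), a gzipped archive, PHP payloads and Perl backdoors. The following triage script is an added example written for this page, not code from either list post or from the compromised host. It classifies a directory of dropped files by magic bytes, and for ELF images it reads the program-header table to tell statically linked binaries (no PT_INTERP / PT_DYNAMIC entry) from dynamically linked ones, which is the same "statically linked" observation J. makes, done mechanically. All sample bytes below are constructed stand-ins (the ELF images are header-only skeletons, not real executables, and the Perl/PHP snippets are illustrative), and the file names only mirror the ones mentioned in the thread; the string markers used to flag shell or socket use are a heuristic, not a signature for these specific files.

```python
import struct

PT_DYNAMIC = 2
PT_INTERP = 3
MACHINES = {3: "i386", 62: "x86-64"}  # enough for the era of this thread
# Heuristic markers for shell/network behaviour in scripts (assumption, not a signature)
SHELL_MARKERS = (b"/bin/sh", b"socket(", b"connect(", b"bind(", b"exec")


def parse_elf(data: bytes) -> dict:
    """Read the ELF header and program headers; infer static linking from the
    absence of PT_INTERP/PT_DYNAMIC (what 'file' reports as 'statically linked')."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:                       # ELF64
        hdr = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        ph_fmt = endian + "IIQQQQQQ"        # p_type is the first field
    elif ei_class == 1:                     # ELF32
        hdr = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        ph_fmt = endian + "IIIIIIII"        # p_type is the first field
    else:
        raise ValueError("unknown EI_CLASS")
    e_machine, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[4], hdr[8], hdr[9]
    types = [struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)[0]
             for i in range(e_phnum)]
    return {
        "bits": 64 if ei_class == 2 else 32,
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "phdr_types": types,
        "static": not (PT_INTERP in types or PT_DYNAMIC in types),
    }


def flag_markers(data: bytes) -> list:
    """Return which shell/network markers appear in a script body."""
    return [m.decode() for m in SHELL_MARKERS if m in data]


def triage(name: str, data: bytes) -> str:
    """One-line classification of a dropped file from its leading bytes."""
    if data[:2] == b"\x1f\x8b":
        return "gzip archive (unpack and triage contents separately)"
    if data[:4] == b"\x7fELF":
        info = parse_elf(data)
        linkage = "statically linked" if info["static"] else "dynamically linked"
        return f"ELF{info['bits']} {info['machine']} executable, {linkage}"
    if data[:2] == b"#!":
        interp = data.split(b"\n", 1)[0][2:].strip().decode("ascii", "replace")
        hits = flag_markers(data)
        extra = f"; shell/network markers: {', '.join(hits)}" if hits else ""
        return f"script for {interp}{extra}"
    if data.lstrip().startswith(b"<?php"):
        return "PHP source (candidate injection payload)"
    return "unclassified"


def build_elf(static: bool, ei_class: int = 1) -> bytes:
    """Constructed sample: a header-only ELF skeleton with a program-header table.
    Not runnable code, just enough structure for parse_elf()."""
    ph_types = [1] if static else [PT_INTERP, 1, PT_DYNAMIC]   # PT_LOAD = 1
    if ei_class == 2:
        ehsize, phentsize, hdr_fmt, ph_fmt = 64, 56, "<HHIQQQIHHHHHH", "<IIQQQQQQ"
    else:
        ehsize, phentsize, hdr_fmt, ph_fmt = 52, 32, "<HHIIIIIHHHHHH", "<IIIIIIII"
    ident = b"\x7fELF" + bytes([ei_class, 1, 1]) + b"\x00" * 9
    e_machine = 62 if ei_class == 2 else 3
    hdr = ident + struct.pack(hdr_fmt, 2, e_machine, 1, 0, ehsize, 0, 0,
                              ehsize, phentsize, len(ph_types), 0, 0, 0)
    phdrs = b"".join(struct.pack(ph_fmt, t, 0, 0, 0, 0, 0, 0, 0) for t in ph_types)
    return hdr + phdrs


# Constructed sample drop directory; names mirror the thread, contents are stand-ins.
SAMPLES = {
    "i": build_elf(static=True),                       # static 32-bit binary
    "n": build_elf(static=True, ei_class=2),           # static 64-bit binary
    "rhs": build_elf(static=False),                    # dynamically linked, for contrast
    "rootkit.gz": b"\x1f\x8b\x08\x00" + b"\x00" * 28,
    "bd.pl": b"#!/usr/bin/perl\nuse Socket;\nsocket(S, PF_INET, SOCK_STREAM, 0);\nexec '/bin/sh';\n",
    "i.txt": b"<?php\n// constructed stand-in for a PHP payload\n",
}


def triage_all(samples: dict = SAMPLES) -> dict:
    """Classify every file in the drop directory."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:12s} {verdict}")
```

Run against a real drop directory, replace SAMPLES with the bytes of each file and compare the verdicts with `file(1)`; a statically linked binary is a hint (no shared-library dependencies to trip over on the victim), not proof of malice, so the archive and scripts still need to be read by hand.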