
 
From: Dan Irwin (dan@jackies.com.au)
Date: Sun Apr 21 2002 - 15:47:08 CDT


    Here it is:

    http://www2.linuxphreaks.org/pub/security/rootkits/illogic.tgz

    Output from Installer:

    http://www2.linuxphreaks.org/pub/hp/20020418/illogic-install.txt

    chkrootkit output:

    http://www2.linuxphreaks.org/pub/hp/20020418/chkrootkit.log

    Sorry for the delay. I wanted to post this using my work account to avoid
    any confusion, and I don't work on weekends.

    - Dan.

    --
    Dan Irwin - Systems Administrator
    Jackie's Wholesale Nurseries Pty Ltd
    Email: dan@jackies.com.au
    Phone: 07 3888 2481
    Fax: 07 3888 2530
    Postal: 10 Gleeson Road Burpengary Queensland 4505
    Email: info@jackies.com.au
    Web: http://www.jackies.com.au
    

    -----Original Message-----
    From: Dan Irwin [mailto:dan@jackies.com.au]
    Sent: Friday, 19 April 2002 2:21 PM
    To: 'incidents@securityfocus.com'
    Subject: illogic rootkit

    Hi all.

    I found a rootkit named "illogic" on a recently compromised Red Hat 7.2 honeypot. Searches on Google and AltaVista revealed nothing, but a search on Google Groups revealed one news article which originated from Russia.

    Anyone seen this before?

    It appears the attacker left a copy of the illogic.tgz file intact on my honeypot. Last night I did some quick forensics and discovered the following things about this rootkit:

    * Contains the Adore rootkit
    * Contains many trojaned binaries (sshd, syslog, etc.)
    * Contains several ./massrooting tools (ssh, lpd, wuftpd)
    * Contains DDoS tools
    * And much more.

    This is all in 1 package, about a megabyte in size.

    From my tcpdump logs I also traced the FTP server from which this was downloaded. I also obtained the attacker's username/password for the aforementioned FTP site.

    I will publish the rootkit on my personal web site sometime later today.

    - Dan.

    --
    Dan Irwin - Systems Administrator
    Jackie's Wholesale Nurseries Pty Ltd
    Email: dan@jackies.com.au
    Phone: 07 3888 2481
    Fax: 07 3888 2530
    Postal: 10 Gleeson Road Burpengary Queensland 4505
    Email: info@jackies.com.au
    Web: http://www.jackies.com.au
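Dan says he traced the download server and the attacker's FTP login from his tcpdump logs. As an added example, not code from either of the posts above, the following Python script shows one way to do that from a `tcpdump -A` text dump: it attributes each packet's payload lines to a (client, server) pair on port 21, skips the IP/TCP header bytes that `-A` renders as junk, and pulls out USER, PASS, the working directory and every RETR. The capture text, the addresses (RFC 5737 documentation ranges) and the credentials are constructed for the example; only the file name illogic.tgz comes from the thread.

```python
"""Recover FTP server, login and fetched files from a tcpdump -A text dump.

Added example for this thread, not code from the original posts. Assumes the
control channel was captured with payload printing, e.g. `tcpdump -A port 21`
or `tcpdump -A -r capture.pcap port 21`; header-only logs carry no payload.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed tcpdump -A style output: made-up sample data, not the honeypot's real
# logs. Hosts are RFC 5737 documentation addresses and the credentials are invented.
# The "E..." lines are how -A renders the IP/TCP header bytes of each packet.
SAMPLE_TCPDUMP = """\
13:42:02.004201 IP 192.0.2.10.1034 > 203.0.113.7.21: P 1:13(12) ack 23 win 5840
E..4..@.@.......
USER wh0is
13:42:02.221119 IP 203.0.113.7.21 > 192.0.2.10.1034: P 23:57(34) ack 13 win 5792
E..J..@.@.......
331 Password required for wh0is.
13:42:02.801222 IP 192.0.2.10.1034 > 203.0.113.7.21: P 13:27(14) ack 57 win 5840
E..6..@.@.......
PASS l3tm31n
13:42:03.010344 IP 203.0.113.7.21 > 192.0.2.10.1034: P 57:83(26) ack 27 win 5792
E..B..@.@.......
230 User wh0is logged in.
13:42:05.110000 IP 192.0.2.10.1034 > 203.0.113.7.21: P 27:36(9) ack 83 win 5840
E..1..@.@.......
CWD pub
13:42:06.000000 IP 192.0.2.10.1034 > 203.0.113.7.21: P 36:54(18) ack 83 win 5840
E..:..@.@.......
RETR illogic.tgz
13:42:09.900000 IP 203.0.113.7.21 > 192.0.2.10.1034: P 83:107(24) ack 54 win 5792
E..@..@.@.......
226 Transfer complete.
"""

HEADER_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ IP (\S+) > (\S+):")
CMD_RE = re.compile(r"^(USER|PASS|CWD|RETR|STOR|QUIT)(?: (.*))?\s*$")
LOGIN_OK_RE = re.compile(r"^230[ -]")   # 230 = "user logged in" (also multi-line form)
FTP_PORT = 21


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """tcpdump writes host.port, e.g. '203.0.113.7.21' -> ('203.0.113.7', 21)."""
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


@dataclass
class FtpSession:
    client: str
    server: str
    user: Optional[str] = None
    password: Optional[str] = None
    logged_in: bool = False          # set when the server answers 230
    cwd: List[str] = field(default_factory=list)
    retrieved: List[str] = field(default_factory=list)


def parse_ftp_sessions(dump: str) -> Dict[Tuple[str, str], FtpSession]:
    """Walk the dump packet by packet, attributing payload lines to a (client, server) session."""
    sessions: Dict[Tuple[str, str], FtpSession] = {}
    current: Optional[Tuple[FtpSession, bool]] = None   # (session, payload flows to server?)
    for line in dump.splitlines():
        hdr = HEADER_RE.match(line)
        if hdr:
            src, sport = split_endpoint(hdr.group(1))
            dst, dport = split_endpoint(hdr.group(2))
            if dport == FTP_PORT:
                key, to_server = (src, dst), True
            elif sport == FTP_PORT:
                key, to_server = (dst, src), False
            else:
                current = None                  # not FTP control traffic; skip its payload
                continue
            current = (sessions.setdefault(key, FtpSession(*key)), to_server)
            continue
        if current is None:
            continue
        session, to_server = current
        if to_server:
            cmd = CMD_RE.match(line)
            if not cmd:
                continue                        # header junk rendered by -A, or a split segment
            verb, arg = cmd.group(1), (cmd.group(2) or "").strip()
            if verb == "USER":
                session.user = arg
            elif verb == "PASS":
                session.password = arg          # FTP sends this in the clear
            elif verb == "CWD":
                session.cwd.append(arg)
            elif verb == "RETR":
                session.retrieved.append("/".join(session.cwd + [arg]))
        elif LOGIN_OK_RE.match(line):
            session.logged_in = True
    return sessions


if __name__ == "__main__":
    for s in parse_ftp_sessions(SAMPLE_TCPDUMP).values():
        print(f"{s.client} -> {s.server}: user={s.user!r} pass={s.password!r} "
              f"login_ok={s.logged_in} fetched={s.retrieved}")
```

Two caveats for real captures. `tcpdump -A` prints each segment's payload on its own, so a command that straddles two TCP segments will not match the command pattern and is dropped; when the raw pcap is available, a stream reassembler (tcpflow, or Follow TCP Stream in Ethereal/Wireshark) gives cleaner input than the text dump. And the reason the login is recoverable at all is that FTP carries USER and PASS in cleartext, which is exactly why the attacker's credentials showed up in Dan's logs.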

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management and tracking system
    please see: http://aris.securityfocus.com
