Steve and all,

>rootkit. It had files stored in /dev/\ \ \ , modified a bunch of
>binaries including su, netstat, ls, ps, and ifconfig, and installed some
>sort of sshd trojan in a whole bunch of places. Sound familiar to
>anyone? (ie, who knows where I can learn more about it?)
Yeah, it fact it sounds like most rootkits I've seen.

>While cleaning up the mess with that, things still weren't working so I
>looked farther and discovered ANOTHER bunch of covert directories,
Sure, some kits deploy a sniffer in one place, sshd in another, adore
(have you found anyth kernel-level?) in yet another place.

>Anyone hear of these? Is this one rootkit or more than one?
It can be one or it can be more. If you had no Tripwire/integrity
checking software there is no way to _reliably_ find all traces of the
penetreation. In fact, even if you do have it - it is still not likely.
Rebuilding the box is the most popular advice given in this list ;-)

Best,

-- 
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]