Re: New Rootkit?
From: Thorsten Holz (thorsten.holz@mmweg.rwth-aachen.de)
Date: Thu Oct 16 2003 - 10:44:08 CDT
On Thu Oct 16 09:38:54 2003 Jonas Frey (Probe Networks) wrote:
> I've put up the files for further analysis at:
> http://81.2.144.1/rootkit/
Looks like a modified version of suckit:
$ strings init | grep -i suckit
Suckit uninstalled sucesfully!
$ strings init | grep -i fuck
FUCK: Can't allocate raw socket (%d)
FUCK: Can't fork child (%d)
FUCK: Failed to uninstall (%d)
FUCK: Failed to hide pid %d (%d)
FUCK: Failed to unhide pid %d (%d)
FUCK: Can't open %s for read/write (%d)
FUCK: IDT table read failed (offset 0x%08x)
FUCK: Can't find sys_call_table[]
FUCK: Can't find kmalloc()!
FUCK: Can't read syscall %d addr
FUCK: Out of kernel memory!
FUCK: Got signal %d while manipulating kernel!
SuckIT ( http://hysteria.sk/sd/f/suckit ) was published in Phrack #58.
It doesn't depend on loadable kernel module support, works via
/dev/kmem...
"at" looks like imp:
"Imp is a denial of service tool which sends SYN floods. Some people
call this one slice3. Dynamically linked with libc5. By Sinkhole."
[from http://packetstormsecurity.nl/DoS/]
HTH,
thorsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/jrzL0gf78WsIP8wRAl42AJ9XFlVBVqS/dfCVf9wTmNLDAOdaRACg/GxB
kMexmVCFXdZ1gNh2njacT7s=
=ewD1
-----END PGP SIGNATURE-----
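The triage above (run `strings` over the dropped binary, grep for the SuckIT error messages) is easy to automate. The following Python is an added example, not part of the original message or of the SuckIT or packetstorm material; it reimplements the `strings` step (runs of at least four printable ASCII bytes), matches the output case-insensitively against the indicator strings quoted in the message, and returns a verdict. The ELF-like sample buffers are constructed for the example and are not bytes from the actual rootkit; the indicator list, threshold and function names are the example's own choices.

```python
import re
from pathlib import Path

# Indicator strings copied from the `strings init` output quoted in the message.
# Matching is case-insensitive, as with `grep -i`.
SUCKIT_INDICATORS = (
    b"Suckit uninstalled",
    b"FUCK: Can't find sys_call_table[]",
    b"FUCK: IDT table read failed",
    b"FUCK: Can't find kmalloc()!",
    b"FUCK: Can't read syscall",
    b"FUCK: Got signal %d while manipulating kernel!",
)

# How many distinct indicators must be present before we call it a hit
# (assumed threshold for this example; two avoids a single coincidental string).
HIT_THRESHOLD = 2


def extract_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Mimic `strings`: return runs of >= min_len printable ASCII bytes.

    Printable here means 0x20-0x7e plus TAB, which is what GNU strings
    reports by default; NUL and other control bytes terminate a run.
    """
    return re.findall(rb"[\x20-\x7e\t]{%d,}" % min_len, data)


def match_indicators(data: bytes, indicators=SUCKIT_INDICATORS) -> list[bytes]:
    """Return the indicators found in the binary's string table, in order of
    first appearance, each reported once."""
    found: list[bytes] = []
    for s in extract_strings(data):
        low = s.lower()
        for ind in indicators:
            if ind.lower() in low and ind not in found:
                found.append(ind)
    return found


def triage(data: bytes) -> dict:
    """Classify a blob: which SuckIT indicators it carries and whether the
    count crosses HIT_THRESHOLD."""
    found = match_indicators(data)
    return {
        "indicators": found,
        "suspect": len(found) >= HIT_THRESHOLD,
    }


def triage_file(path: str) -> dict:
    """Convenience wrapper to triage a file on disk."""
    return triage(Path(path).read_bytes())


# Constructed sample buffers (not real rootkit bytes): an ELF-looking header
# followed by some of the quoted strings, and a benign one that only has a
# usage message like a normal `at` binary would.
SAMPLE_SUSPECT = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"Suckit uninstalled sucesfully!\x00"
    + b"\x90\x90"
    + b"FUCK: Can't find sys_call_table[]\x00"
    + b"FUCK: Can't find kmalloc()!\x00"
    + b"\x00\x01\x02"
)

SAMPLE_CLEAN = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"usage: at [-V] [-q x] [-f file] [-m] time\x00"
    + b"\x00\x01\x02"
)


if __name__ == "__main__":
    for name, blob in (("suspect", SAMPLE_SUSPECT), ("clean", SAMPLE_CLEAN)):
        result = triage(blob)
        print(name, "suspect" if result["suspect"] else "no match",
              [i.decode() for i in result["indicators"]])
```

Pointing `triage_file()` at the recovered `init` gives the same answer the manual `strings | grep -i suckit` pass gave; the threshold exists because a single error string can survive in an unrelated binary, whereas several of these messages together are characteristic of the SuckIT code base.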