From: eballen1 at qwest.net (Bruce Ediger)
Subject: Rootkit

On Fri, 26 Sep 2003, David Hane wrote:

> I recently had a machine get hacked before I could finish installing all the
> damn remote-root exploit patches that have been released in the last week.
> I've done the forensics and I know how they got in and what they did but I
> would like to know what rootkit they used.

In a later message, you said it was a Solaris rootkit.

Not all Solaris root kits have a name:

http://groups.google.com/groups?q=Ediger+rootkit+solaris&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=tPLT6.31%244Y4.88875%40news.uswest.net&rnum=1

The rootkit I found was a combo of tradey/dor's rootkit and the Universal Root Kit. Based on a couple of other accounts:

http://www.cert.org/advisories/CA-2001-05.html
http://ouah.kernsh.org/comp_sys.htm

and some personal communications, the rootkit I found was used in the wild for quite a while, and it was under continuous development. I even wrote an email to tragedy/dor, hinting that I'd like to have looked at the code. I offered suggestions for improving the rootkit as kind of a quid pro quo. He/she/it/they wrote back saying that the source got lost in a server crash.

Anyway, the point is that at least one root kit for Solaris is floating around, has been for a few years, yet it doesn't have a snappy name. For example, it's not really too clear if even the latest chkrootkit would find the tragedy/dor Solaris rootkit - chkrootkit did not find it back in April of 2001.