lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: eballen1 at qwest.net (Bruce Ediger)
Subject: Rootkit

On Fri, 26 Sep 2003, David Hane wrote:

> I recently had a machine get hacked before I could finish installing all the
> damn remote-root exploit patches that have been released in the last week.
> I've done the forensics and I know how they got in and what they did but I
> would like to know what rootkit they used.

In a later message, you said it was a Solaris rootkit.  Not all Solaris
root kits have a name:

http://groups.google.com/groups?q=Ediger+rootkit+solaris&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=tPLT6.31%244Y4.88875%40news.uswest.net&rnum=1

The rootkit I found was a combo of tradey/dor's rootkit and the Universal
Root Kit.

Based on a couple of other accounts:
http://www.cert.org/advisories/CA-2001-05.html
http://ouah.kernsh.org/comp_sys.htm
and some personal communications, the rootkit I found was used in the wild
for quite a while, and it was under continuous development.

I even wrote an email to tragedy/dor, hinting that I'd like to have looked
at the code.  I offered suggestions for improving the rootkit as kind of
a quid pro quo.  He/she/it/they wrote back saying that the source got lost
in a server crash.

Anyway, the point is that at least one root kit for Solaris is floating
around, has been for a few years, yet it doesn't have a snappy name.
For example, it's not really too clear if even the latest chkrootkit would
find the tragedy/dor Solaris rootkit - chkrootkit did not find it back
in April of 2001.



Powered by blists - more mailing lists