lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: jan.muenther at nruns.com (jan.muenther@...ns.com) Subject: a little help needed with identifying a rootkit Howdy, I basically have *no* time at the moment, so I just had a very very quick look at these things. > The biggest file you can find on this machine in this directory is a > gzipped file which probably contains a rootkit of some sort. The SuSE > list is still trying to figure out what the rest does/is and how this > fits into the "big picture". 'i' is a statically linked version of the do_brk() local root exploit. Both i.txt and ii.txt appear to be some php injection 'exploits'. 'n' is a statically linked version of netcat. 'rhs' appears to be a statically linked version of the 'rs.c' thingy, which kicks back a shell to a host/port that you specify. The perl scripts are amazingly lame backdoors. I have too much work to look at the rootkit, sorry. Hope that helps, J.
Powered by blists - more mailing lists