| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: tobias at weisserth.de (Tobias Weisserth) Subject: a little help needed with identifying a rootkit Hi Jan, Am Die, den 13.01.2004 schrieb jan.muenther@...ns.com um 20:41: > Howdy, > > I basically have *no* time at the moment, so I just had a very very quick > look at these things. Thanks for that quick look! :-) > > The biggest file you can find on this machine in this directory is a > > gzipped file which probably contains a rootkit of some sort. The SuSE > > list is still trying to figure out what the rest does/is and how this > > fits into the "big picture". > > 'i' is a statically linked version of the do_brk() local root exploit. > Both i.txt and ii.txt appear to be some php injection 'exploits'. > > 'n' is a statically linked version of netcat. > > 'rhs' appears to be a statically linked version of the 'rs.c' thingy, which > kicks back a shell to a host/port that you specify. > > The perl scripts are amazingly lame backdoors. > > I have too much work to look at the rootkit, sorry. This is already more than I have hoped for. Thanks VERY much! I haven't had the chance to look at something like this in the past so these pointers really are speeding up things. Thanks. kind regards from Brussels, Tobias W.
Powered by blists - more mailing lists