Questions: LKM, yoyo & rootkits
Just caught a variant of yoyo, a linux rootkit based on lrk.
http://security.alldas.mirror.widexs.nl/analysis/?aid=2
Has anyone dealt with yoyo? The system in question will be getting a
fresh install of Redhat but I'm curious about some of the symptoms seen.
- The backdoor was loaded from /usr/lib/setup via /etc/rc.d/rc.local
*AND* /etc/rc.d/rc.sysinit. Both files were cleaned and the backdoor
removed. Upon reboot, rc.local and rc.sysinit were modified again - this
time they were chattr'ed.
- Does this rootkit affect rpm databases? Rpm was seriously broken after
the rootkit.
- When all visible signs of the rootkit were removed, rpms were
refreshed from r/o media, and the system was rebooted, an interesting
behavior was observed:
  logging in as root:
    lsof | grep 3409        shows nothing
    netstat -apm | grep 3409
                            nothing would be displayed
  a minute later, netstat would show a PID in the 800-820 range that
  appeared to be bound to udp/3409. Probes to 3409/udp from an external
  machine would fail: the port appears bound but doesn't respond to
  network requests.
  This behavior would continue with any other processes started by
  root.
- Is yoyo an LKM?
Finally, have any php exploits been associated with yoyo? While
researching yoyo, I found some hidden directories with phpscan and some
other php-named utilities.
The system is getting a fresh installation shortly, but curiosity has
gotten to me.
Regards,
-gordon
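Added example, not part of the original post: lrk-style kits ship trojaned netstat/lsof, so one defender's cross-check is to read the kernel's own socket table from /proc/net/udp and map the socket inode back to a PID through /proc/<pid>/fd. The table below is a constructed sample in the /proc/net/udp layout; port 3409 is the one from the post, and the inode numbers and other rows are made-up values.

```python
#!/usr/bin/env python3
"""Cross-check UDP listeners against /proc/net/udp instead of netstat.

Added example (not from the original post or from lrk/yoyo). The sample
socket table is constructed; inode 12345 and the other rows are made up.
"""
import os
import socket
import struct

# Constructed sample in the exact /proc/net/udp column layout.
# local_address is "hex little-endian IPv4 : hex port".
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  0: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1024
  1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 2048
  2: 00000000:0D51 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345
"""


def parse_addr(hex_addr):
    """Decode '0100007F:0035' into ('127.0.0.1', 53)."""
    ip_hex, port_hex = hex_addr.split(":")
    # /proc/net stores the IPv4 address as a little-endian 32-bit word.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def udp_sockets(table_text):
    """Return one dict per socket row: ip, port, uid, inode."""
    rows = []
    for line in table_text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        ip, port = parse_addr(fields[1])
        rows.append({"ip": ip, "port": port,
                     "uid": int(fields[7]), "inode": int(fields[9])})
    return rows


def sockets_on_port(table_text, port):
    """Rows whose local port matches, regardless of what netstat says."""
    return [r for r in udp_sockets(table_text) if r["port"] == port]


def pids_holding_inode(inode, proc_root="/proc"):
    """Walk /proc/<pid>/fd looking for 'socket:[<inode>]' (Linux only).

    Returns [] when /proc is unavailable or no process holds the inode,
    which on a live box is itself a hint that something is hiding.
    """
    target = "socket:[%d]" % inode
    holders = []
    if not os.path.isdir(proc_root):
        return holders
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited or permission denied
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    holders.append(int(pid))
                    break
            except OSError:
                continue
    return holders


if __name__ == "__main__":
    # On a real system read open("/proc/net/udp").read() instead of the sample.
    for sock in sockets_on_port(SAMPLE_PROC_NET_UDP, 3409):
        print("udp/%d bound on %s by uid %d, inode %d, pids %s" % (
            sock["port"], sock["ip"], sock["uid"], sock["inode"],
            pids_holding_inode(sock["inode"]) or "none visible"))
```

Run it against the live /proc/net/udp and diff the result with the output of the installed netstat: a socket present in the kernel table but absent from netstat is a strong sign the binary is trojaned, and an inode no process in /proc admits to holding points at process hiding.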
Received on Fri Feb 21 18:34:25 2003
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 14:01:58 EDT