
Re: [CERT] possible rootkit, maybe partial?

From: ePAc <epac(at)korigan.net>
Date: Wed Apr 02 2003 - 23:27:17 EST

My first thought would be towards some sort of module hack. That is, a module that loads, modifies something in the kernel (replaces some functions) and then unloads, but leaves the code available. Of course, I have no clue how you would check for such a thing, but I would guess that it would be loaded by something like modutil or devfsd. Have you checked to see if you have some module somewhere in the tree under /lib/modules/xxx that has no business being there?

I hope this helps..
ePAc

On Wed, 2 Apr 2003, Benjamin Tomhave wrote:

> Date: Wed, 2 Apr 2003 20:47:05 -0700
> From: Benjamin Tomhave <falcon@cybersecret.com>
> To: incidents@securityfocus.com
> Subject: [CERT] possible rootkit, maybe partial?
>
> Hello,

---
Nothing is foolproof to a sufficiently talented fool...
  oo
,(..)\
  ~~
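As an added example (not part of ePAc's message or the original thread), a small POSIX shell check for the last suggestion above: it lists module files under a /lib/modules/<version> tree that the tree's own modules.dep index does not reference, which is one concrete way to spot a module file that "has no business being there". The function name and the sample tree in the usage line are assumptions; the script only reads files and changes nothing.

```shell
#!/bin/sh
# Added example, not from the original message: report kernel module files that
# are present under a /lib/modules/<version> tree but absent from that tree's
# modules.dep. depmod writes modules.dep from the modules it indexed, so a .o/.ko
# file on disk with no entry is an anomaly worth explaining. Old modutils wrote
# absolute paths in modules.dep, newer depmod writes paths relative to the tree;
# both are normalised to tree-relative paths before comparing.
# Assumes the tree path contains no '|' (used as the sed delimiter below).

unindexed_modules() {
    tree=${1%/}
    dep="$tree/modules.dep"
    [ -f "$dep" ] || { echo "no modules.dep in $tree" >&2; return 2; }
    idx=$(mktemp) || return 2

    # Module path is the first field before ':'; continuation lines of the old
    # backslash-wrapped format start with whitespace and are skipped.
    sed -n 's/^\([^:[:space:]]*\):.*/\1/p' "$dep" \
        | sed "s|^$tree/||" | sort -u > "$idx"

    # Every module object on disk, compared by its tree-relative path.
    find "$tree" -type f \( -name '*.o' -o -name '*.ko' -o -name '*.ko.gz' \
        -o -name '*.ko.xz' -o -name '*.ko.zst' \) | sort |
    while read -r f; do
        rel=${f#"$tree/"}
        grep -qxF -- "$rel" "$idx" || echo "unindexed: $f"
    done
    rm -f "$idx"
}

# Stand-alone use: sh thisfile.sh /lib/modules/$(uname -r)
if [ "$#" -gt 0 ]; then
    unindexed_modules "$1"
fi
```

Anything it prints still has to be explained by hand (a module copied in without re-running depmod is a benign cause), and a module that was loaded from outside the tree and has since unloaded will not show up here at all.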

Received on Thu Apr 3 19:30:16 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:01 EDT
