Check the following link out; it may provide you with greater insight, as it looks like that rootkit from the information you've provided, which I've found floating around recently:
https://gitorious.org/dongforce/main/source/e08f161206e31cc12f1a874d8add153764564065:__UMBREON__

Ed

> On 9 Dec 2014, at 01:43, Alfred Baroti <[email protected]> wrote:
>
> Hi,
> I was wondering if someone has found something similar to this. I didn't find
> anything similar to this before.
>
>
> Here it is:
>
> root@pay1-test:~# ssh zimadmin@0
> zimadmin@0's password:
> -------;i------------------------------------------
> -----.,if------------------------------------------
> -----,tLE,--------------..:;ji---------------------
> ----;ittL;----------.;;;tjfGj.---------------------
> ---;tfGDK;--------,;;,tLEKKt-----------------:;,---
> ---ijLDKD.------:;,iLfiiGD;---------------.,ifj.---
> --.;tGKKi------:tjLKWWEj;.--------------:;jLEE;----
> ---;iLEL::..:,;tjEW##Wf,--------------.,;tGKWf-----
> ---,,;t;,:,,ifi;LKELt:--------------.;;itiiLD:-----
> ---:iiLjGLfLGGDEE;-----------------.i:,LKEfji------
> --:;;jGfDGKW####KL.----------------i,,jDKWEt-------
> --,.ifGGGLEEE###WEt---------------:tifDEKD;--------
> --:,;LDGELKKK####KEj.-------------iLGKELi----------
> ---ijGDEWKW#######WDfi;;,,;ii,,,::DELt:------------
> ---,fDKKKW###WK#####EGLLLLLLLfft,:ii.--------------
> -----:,,,:;fji;LW#####WKEEEEEEDLji::i;-------------
> -----------,;GLjjDKKWWWEEEKEEDfjLLLGGDL:-----------
> -----------,;fGL;;tfLfjjfGDDGftLEKKEDEEf-----------
> -----------,;;GEt-:tftifGEEEDftLEKKjjLLL-----------
> ------------;iGKt-iGLGLttK####EGDEEjiEGG;----------
> ------------.LEEi;ftff;--,E####LjDEEGGDDD;---------
> -------------;EL:jjGLi----,K###t--,ijDKEDDL:-------
> --------------jt;DGt:-----.LKKKi------tDEDEt-------
> -------------.tjDKf-----.,ifff;--------tEDEj-------
> ------------:fDEWKi----;;,,ii.--------,iLLDt-------
> ----------:;ifEKG,-------..-----------,jjj;--------
> -----------fttGED----------------------------------
> ------------.--------------------------------------
> root@pay1-test:~# w
> 23:28:03 up 234 days, 14:54, 0 users, load average: 0.00, 0.00, 0.00
> USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
> root@pay1-test:~# id zimadmin
> uid=0(root) gid=197 groups=0(root)
> root@pay1-test:~# cat /etc/passwd |grep zimadmin
> root@pay1-test:~# cat /etc/shadow |grep zimadmin
>
> And in a normal login it makes no sense:
>
> root@pay1-test:~# ls -la /usr/lib/libc.so.0
> ls: cannot access /usr/lib/libc.so.0: No such file or directory
> root@pay1-test:~# cd /usr/lib/libc.so.0
> root@pay1-test:/usr/lib/libc.so.0# ls
> ls: cannot open directory .: No such file or directory
> root@pay1-test:/usr/lib/libc.so.0# pwd
> /usr/lib/libc.so.0
> root@pay1-test:/usr/lib/libc.so.0# ls
> ls: cannot open directory .: No such file or directory
> root@pay1-test:/usr/lib/libc.so.0# strace ls
> -bash: /usr/bin/strace: Input/output error
> root@pay1-test:/usr/lib/libc.so.0#
>
>
> Does anyone have any idea what I am dealing with?
>
> Thanks
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
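The two symptoms in the quoted post (a directory that `cd` and `pwd` can enter but `ls` and `stat` cannot see, and an account that `id` resolves to uid 0 while `grep` finds no line for it in /etc/passwd) are what you get when the libc calls that `ls`, `id` and `grep` go through are hooked in userland, typically via LD_PRELOAD, while the kernel itself still answers truthfully. The check a responder wants is therefore to ask the same question twice, once through libc and once through the raw syscall, and flag any disagreement. The program below is an added example written for this page; it is not code from either poster or from the linked repository. The function names (`count_hidden_entries`, `passwd_inconsistent`), the default path /usr/lib and the default user `root` are my choices, and the check assumes Linux with glibc and a hook that lives in userland only: a kernel-level rootkit would lie to both views and would not be caught by this.

```c
/* Added example: compare libc's view of the system with the kernel's view
 * obtained through raw syscalls. Assumes Linux/glibc and a userland hook
 * (e.g. LD_PRELOAD); a kernel rootkit fools both views and is out of scope. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_NAMES 4096 /* entries compared per directory (truncates beyond) */
#define NAME_LEN  256
typedef char name_t[NAME_LEN];

/* Record layout the kernel returns from getdents64 (glibc does not export it). */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Whole file via raw openat/read; malloc'd NUL-terminated text, or NULL. */
static char *raw_read_file(const char *path) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return NULL;
    size_t cap = 65536, len = 0;
    char *buf = malloc(cap);
    while (buf) {
        if (len + 4096 >= cap) {
            char *grown = realloc(buf, cap *= 2);
            if (!grown) { free(buf); buf = NULL; break; }
            buf = grown;
        }
        long got = syscall(SYS_read, fd, buf + len, cap - len - 1);
        if (got <= 0) { buf[len] = '\0'; break; }
        len += (size_t)got;
    }
    syscall(SYS_close, fd);
    return buf;
}

/* Directory names via raw getdents64; returns count or -1. */
static int raw_listing(const char *path, name_t *names) {
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    char buf[32768];
    long got;
    int n = 0;
    while ((got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0)
        for (long off = 0; off < got;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            if (n < MAX_NAMES) snprintf(names[n++], NAME_LEN, "%s", d->d_name);
            off += d->d_reclen;
        }
    syscall(SYS_close, fd);
    return got < 0 ? -1 : n;
}

/* Directory names via libc opendir/readdir (the path a hook intercepts). */
static int libc_listing(const char *path, name_t *names) {
    DIR *dp = opendir(path);
    if (!dp) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(dp)) != NULL;)
        if (n < MAX_NAMES) snprintf(names[n++], NAME_LEN, "%s", e->d_name);
    closedir(dp);
    return n;
}

/* Entries the kernel reports but libc does not. 0: views agree; >0: a readdir
 * hook is filtering names; -1: directory unreadable through one of the paths. */
int count_hidden_entries(const char *path) {
    name_t *raw = calloc(MAX_NAMES, sizeof *raw), *lib = calloc(MAX_NAMES, sizeof *lib);
    int hidden = -1;
    if (raw && lib) {
        int nr = raw_listing(path, raw), nl = libc_listing(path, lib);
        if (nr >= 0 && nl >= 0) {
            hidden = 0;
            for (int i = 0; i < nr; i++) {
                int seen = 0;
                for (int j = 0; j < nl && !seen; j++) seen = strcmp(raw[i], lib[j]) == 0;
                if (!seen) { printf("hidden from libc: %s/%s\n", path, raw[i]); hidden++; }
            }
        }
    }
    free(raw); free(lib);
    return hidden;
}

/* Account that getpwnam() resolves but a raw read of /etc/passwd lacks.
 * 1: inconsistent (a libc/NSS hook, or a legitimate remote NSS source such
 * as LDAP, so check nsswitch.conf); 0: consistent; -1: /etc/passwd unreadable. */
int passwd_inconsistent(const char *user) {
    char *text = raw_read_file("/etc/passwd");
    if (!text) return -1;
    char key[NAME_LEN];
    int klen = snprintf(key, sizeof key, "%s:", user), in_file = 0;
    for (char *line = strtok(text, "\n"); line && !in_file; line = strtok(NULL, "\n"))
        in_file = strncmp(line, key, (size_t)klen) == 0;
    free(text);
    return getpwnam(user) != NULL && !in_file;
}

int main(int argc, char **argv) {
    const char *dir = argc > 1 ? argv[1] : "/usr/lib"; /* the directory from the post */
    const char *user = argc > 2 ? argv[2] : "root";
    printf("%s: %d entries hidden from libc\n", dir, count_hidden_entries(dir));
    printf("%s: passwd view %s\n", user,
           passwd_inconsistent(user) == 1 ? "INCONSISTENT" : "consistent");
    return 0;
}
```

Run it as `./check /usr/lib zimadmin` on the suspect box, ideally from a statically linked binary copied in from a clean host, since a dynamically linked one would itself load whatever /etc/ld.so.preload names. The same raw-syscall read (`raw_read_file("/etc/ld.so.preload")`) is the honest way to see that file when `ls` and `cat` have been taught to deny it exists.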
