On Mon, 2006-07-31 at 11:53 +0200, Yuri Slobodyanyuk wrote:
> The console file itself looks like a legit config file dealing with fonts etc.
> Here's a reference: http://susefaq.sourceforge.net/faq/admin2.html
> So you mean that in spite of the message from OSSEC there's actually no load.zk
> present in /etc/sysconfig/ ? Strange indeed.

Not present after initial install, and not present when I check the alert a
couple of hours later.

> The second trigger for the Zk rootkit is the presence of a usr/bin/run
> executable; check if it exists.
> To double check you may run chkrootkit (www.chkrootkit.org); in fact it looks
> for the same triggers (load.zk and usr/bin/run).

/usr/bin/run is not there either. rkhunter and chkrootkit both come up empty.

> BTW, an interesting rootkit - there're dozens of requests on Google for more
> info about it and no answers so far. And here comes my question - does anyone
> have an idea where to look for it (in any form - binary, source code)?
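The exchange above boils down to a file-presence signature check: an alert fires when either of two paths that a particular rootkit is known to drop exists. The script below is an added example, not code from the OSSEC project, chkrootkit or anyone in this thread; it reimplements that kind of check in a way that can be pointed at a mounted image or a scratch tree rather than only the live root, and reports which trigger path actually matched, which is the first thing you want to know when an alert names one file and a manual look finds neither. The signature table layout is an assumption made for this example (it is not the format of OSSEC's rootkit_files.txt); the Zk entries are the two paths named in the thread, and `build_test_tree` plants constructed sample files so the check can be exercised offline.

```python
import os
import tempfile
from pathlib import Path

# Constructed signature table: rootkit name -> paths (relative to the root
# being checked) whose presence is taken as an indicator. The two Zk paths
# are the triggers named in the thread; the table format is an assumption
# for this example, not OSSEC's own signature file format.
SIGNATURES = {
    "Zk rootkit": [
        "etc/sysconfig/console/load.zk",
        "usr/bin/run",
    ],
}


def check_rootkit_files(root="/", signatures=SIGNATURES):
    """Return {rootkit_name: [absolute paths found]} for every signature
    with at least one matching path.

    `root` is the tree to inspect. Passing a mount point of a forensic
    image or a scratch directory lets the same check run without touching
    the live filesystem.
    """
    hits = {}
    base = Path(root)
    for name, rel_paths in signatures.items():
        found = []
        for rel in rel_paths:
            candidate = base / rel
            # lexists() rather than exists(): a dangling symlink left by a
            # dropper still counts as an indicator, while exists() would
            # follow the link and report nothing.
            if os.path.lexists(candidate):
                found.append(str(candidate))
        if found:
            hits[name] = found
    return hits


def build_test_tree(planted):
    """Create a fresh temporary directory tree containing the given relative
    paths as empty files (constructed sample data) and return its root.

    Used only to demonstrate the check offline; it stands in for a mounted
    image or a host under investigation.
    """
    root = tempfile.mkdtemp(prefix="rootcheck-")
    for rel in planted:
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return root


if __name__ == "__main__":
    # Live-system usage: report every signature with a matching path, and
    # list the matches so a single-trigger alert can be compared against
    # what is actually on disk.
    for rootkit, paths in check_rootkit_files("/").items():
        print(f"{rootkit}: {', '.join(paths)}")
```

Running it against a tree with only `etc/sysconfig/console/load.zk` planted reports the Zk signature with that one path, which mirrors the situation in the thread; against a clean tree it reports nothing. Because the check only looks at names, a legitimate distribution file at one of the signature paths (the poster's point about the console config) will fire just as a real dropper would, so a hit is a reason to inspect the file, not proof of compromise on its own.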
