On 11.06.2010 18:13, unsp...@hushmail.com wrote:
> Hello Udo,
> 
> On Fri, 11 Jun 2010 16:45:00 +0200 Udo Rader 
> <udo.ra...@bestsolution.at> wrote:
>> one of our servers had previously been compromised by a rootkit that
>> rkhunter did not detect (..) It says "Enjoy FloodBot based on
>> OverKill" (..)
> 
> Please see my post-mortem here: 
> http://ubuntuforums.org/showthread.php?t=1403787. 
> 
> 
>> Now that we removed it, I have a couple of files laying around here and
>> am willing to contribute if someone is interested in dissecting.
> 
> If contents and behaviour differ from what's posted in the 3-page 
> thread above please let me know, preferably by opening a ticket in 
> RKH's bug tracker at Sourceforge: 
> http://sourceforge.net/tracker/?atid=794187&group_id=155034&func=browse,
> TIA.

Hi unSpawn,

ok, I see you already have met the kit in question ;-)

From what I see, there is not much difference between the two
infections, except maybe that I only see 23 files (instead of the 25)
and maybe that the kit was installed in /tmp/lib. In there it was
further hidden inside a ".,." directory, giving /tmp/lib/.,.

Maybe just something to be added to "suspicious directories".

Regards

Udo

-- 
Udo Rader | CEO
BestSolution.at EDV Systemhaus GmbH | company
Eduard-Bodem-Gasse 5 | address
A-6020 Innsbruck | city
+43 512 935834 | phone
http://www.bestsolution.at | web
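
A check for the directory naming described in this message, added here as an example; it is not part of the original post and not rkhunter code. It lists directories whose names contain no letters or digits at all (such as ".,."); the function name find_odd_dirs and the roots in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not rkhunter code): flag directories whose names contain
# no letters or digits at all, e.g. ".,." or "...", under the given roots.
# Ordinary hidden directories such as ".cache" or ".X11-unix" are not flagged.

find_odd_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        # LC_ALL=C keeps [:punct:] and [:space:] limited to ASCII.
        # -xdev stays on one filesystem; -mindepth 1 skips the root itself.
        # The inner pattern matches names holding at least one character that
        # is neither punctuation nor whitespace; "!" inverts that match.
        LC_ALL=C find "$root" -xdev -mindepth 1 -type d \
            ! -name '*[![:punct:][:space:]]*' -print 2>/dev/null
    done
}

# Usage: sh find_odd_dirs.sh /tmp /var/tmp /dev/shm
if [ "$#" -gt 0 ]; then
    find_odd_dirs "$@"
fi
```

Run it as root so that unreadable subdirectories are not skipped silently.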

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
