On Wed, 02 Jul 2014 17:26:47 +0200 "Florin Mandache" <flo...@livec.co.uk> wrote:

>Hi guys:
>Some new rootkit kicking around:
>If you have this file in your system:
> /usr/lib/libppopen.so

Thanks for posting. I should point out that (even though I apparently missed the "/usr/lib/libppopen.so") RKH would have alerted you already for hash changes on passwd / group and binaries and specific files (`awk -F':' '/file:.*d.SSH/{print $2}' rkhunter`), as would any early warning systems like the audit service, Logwatch and Samhain, on account of replacing root-owned binaries requiring root privileges.

>Seems the hacker recompiled a new ssh version to capture all the
>passwords from a ssh session

Yes, I thought the script looked familiar. It's been around for a while.

Regards, unSpawn
---
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
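
The kind of check the reply above refers to (hash changes on passwd, group and binaries, plus the reported library path), as an added example that is not part of the original thread and is not rkhunter's own code. The function names, the path-prefix argument and the sample files are assumptions constructed for illustration; GNU or BusyBox `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example, not rkhunter code. A path prefix lets it run on a constructed tree.
INDICATOR="/usr/lib/libppopen.so"   # path reported in the thread

# Record SHA-256 hashes of files (paths relative to $1) in baseline file $2.
make_baseline() {
    root=$1; baseline=$2; shift 2
    ( cd "$root" && sha256sum "$@" ) > "$baseline"
}

# Print baseline entries whose hash changed or that vanished; return 1 if any.
# $2 must be an absolute path because the check runs from inside $1.
changed_files() {
    root=$1; baseline=$2
    report=$(cd "$root" && sha256sum -c "$baseline" 2>/dev/null | grep -v ': OK$' || true)
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report" | sed 's/: FAILED.*$//'
    return 1
}

# True when the reported library exists under prefix $1 ("" for the live system).
indicator_present() {
    [ -e "$1$INDICATOR" ]
}

# Demo on a constructed tree: take a baseline, then simulate the replaced binary.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/usr/sbin" "$t/usr/lib"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/etc/passwd"
    printf 'root:x:0:\n' > "$t/etc/group"
    printf 'constructed stand-in for sshd\n' > "$t/usr/sbin/sshd"
    make_baseline "$t" "$t/baseline.sha256" etc/passwd etc/group usr/sbin/sshd
    printf 'different build\n' > "$t/usr/sbin/sshd"    # binary swapped
    : > "$t/usr/lib/libppopen.so"                      # indicator dropped
    changed_files "$t" "$t/baseline.sha256" | sed 's/^/hash changed: /'
    if indicator_present "$t"; then echo "indicator present: $INDICATOR"; fi
    rm -rf "$t"
}
demo
```

A baseline is only useful if it was taken before the compromise and is stored where a root-level intruder cannot rewrite it.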