Root Kit Information
plug-discuss@lists.plug.phoenix.az.us
plug-discuss@lists.plug.phoenix.az.us
Wed, 23 Oct 2002 16:44:41 -0700
This box has been offline (actually powered off) for several weeks and I'm just now getting around to performing some
analysis on it. When I discovred some strange behavior with some of the system utils (ps, ls, etc) I became suspious
and pulled the network connection. After saving some static html files, I powered the unit off.
>From my reading on the web regarding ShowTee, I've confirmed everything you mentioned below. I believe they got in via
a vulnerable version of wu-ftpd. This server was running 2.6.0 (I believe).
Do you think that this root kit would be able to capture passwords from other hosts on the network? For example: while
this infected box was on the network, it captured the login password from the infected box. Could it have captured
passwords when I logged into another machine on the network?
I have changed passwords for all the boxes on the network just to be safe.
Thanks,
Peter
On 23 Oct 2002 at 15:03, Gary Nichols wrote:
> On Wed, 23 Oct 2002 az_pete@cactusfamily.com wrote:
> > Does anyone know if there is a website that has info about root kits. One of my servers was infected with the ShowTee
> > root kit. I did find some info about ShowTee by searching on google, but it wasn't as helpful as I'd have hoped.
> > I'm looking for something similar to Symantec's Virus Encyclopedia, where I can type in the name of a virus and I get
> > detailed info about how it spreads, what type of files it infects, how to clean it and any variants of the virus.
> > Is there such a site for root kits?
>
> I take it the server is offline now? Did you figure out how the attacker
> got the rootkit on your box?
>
> Showtee is a nasty kit. It lets the attacker plant ssh and telnet
> backdoors into systems.
>
> What's worse? It includes an ssh binary which captures login
> credentials that mails the captured booty to the attacker.
>
> Showtee is also bi-polar. Not only does it locate exploitable services
> and vulnerabilities on your system, it fixes them so other hax0rs can't
> take over your box while the attacker controls it.
>
>
> --
> Gary Nichols RHCE
> http://www.linuxchimp.com
>
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>