Found, a new rootkit

John Wendel john.wendel at metnet.navy.mil
Fri Mar 31 18:11:37 UTC 2006


Gene Heskett wrote:
> Greetings folks;
> 
> In doing some checking of a web server, we found an irc port open on 
> 31377, one of the black hatters' favorites.  A port that portsentry was 
> supposed to be rejecting but wasn't.
> 
> We stumbled over several items over the last few days, but the most 
> obvious one was a directory called .sk, located in /usr/share/misc.
> 
> Its payload seemed fairly simple, to make an underground irc chat server 
> out of the box.
> 
> It does this with a shell script that echoes several kilobytes of octal 
> strings to gzip in the unpack mode > to a file in the local directory 
> called .sk, and it contains a login replacement also.  We did not find 
> that login was the one installed however.  Which may be a clue that 
> there's even more smoke in this camp than what we've found yet.
> 
> The execution installs it by cp .sk /usr/bin/apmd, but puts it 
> in /usr/bin as opposed to the real apmd's location of /usr/sbin, and 
> adds a starter line so it's enabled on boot to something we haven't 
> found yet.  It also appears to start a third instance of portsentry 
> somehow.
> 
> We've cut our bandwidth use in half by getting rid of that.  We also 
> checked the logs and added several dozen more addresses 
> to /etc/hosts.deny, including many script based password guess attempts 
> that didn't get in.  And put portsentry in its most paranoid anal mode 
> with a few additions yet.
> 
> Just thought everybody would like to know about this bit of black hat 
> tomfoolery.
> 

Thanks for the heads-up!  Does rkhunter find this crap?

Regards,

John
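A defender's check for the indicators Gene lists above (the hidden /usr/share/misc/.sk directory, the apmd copy planted in /usr/bin instead of /usr/sbin, a boot-time starter line somewhere under /etc, and a listener on TCP 31377), written as an added example for this thread; it is not part of the original posts and not an rkhunter signature. It assumes a POSIX sh with find and grep, plus iproute2's ss for the live socket check; the root-prefix argument is an assumption added so the same functions can be pointed at a mounted disk image or a copied tree as well as at the running system.

```shell
#!/bin/sh
# Added example, not code from the fedora-list thread. Checks a filesystem
# (live root or a mounted image given as $1) for the indicators described
# in Gene's report. All paths are constructed from that report.

# 0 (true) if the hidden .sk directory exists under /usr/share/misc.
sk_dir_present() {
    root=${1:-/}
    [ -d "$root/usr/share/misc/.sk" ]
}

# 0 if an apmd binary sits in /usr/bin. The real apmd lives in /usr/sbin,
# so a copy in /usr/bin is the planted one.
rogue_apmd_present() {
    root=${1:-/}
    [ -f "$root/usr/bin/apmd" ]
}

# Prints every file under /etc that references /usr/bin/apmd; this is where
# the "starter line" Gene could not locate would have to live to run at boot.
startup_refs() {
    root=${1:-/}
    find "$root/etc" -type f -exec grep -l '/usr/bin/apmd' {} + 2>/dev/null || true
}

# Reads a socket listing on stdin (the format of `ss -ltn` or `netstat -ltn`)
# and returns 0 if a LISTEN entry for local TCP port 31377 is present.
listener_on_31377() {
    grep -q -E 'LISTEN.*:31377[[:space:]]|:31377[[:space:]].*LISTEN'
}

# Runs all checks against one root prefix, prints findings, and returns the
# number of indicator groups hit (0 means nothing found).
scan_root() {
    root=${1:-/}
    hits=0
    if sk_dir_present "$root"; then
        echo "FOUND: $root/usr/share/misc/.sk (hidden rootkit directory)"
        hits=$((hits + 1))
    fi
    if rogue_apmd_present "$root"; then
        echo "FOUND: $root/usr/bin/apmd (real apmd belongs in /usr/sbin)"
        hits=$((hits + 1))
    fi
    refs=$(startup_refs "$root")
    if [ -n "$refs" ]; then
        echo "FOUND: startup files referencing /usr/bin/apmd:"
        echo "$refs"
        hits=$((hits + 1))
    fi
    # The socket check only makes sense on the live system, not on an image.
    if [ "$root" = "/" ] && command -v ss >/dev/null 2>&1; then
        if ss -ltn | listener_on_31377; then
            echo "FOUND: TCP listener on port 31377"
            hits=$((hits + 1))
        fi
    fi
    return "$hits"
}

# Usage: sh find_sk.sh [ROOT]   e.g. sh find_sk.sh / or sh find_sk.sh /mnt/suspect
if [ "$#" -gt 0 ]; then
    scan_root "$1"
fi
```

The exit status is the number of indicator groups found, so it drops straight into a cron job or a post-mortem checklist. Because every test is by path and port, a copy under a different name or a listener moved to another port slips past it; that is the limit of an indicator check, and the answer to the rkhunter question is the same: pair it with package verification (`rpm -V` on a Fedora box) so the planted binary is caught by what it is, not by where it was put.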




More information about the fedora-list mailing list