[techtalk] [Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET]
Mary Gardiner
mary at puzzling.org
Sat Mar 24 11:12:02 EST 2001
On Fri, Mar 23, 2001 at 04:34:37PM -0600, Melissa Plunkett wrote:
> > The t0rn rootkit replaces several binaries on the system in order to
> > stealth itself. Here are the binaries that it replaces:
> >
> > du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
> > ps, pstree, top
For people who aren't familiar with rootkits, this means that these
binaries won't show any suspisious processes or files running.
The only box I've seen rootkited with t0rn had a very high port open
running ssh though, so perhaps nmap could tell you something.
If you suspect a box is rooted, get it off the net fast, get some fresh
binaries of the afore mentioned programs and have a dig around. Then
you'll probably want to reinstall, secure and change passwords.
Incidently, if you have a box on a semi-permanent (cable) or permanent
IP address, you should have learnt about securing a box - shutting down
processes and closing ports. If none of those words are familiar to you,
and neither are the words portmap, nfs, or BIND you very probably have a
vulnerable box.
Mary.
--
Mary Gardiner
<mary at puzzling.org>
GPG Key ID: 77625870
More information about the Techtalk
mailing list