
[ossec-list] Re: ZK Rootkit



On Mon, 2006-07-31 at 11:53 +0200, Yuri Slobodyanyuk wrote:
> The console file itself looks like a legit config file dealing with fonts etc.
> Here's a reference: http://susefaq.sourceforge.net/faq/admin2.html
> So you mean that in spite of the message from OSSEC there's actually no load.zk present in /etc/sysconfig/ ? Strange indeed.

Not present after initial install, and not present when I check the
alert a couple of hours later.


> The second trigger for the Zk rootkit is the presence of a usr/bin/run executable, check if it exists.
> To double check you may run chkrootkit (www.chkrootkit.org), in fact it looks for the same triggers (load.zk and usr/bin/run).

/usr/bin/run is not there either.  rkhunter and chkrootkit both come up
empty.


> 
> BTW An interesting rootkit - there're dozens of requests on Google for more info about it and no answers so far. And here comes my question - does anyone have an idea where to look for it (in any form - binary, source code)?



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.