[ossec-list] Re: ZK Rootkit
The console file itself looks like a legit config file dealing with fonts etc.
Here's a reference: http://susefaq.sourceforge.net/faq/admin2.html

So you mean that in spite of the message from OSSEC there's actually no load.zk
present in /etc/sysconfig/? Strange indeed.

The second trigger for the ZK rootkit is the presence of a usr/bin/run
executable; check if it exists.

To double check you may run chkrootkit (www.chkrootkit.org); in fact it looks
for the same triggers (load.zk and usr/bin/run).

BTW, an interesting rootkit: there're dozens of requests on Google for more
info about it and no answers so far. And here comes my question: does anyone
have an idea where to look for it (in any form, binary or source code)?
----- Original Message -----
> I'm using a preview version of SUSE SLED 10.
> Here is the alert:
> <clip>
>
> ** Alert 1154021500.0: mail
> 2006 Jul 27 12:31:40 Suse10-1->rootcheck
> Rule: 14 (level 8) -> 'Rootkit detection engine message'
> Src IP: (none)
> User: (none)
> Rootkit 'ZK' detected by the presence of file
> '/etc/sysconfig/console/load.zk'.
>
> </clip>
>
> The contents of the file (it's not a directory)
> at /etc/sysconfig/console are:
>
> <clip>
>
> ## Path: Hardware/Console
> ## Description: Text console settings (see also Hardware/Keyboard)
> ## Type: string
> ## Default: ""
> ## ServiceRestart: kbd
> #
> # Console settings.
> # Note: The KBD_TTY setting from Hardware/Keyboard (sysconfig/keyboard)
> # also applies for the settings here.
> #
> # Load this console font on bootup:
> # (/usr/share/kbd/consolefonts/)
> #
> CONSOLE_FONT="lat9w-16.psfu"
>
> ## Type: string
> ## Default: ""
> #
> # Some fonts come without a unicode map.
> # (.psfu fonts supposedly have it, others often not.)
> # You can then specify the unicode mapping of your font
> # explicitly. (/usr/share/kbd/unimaps/)
> # Normally not needed.
> #
> CONSOLE_UNICODEMAP=""
>
> ## Type: string
> ## Default: ""
> #
> # Most programs output 8 bit characters, so you need a table to
> # translate those characters into unicode. That one can be specified
> # here. (/usr/share/kbd/consoletrans/)
> # (Note: If your console is in utf-8 mode you don't need this.)
> # If your code does not use a unicode mapping at all (because you
> # e.g. explicitly specified UNICODEMAP="none") you may circumvent
> # the translation via unicode, but load a map which directly maps
> # 8 bit output of your program to a font position.
> #
> CONSOLE_SCREENMAP="trivial"
>
> ## Type: string
> ## Default: ""
> #
> # for some fonts the console has to be initialized with CONSOLE_MAGIC.
> # CONSOLE_MAGIC can be empty or have the values "(B", ")B", "(K" or ")K".
> # Normally not needed (automatically handled by setfont).
> #
> CONSOLE_MAGIC="(K"
> ## Path: System/Console/Framebuffer
> ## Description: Framebuffer configuration
> ## Type: string
> ## Default: ""
> #
> # You may want to load a framebuffer display driver into your kernel
> # in order to be able to change graphics modes etc. with fbset in
> # console mode.
> #
> # Notes: Most people won't enter anything here, as:
> # * it won't work if you have vesafb already active
> # * its advantageous to have fb support compiled into your kernel
> # * Some XFree86 drivers (especially in XFree86-4.x) don't work
> # too well, if you enable framebuffer text mode.
> #
> # Example:
> # FB_MODULES="matroxfb_base vesa=0x182 fv=85 matroxfb_maven matroxfb_crtc2"
> #
> FB_MODULES=""
>
> ## Type: string
> ## Default: ""
> #
> # In case your kernel has framebuffer support (or you loaded the framebuffer
> # support into your kernel as a module above), you may want to change the
> # resolution or other parameters. This is done by specifying the parameters
> # to fbset. Use a mode from /etc/fb-modes and additional parameters as
> # -a, -depth <BPP>, -vyres <VYRES>, ... (See fbset manpage and/or fbset -h).
> #
> # Notes:
> # * vesafb does not (currently) support changing the display mode
> # * BEWARE! Don't set modes your monitor can't do. Watch out for the maximum
> # horizontal frequency. Old monitors might even be damaged if you exceed
> # their capabilities.
> #
> # Example:
> # FBSET_PARAMS="-a -depth 16 768x576-90 -vyres 10240"
> #
> FBSET_PARAMS=""
>
> # Encoding used for output of non-ascii characters.
> #
> CONSOLE_ENCODING="UTF-8"
>
> </clip>
>
> Thanks,
> Joe
>
> On Sun, 2006-07-30 at 19:51 -0300, Daniel Cid wrote:
> > Which operating system are you using (uname -a)? I never saw any
> > system using this
> > file load.zk, but it can be a false positive (it happened before with
> > other files). Can you also show us the content of it?
> >
> > Thanks for the report.
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 7/30/06, Joe Barr <joe@xxxxxxxxxxxx> wrote:
> > >
> > >
> > > Has anyone seen false positives on a ZK Rootkit alert referring
> > > to /etc/sysconfig/console/load.zk? I've gotten it twice on a brand new
> > > installation, with nothing having been done other than to install
> > > OSSEC-HIDS.
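
As an added example (not code from OSSEC rootcheck, chkrootkit, or anyone on this thread), here is a small POSIX shell script that re-checks the two ZK trigger paths named above, /etc/sysconfig/console/load.zk and /usr/bin/run, and says why a path is absent. The point it makes is the one Joe's report turns on: when /etc/sysconfig/console is a regular file, the path /etc/sysconfig/console/load.zk cannot exist at all, so a "detected by the presence of file" alert for it needs a second look rather than an incident response. The optional ROOT prefix, the spelling of the second trigger with a leading slash, and the test tree built from a few constructed lines are my assumptions so the check can be run offline against a copied or mounted filesystem.

```shell
#!/bin/sh
# Added example, not OSSEC rootcheck or chkrootkit code.  Re-checks the two
# ZK trigger paths quoted in the thread and reports why a path is absent.
# Assumptions: the second trigger is /usr/bin/run (the reply writes it
# without the leading slash), and an optional ROOT prefix lets the check run
# against a mounted image or a constructed test tree instead of the live host.

# classify_path PATH -> prints one word:
#   present         PATH exists: a genuine trigger hit, inspect the file
#   parent-not-dir  an ancestor exists but is not a directory, so PATH cannot
#                   exist at all (stat() fails with ENOTDIR, not ENOENT)
#   absent          nothing on that path exists
# Always returns 0 so it is safe inside $(...) under set -e.
classify_path() {
    p=$1
    if [ -e "$p" ]; then
        echo present
        return 0
    fi
    d=$(dirname "$p")
    while [ "$d" != / ] && [ "$d" != . ]; do
        if [ -e "$d" ] && [ ! -d "$d" ]; then
            echo parent-not-dir
            return 0
        fi
        d=$(dirname "$d")
    done
    echo absent
    return 0
}

# zk_check [ROOT] -> prints one line per trigger; returns 0 only if at least
# one trigger really exists, 1 otherwise.
zk_check() {
    root=${1:-}
    root=${root%/}          # "/" becomes "", so "$root$t" stays absolute
    hit=1
    for t in /etc/sysconfig/console/load.zk /usr/bin/run; do
        status=$(classify_path "$root$t")
        printf '%-45s %s\n' "$root$t" "$status"
        if [ "$status" = present ]; then
            hit=0
        fi
    done
    return $hit
}

# Stand-alone use:  sh zkcheck.sh /      (or the mount point of a suspect image)
if [ -n "${1:-}" ]; then
    if zk_check "$1"; then
        echo "ZK trigger really present: inspect the file(s) listed above"
    else
        echo "no ZK trigger really present on this tree"
    fi
fi
```

A "present" result for /usr/bin/run still only means a file of that name exists; look at what it is (file, ldd, package ownership) before calling it a rootkit, since a legitimate package could ship a binary by that name. A "parent-not-dir" result is the case from this thread and is worth reporting back to the rootcheck maintainers together with the output of ls -ld on the parent path.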
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.