Information about the Bobkit Rootkit
"Bobkit appears to be a rootkit; a collection of programs installed on a system once an attacker
has acquired root access on an attacked system. This one appears to include an ssh backdoor, an adore
Linux kernel module and a Tribe Flood Net slave.
It is able to update itself by downloading new versions or additional code from two known URLs
at free web site hosting companies. Both companies have been contacted and have verified that the
sites in question have been disabled, preventing future bobkits from updating themselves from these sites.
Recent versions of the kit install themselves to "/usr/include/..." (note the three dots). Older versions
installed themselves to /tmp/.bkp . /usr/include/... is the home directory for the attackers' logins."
The complete analysis (by William Stearns) is at the link below:
http://www.ossec.net/rootkits/studies/bobkit.txt
Files to search:
- /usr/include/.../
- /usr/lib/.../
- /usr/sbin/.../
- /usr/bin/ntpsx
- /tmp/.bkp
- *bkit-
*Entries marked with an "*" are file name patterns and need to be searched for across the whole system
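As an added example (not OSSEC's own rootcheck code), the check below looks for the indicators listed above under a given root directory, so it can also be run against a mounted disk image. The fixed paths are the page's; treating "*bkit-" as "any file name containing bkit-" is an assumption.

```shell
#!/bin/sh
# Added example, not OSSEC's own code: scan for the Bobkit indicators
# listed above. Usage: bobkit_check [root]   (root defaults to "/")

bobkit_check() {
    root="${1:-/}"
    root="${root%/}"          # "/" -> "" so "$root$p" stays absolute
    hits=0

    # Fixed locations from the description: note the literal three-dot
    # directory names, which are easy to overlook in a listing.
    for p in "/usr/include/..." "/usr/lib/..." "/usr/sbin/..." \
             "/usr/bin/ntpsx" "/tmp/.bkp"; do
        if [ -e "$root$p" ]; then
            echo "HIT: $root$p"
            hits=$((hits + 1))
        fi
    done

    # The starred entry is a name fragment (assumption: match it anywhere
    # in the file name), so walk the whole tree for it.
    matches=$(find "${root:-/}" -name '*bkit-*' 2>/dev/null)
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches" | sed 's/^/HIT: /'
        hits=$((hits + $(printf '%s\n' "$matches" | wc -l)))
    fi

    # Last line is the summary; "TOTAL: 0" means nothing was found.
    echo "TOTAL: $hits"
}
```

A clean system should report "TOTAL: 0"; any HIT line names a path that warrants an offline comparison against known-good binaries, since the kit also ships a kernel module that can hide files from a live system.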
**If you have any more information, send it to: mail1, or to mail2.
$RootCheck: bobkit.php ,v 1.0 2003/12/02, Daniel B. Cid$