Information about the illogic Rootkit

This rootkit was found in some honeypots and in some production systems.
Its a complete rootkit which bind port 901 for a ssh backdoor,
trojaned the telnet (DISPLAY) and trojaned the ping, su, passwd and
some other binaries. It uses the Adore rootkit to hide itself,
and also unset the HISTFILE/HISTSAVE and export the HISTFILE to /dev/null


Download: illogic.tar.gz d87e97dcc23ea6396275d6d919e91bcc

Files to search:

• lib/security/.config
• usr/bin/sia
• etc/ld.so.hash
• *uconf.inv

Openned ports used by illogic:

• 23 (telnet)
• 901 (trojaned version of ssh)

*All files with an "*" need to be search in all system
**If you have any more information, send to: mail1, or to mail2.




$RootCheck: illogic.php ,v 1.0 2003/10/16, Daniel B. Cid$