Information about LRK (Linux Rootkits)

The LRK is a very famous rootkit used to infect Linux systems. It
have a lot of versions (3,4,5) and has been in the wild since 1997 (if
i am not wrong). The main purpose of this rootkit is to infect some
binaries of the system to hide the "cracker" presence.
More info about the LRK can be found in this link:
http://www.ossec.net/rootkits/studies/lrk5.txt
The README file from lrk4 can be found here
The README file from lrk5 can be found here

Downloads:
lrk4.src c2f886c7af1e6318f79460ff0ffe4f5e
lrk5.src e18b708650f7dc4cca447df33d09740f

Files to search:

• /dev/ida/.inet
• *bindshell

Ports used by LRK:

• 37337

Binaries to search:

• bindshell
• chfn
• chsh
• crontab
• du
• find
• fix
• ifconfig
• inetd
• killall
• linsniffer
• login
• ls
• netstat
• passwd
• pidof
• ps
• rshd
• sniffchk
• syslogd
• tcpd
• top
• wted
• z2

*All files with an "*" need to be search in all system
**If you have any more information, send to: mail1, or to mail2.




$RootCheck: lrk.php ,v 1.0 2003/10/16, Daniel B. Cid$