[Dshield] Laba Rootkit

Kevin Old kold at kold.homelinux.com
Tue Feb 3 15:47:06 GMT 2004


Hello everyone,

I had a system hacked last night running a custom version of RH 7.2. 
Seems the user came in via another user over SSH (not sure how).  Then
downloaded a rootkit from a server in Romania and started running it. 
I was able to kick him off and kill the processes under him.  From
/var/log/messages he made several attempts to obtain root but they were
not successful.  I did get the .bash_history and saw the commands he was
running.  I have run chkrootkit to see what is there and it reports that
nothing is infected.

With that said I can't seem to find any info on the Laba rootkit.  Of
course, I'm not expecting him to appropriately name the rootkit, but
that's all I have to go by.

Just wondering if anyone has any suggestions for this particular rootkit
or any suggestions on what to look for in discovering how access to the
machine was obtained.

Thanks,
Kevin
-- 
Kevin Old <kold at kold.homelinux.com>