[Dshield] Laba Rootkit

Chuck Lewis clewis at iquest.net
Tue Feb 3 17:58:33 GMT 2004


Kevin,

Did you try a Google search?

I did and got:

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=Laba+rootkit&btnG=Google+Search

but I have NO idea what language that is. And babelfish doesn't understand
it either...

Chuck

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Kevin Old
Sent: Tuesday, February 03, 2004 10:47 AM
To: list at dshield.org
Subject: [Dshield] Laba Rootkit

Hello everyone,

I had a system hacked last night running a custom version of RH 7.2. 
Seems the user came in via another user over SSH (not sure how).  Then
downloaded a rootkit from a server in Romania and started running it. 
I was able to kick him off and kill the processes under him.  From
/var/log/messages he made several attempts to obtain root but they were
not successful.  I did get the .bash_history and saw the commands he was
running.  I have run chkrootkit to see what is there and it reports that
nothing is infected.

With that said I can't seem to find any info on the Laba rootkit.  Of
course, I'm not expecting him to appropriately name the rootkit, but
that's all I have to go by.

Just wondering if anyone has any suggestions for this particular rootkit
or any suggestions on what to look for in discovering how access to the
machine was obtained.

Thanks,
Kevin
-- 
Kevin Old <kold at kold.homelinux.com>
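Kevin asks what to look for when working out how access was obtained. As an added example (not from anyone in this thread), here is a small Python triage script that pulls accepted SSH logins and failed root attempts (via su and via sshd) out of syslog-style /var/log/messages lines and flags users who logged in from more than one address; the hostname, users, addresses and log lines are constructed and only approximate the wording of a RH 7.2 syslog.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog style (hostname "web1", users and
# addresses are made up); real sshd/PAM wording on RH 7.2 may differ slightly.
SAMPLE_LOG = """\
Feb  3 01:58:12 web1 sshd[2231]: Accepted password for bob from 192.0.2.77 port 4410 ssh2
Feb  3 02:03:40 web1 sshd[2298]: Accepted password for bob from 198.51.100.9 port 1133 ssh2
Feb  3 02:05:02 web1 su(pam_unix)[2310]: authentication failure; logname=bob uid=500 euid=0 tty= ruser=bob rhost=  user=root
Feb  3 02:05:19 web1 su(pam_unix)[2312]: authentication failure; logname=bob uid=500 euid=0 tty= ruser=bob rhost=  user=root
Feb  3 02:07:55 web1 sshd[2340]: Failed password for root from 198.51.100.9 port 1140 ssh2
Feb  3 08:30:01 web1 CROND[2600]: (root) CMD (run-parts /etc/cron.hourly)
"""

TS = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
SU_FAIL = re.compile(TS + r"su\S*\[\d+\]: authentication failure;.*logname=(?P<user>\S+).*user=(?P<target>\S+)")
SSH_FAIL = re.compile(TS + r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def triage(log_text):
    """Return successful SSH logins, failed attempts to become root, and
    users seen logging in from more than one source address."""
    logins, failures, sources = [], [], defaultdict(set)
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            logins.append((m["ts"], m["user"], m["ip"]))
            sources[m["user"]].add(m["ip"])
            continue
        m = SU_FAIL.search(line)
        if m and m["target"] == "root":
            failures.append((m["ts"], "su", m["user"]))
            continue
        m = SSH_FAIL.search(line)
        if m and m["user"] == "root":
            failures.append((m["ts"], "ssh", m["ip"]))
    # An account used from several addresses in a short window is worth a
    # closer look (a shared or stolen password is one common explanation).
    multi = {u: sorted(ips) for u, ips in sources.items() if len(ips) > 1}
    return {"logins": logins, "root_failures": failures, "multi_source_users": multi}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run it against the real file instead of SAMPLE_LOG and compare the timestamps with the ones in the recovered .bash_history to line up the login with the rootkit download.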
