[Dshield] Laba Rootkit

Coyle, Brian Brian.Coyle at disney.com
Tue Feb 3 18:02:45 GMT 2004


On Tuesday, February 03, 2004 10:47, Kevin Old [mailto:kold at kold.homelinux.com] wrote:

> I had a system hacked last night running a custom version of RH 7.2. 
> Seems the user came in via another user over SSH (not sure how).  Then
> downloaded a rootkit from a server in Romania and started running it.

Boy that sounds familiar...

	http://honeynet.org/scans/scan29/sol/bcoyle/SotM29-BrianCoyle.pdf

  ;)     

[snip]

> I did get the .bash_history and saw the commands he was running.

Can you share those commands?


> I have run chkrootkit to see what is there and it reports that
> nothing is infected.

You might have a Loadable Kernel Module (LKM) rootkit.  These can hide from
tools like chkrootkit because they live in the kernel.


> With that said I can't seem to find any info on the Laba rootkit.  Of
> course, I'm not expecting him to appropriately name the rootkit, but
> that's all I have to go by.

Do you have a tarball or listing of the files in the rootkit to share?
Have you searched for any of those names?   Does the rootkit include any
source code?  Try searching on comments within.

HTH!
                                    -- Brian, GCIA
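The point Brian makes about LKM rootkits is that a kernel-resident module can filter what /proc reports, and every userland scanner that reads /proc (chkrootkit included) then sees the filtered view. A cheap defender's counter-check is to obtain the same fact two different ways and diff the answers. The script below is an added example, not part of this e-mail thread and not tied to whatever the "Laba" kit actually does; it assumes a Linux host with /proc and /sys mounted, and that the hiding technique is directory-listing filtering (one common approach, not the only one). The comparison functions are pure so they can be exercised with constructed data; the live collectors only work on Linux.

```python
"""Cross-view checks for hidden processes and kernel modules on Linux.

Added example (not from the original mailing-list post). Two views of the
same fact are collected and diffed: a rootkit that filters one view often
forgets the other. A module that scrubs itself from every view still
passes, so a clean result is a weak signal, not a clean bill of health.
"""
import os


# --- pure comparison logic (testable offline) -------------------------------

def hidden_entries(listed, probed, is_thread=lambda pid: False):
    """PIDs that answer a direct probe but are missing from the listing.

    Thread IDs are excluded: kill(tid, 0) succeeds for a thread, while
    /proc only enumerates thread-group leaders, so raw set difference
    would report every thread of every multithreaded process.
    """
    return sorted(pid for pid in probed - listed if not is_thread(pid))


def hidden_modules(proc_modules, sysfs_modules):
    """Module names present in sysfs but absent from /proc/modules."""
    return sorted(sysfs_modules - proc_modules)


# --- live collectors (Linux only) ------------------------------------------

def list_proc_pids():
    """View 1: what readdir() on /proc reports (easy for an LKM to filter)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def probe_pids(max_pid=65536):
    """View 2: ask about each candidate PID individually with kill(pid, 0).
    A module that only filters directory listings still answers here."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            found.add(pid)  # exists, owned by another user
        else:
            found.add(pid)
    return found


def is_thread_id(pid):
    """True when /proc/<pid>/status says this ID is a thread, not a
    process (Tgid differs). Unreadable status keeps the ID as suspect."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def proc_modules():
    """Module names as /proc/modules (and therefore lsmod) reports them."""
    with open("/proc/modules") as fh:
        return {line.split()[0] for line in fh if line.strip()}


def sysfs_modules():
    """Loaded modules according to /sys/module; built-in code has no
    'initstate' attribute there, so that file marks a loadable module."""
    base = "/sys/module"
    return {name for name in os.listdir(base)
            if os.path.exists(os.path.join(base, name, "initstate"))}


def live_report():
    """Run both cross-view checks against the running host."""
    return {
        "hidden_pids": hidden_entries(list_proc_pids(), probe_pids(), is_thread_id),
        "hidden_modules": hidden_modules(proc_modules(), sysfs_modules()),
    }


if __name__ == "__main__":
    print(live_report())
```

Run it as root so the probe loop is not truncated by permission errors; anything in `hidden_pids` or `hidden_modules` deserves a look with offline tooling (boot from trusted media and examine the disk), since a kernel that is lying about one list can lie about others too.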
