[Dshield] Laba Rootkit

Deb Hale haled at pionet.net
Tue Feb 3 19:32:39 GMT 2004

Click on the "In English Please" and it converts for you on the first one


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Chuck Lewis
Sent: Tuesday, February 03, 2004 11:59 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Laba Rootkit


Did you try a Google search?

I did and got:


but I have NO idea what language that is. And babelfish doesn't understand
it either...


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Kevin Old
Sent: Tuesday, February 03, 2004 10:47 AM
To: list at dshield.org
Subject: [Dshield] Laba Rootkit

Hello everyone,

I had a system hacked last night running a custom version of RH 7.2. 
Seems the user came in via another user over SSH (not sure how).  Then
downloaded a rootkit from a server in Romania and started running it.
I was able to kick him off and kill the processes under him.  From
/var/log/messages he made several attempts to obtain root but they were not
successful.  I did get the .bash_history and saw the commands he was
running.  I have run chkrootkit to see what is there and it reports that
nothing is infected.

With that said I can't seem to find any info on the Laba rootkit.  Of
course, I'm not expecting him to appropriately name the rootkit, but that's
all I have to go by.

Just wondering if anyone has any suggestions for this particular rootkit or
any suggestions on what to look for in discovering how access to the machine
was obtained.

Kevin Old <kold at kold.homelinux.com>

