[Dshield] Laba Rootkit

Deb Hale haled at pionet.net
Tue Feb 3 19:45:37 GMT 2004


The second is Romanian.  I of course can't read Romanian so I have no clue
what it says.  Anyone do Romanian????  This may be the key to what the deal
is - beings the server involved was in Romania.



Deb

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Chuck Lewis
Sent: Tuesday, February 03, 2004 11:59 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Laba Rootkit


Kevin,

Did you try a Google search ?

I did and got:

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=Laba+rootkit&btnG=Google+Search

but I have NO idea what language that is. And babelfish doesn't understand
it either...

Chuck

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Kevin Old
Sent: Tuesday, February 03, 2004 10:47 AM
To: list at dshield.org
Subject: [Dshield] Laba Rootkit

Hello everyone,

I had a system hacked last night running a custom version of RH 7.2. 
Seems the user came in via another user over SSH (not sure how).  Then
downloaded a rootkit from a server in Romania and started running it.
I was able to kick him off and kill the processes under him.  From
/var/log/messages he made several attempts to obtain root but they were not
successful.  I did get the .bash_history and saw the commands he was
running.  I have run chkrootkit to see what is there and it reports that
nothing is infected.

With that said I can't seem to find any info on the Laba rootkit.  Of
course, I'm not expecting him to appropriately name the rootkit, but that's
all I have to go by.

Just wondering if anyone has any suggestions for this particular rootkit or
any suggestions on what to look for in discovering how access to the machine
was obtained.

Thanks,
Kevin
-- 
Kevin Old <kold at kold.homelinux.com>

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list