[Dshield] Laba Rootkit

Chuck Lewis clewis at iquest.net
Tue Feb 3 20:52:52 GMT 2004


Duh - thanks Deb. I didn't even click on any past that first page...

Chuck

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Deb Hale
Sent: Tuesday, February 03, 2004 2:33 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Laba Rootkit

Click on the "In English Please" and it converts for you on the first one
"http://www.cert.hr/ispis_vijesti.php?y=2002&m=09"

Deb


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Chuck Lewis
Sent: Tuesday, February 03, 2004 11:59 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] Laba Rootkit


Kevin,

Did you try a Google search ?

I did and got:

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=Laba+rootkit&btnG=Google+Search

but I have NO idea what language that is. And babelfish doesn't understand
it either...

Chuck

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Kevin Old
Sent: Tuesday, February 03, 2004 10:47 AM
To: list at dshield.org
Subject: [Dshield] Laba Rootkit

Hello everyone,

I had a system hacked last night running a custom version of RH 7.2. 
Seems the user came in via another user over SSH (not sure how).  Then
downloaded a rootkit from a server in Romania and started running it.
I was able to kick him off and kill the processes under him.  From
/var/log/messages he made several attempts to obtain root but they were not
successful.  I did get the .bash_history and saw the commands he was
running.  I have run chkrootkit to see what is there and it reports that
nothing is infected.

With that said I can't seem to find any info on the Laba rootkit.  Of
course, I'm not expecting him to appropriately name the rootkit, but that's
all I have to go by.

Just wondering if anyone has any suggestions for this particular rootkit or
any suggestions on what to look for in discovering how access to the machine
was obtained.

Thanks,
Kevin
-- 
Kevin Old <kold at kold.homelinux.com>
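As an added illustration of Kevin's question about what to look for in /var/log/messages (this is not code from any poster on the thread), the script below pulls out the three things his account turns on: which SSH logins sshd accepted and from where, how many times each user failed `su` to root, and which `su` sessions actually opened. The log lines are constructed samples in the RH 7.2-era sshd/pam_unix syslog style, not lines from Kevin's system.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/messages lines (sshd + su via pam_unix), not from the real host.
SAMPLE_MESSAGES = """\
Feb  2 22:14:03 host sshd[1120]: Accepted password for alice from 10.0.0.5 port 40212 ssh2
Feb  2 22:14:03 host sshd(pam_unix)[1120]: session opened for user alice by (uid=0)
Feb  2 22:31:47 host su(pam_unix)[1188]: authentication failure; logname=alice uid=500 euid=0 tty=pts/1 ruser=alice rhost=  user=root
Feb  2 22:32:02 host su(pam_unix)[1190]: authentication failure; logname=alice uid=500 euid=0 tty=pts/1 ruser=alice rhost=  user=root
Feb  2 22:40:10 host sshd[1205]: Accepted publickey for bob from 192.0.2.9 port 51003 ssh2
Feb  2 22:45:55 host su(pam_unix)[1250]: session opened for user root by bob(uid=501)
"""

TS = r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ '
# sshd: who got in, how (password/publickey) and from which address
ACCEPT_RE = re.compile(TS + r'sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port')
# su failures: note "\suser=" so that "ruser=" is not mistaken for the target account
SU_FAIL_RE = re.compile(TS + r'su\(pam_unix\)\[\d+\]: authentication failure;.*?logname=(\S+).*?\suser=(\S+)')
# su successes: a root session opened for one account by another
SU_OK_RE = re.compile(TS + r'su\(pam_unix\)\[\d+\]: session opened for user (\S+) by (\S+)\(uid=\d+\)')


def triage(text):
    """Summarise SSH logins and su activity from syslog text; returns a dict of findings."""
    logins, su_failed, su_opened = [], defaultdict(int), []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            logins.append({"time": m.group(1), "method": m.group(2), "user": m.group(3), "src": m.group(4)})
            continue
        m = SU_FAIL_RE.match(line)
        if m:
            su_failed[(m.group(2), m.group(3))] += 1   # (who tried, target account) -> attempt count
            continue
        m = SU_OK_RE.match(line)
        if m:
            su_opened.append({"time": m.group(1), "target": m.group(2), "by": m.group(3)})
    return {"logins": logins, "su_failed": dict(su_failed), "su_opened": su_opened}


if __name__ == "__main__":
    report = triage(SAMPLE_MESSAGES)
    for entry in report["logins"]:
        print("ssh login: %(user)s via %(method)s from %(src)s at %(time)s" % entry)
    for (who, target), n in report["su_failed"].items():
        print("su failures: %s -> %s, %d attempt(s)" % (who, target, n))
    for entry in report["su_opened"]:
        print("su session: %(target)s opened by %(by)s at %(time)s" % entry)
```

Running it against a real /var/log/messages (read the file and pass its text to `triage`) lets you correlate each accepted login's source address and method with the `su` attempts that followed, which is the trail Kevin describes seeing by hand.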

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
