[DShield] Laba Rootkit
brian at linuxwidows.com
Wed Feb 4 04:17:39 GMT 2004
On Tue Feb 3 15:47:06 UTC 2004, Kevin Old wrote:
> I had a system hacked last night running a custom version of RH 7.2.
> With that said I can't seem to find any info on the Laba rootkit.
Based on a quick analysis of the binary Kevin provided offlist, I believe
this is the source code of the exploit-
Note the matches with the strings output below (especially the misspelling
The bash_history Kevin provided shows the binary was obtained with-
That file is still available and is identical to the one Kevin sent.
brian at honeypot:~/laba$ ls -l laba*.tgz
-rw-r--r-- 1 brian brian 9142 Feb 3 21:14 laba-orig.tgz
-rw-r--r-- 1 brian brian 9142 Feb 2 12:13 laba.tgz
brian at honeypot:~/laba$ cmp laba.tgz laba-orig.tgz
There were other files that Kevin needs to investigate, but I think
'laba' has been identified. ;)
brian at honeypot:~/laba$ strings laba | more
[+] PID %d GOT UID 0, enjoy!
[!] parent check race...
SUCCESS, cought SLAB page!
[+] Please wait...HEAVY SYSTEM LOAD!
%u of %u [ %u %% ETA %6.1f s ]
[+] overflow done, the moment of truth...
"We choose to go to the moon, and do the other things...
Not because they are easy, but because they are hard." -JFK
"We choose to explore space because doing so improves our
lives and lifts our national spirit." -GWB 2004-01-14
Comment: Brian Coyle, GCIA http://www.giac.org/GCIA.php
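The identification above rests on two checks: a byte-for-byte comparison of the recovered tarball against the download (cmp prints nothing when the files are identical) and a scan of the binary for the printable strings quoted in the post. The following script is an added example, not Brian's or Kevin's code, that reproduces both checks in Python: it extracts printable runs the way GNU strings does by default (ASCII 0x20-0x7e plus tab, minimum length 4), matches them against marker strings taken from the strings output in the post, and compares two blobs by length and SHA-256. The ELF-like sample blob is constructed for the demonstration.

```python
import hashlib

# Printable set used by GNU strings by default: graphic ASCII, space and tab.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09}

# Marker substrings copied from the `strings laba` output quoted in the post,
# including the "cought" misspelling the author points at.
LABA_MARKERS = (
    b"GOT UID 0, enjoy!",
    b"cought SLAB page!",
    b"overflow done, the moment of truth",
)


def extract_strings(data, min_len=4):
    """Return runs of at least min_len printable bytes, like `strings -n 4`."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(bytes(run))
        run = bytearray()
    if len(run) >= min_len:          # flush a run that ends at EOF
        found.append(bytes(run))
    return found


def match_markers(data, markers=LABA_MARKERS):
    """Markers that appear inside any extracted string of the blob."""
    strings = extract_strings(data)
    return [m for m in markers if any(m in s for s in strings)]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def identical(a, b):
    """Same verdict as a silent `cmp a b`: equal length and equal SHA-256."""
    return len(a) == len(b) and sha256_hex(a) == sha256_hex(b)


# Constructed sample blob: an ELF-like header, padding, and two marker strings
# separated by non-printable bytes. Not a real binary.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
          + b"[+] PID %d GOT UID 0, enjoy!\x00" + b"\x90\x90"
          + b"SUCCESS, cought SLAB page!\x00\xff")

if __name__ == "__main__":
    print(sha256_hex(SAMPLE))
    for s in extract_strings(SAMPLE):
        print(s.decode("ascii"))
    print(match_markers(SAMPLE))
```

Run it against the recovered binary and the fresh download by reading both files as bytes; a non-empty marker list plus a True from identical() is the same evidence the post presents.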