[Dshield] dump/restore timestamps on trojaned binaries

Golden_Eternity bswopes at bhodisoft.com
Sun May 29 19:53:40 GMT 2005


I have a dump of a compromised system that I've been poking around in.
One of the odd things I've discovered is that the atime, mtime, and
ctime on some of the trojaned binaries all match the time of the
restore. This isn't the case for the rest of the files, which only have
ctime matching the restore date.

This makes it easy to spot them, but I'm wondering why that would be the
case.

I ran restore -dv and watched for those files but there was nothing out
of the ordinary in the restore output.

>From what I've turned up, I think this may be the SHV4 rootkit
(chkrootkit detects ShKit among others), so if anyone has some details
about that, I'd appreciate it; all I've seen is a symantec report from
august 03. I'm also curious about what the values it stored in
ls.so.hash and libext-2.so.7 are.

Thanks,

-G_E




More information about the list mailing list