Date: Thu, 5 Apr 2001 09:41:44 +0200
From: Arthur Donkers <arthur@RESEAU.NL>
Subject: Re: Adore files
To: INCIDENTS@SECURITYFOCUS.COM

Hi,

After taking a quick look at the tar file below, I noticed two interesting files: adore.o and ava. Both are part of the Adore kernel-based rootkit by team teso (http://www.team-teso.net/). This means that once the system is compromised, rebooting will not help to 'remove' the rootkit, since the kernel module will be reloaded upon the next boot, and thus automatically reinstall the rootkit.

By analyzing the ava executable, we can determine the magic word that is used as a password so sysadmins of infected machines can disable the kernel module.

We'll be back,

Arthur Donkers
Le Reseau

On Thu, Apr 05, 2001 at 12:06:31AM -0400, Jason Boyer wrote:
> This is in response to the ton of mail I got requesting this file. It is
> a tar ball of the /usr/lib/libt directory that appeared to be installed
> with the adore worm. It also has some of the other adore files in it as
> well such as a tar called wipe-1.00 that was packed with tons of
> interesting stuff as well as a trojan ssh daemon. This was pulled from a
> machine a couple of weeks ago running.
>
> This file is provided with no guarantees; use at your own risk.
>
> http://www.sultec.com/files/usrlib_libt-hack_src.tgz
>
> Cheers,
> Jason

--
/* Disclaimer : you hire my skills, not my opinions, those are mine ! */
/* email : arthur@reseau.nl          Security   'Me ? I'm not me ! I'm just a */
/* phone : (+31) 50 549 2701         is not a   computer simulation of me'    */
/* URL     http://www.reseau.nl      dirty word Red Dwarf, First Episode      */
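The point Arthur makes, that a kernel-module rootkit such as Adore survives a reboot because something in the boot sequence reloads adore.o, suggests a simple triage check for responders: read the startup scripts and look for module loads that do not come from the distribution's module tree, plus any reference to the /usr/lib/libt directory named in the thread. The script below is an added illustration, not code from the list post or from team teso; the sample rc.local content, the /lib/modules convention, the kernel version in the sample path and the /var/tmp path are constructed for the demo.

```python
"""Flag boot-time kernel-module loads from unexpected locations.

Added example (not from the mailing-list post). Scans the text of
startup scripts (rc.local, rc.sysinit, modules.conf, ...) for
insmod/modprobe lines that load a module by path from outside the
standard module tree, and for references to /usr/lib/libt, the
directory the thread reports as holding adore.o and ava.
"""
import re
import sys
from pathlib import Path

# Assumption: the distribution keeps its modules under /lib/modules.
STANDARD_MODULE_DIR = "/lib/modules"

# Directory named in the thread as holding adore.o and ava.
KNOWN_BAD_DIRS = ("/usr/lib/libt",)

# Startup files worth reading on a 2001-era Linux box (assumed list).
DEFAULT_SCRIPTS = (
    "/etc/rc.d/rc.local",
    "/etc/rc.d/rc.sysinit",
    "/etc/rc.local",
    "/etc/modules.conf",
    "/etc/conf.modules",
)

# insmod or modprobe followed, somewhere on the line, by an absolute path.
# "modprobe eepro100" (a module name, not a path) deliberately does not match.
LOAD_RE = re.compile(r"\b(insmod|modprobe)\b[^\n]*?(/\S+)")


def find_suspicious_module_loads(script_text, source="<input>"):
    """Return (source, line number, reason, line) tuples for suspect lines."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or comment
        if any(bad in stripped for bad in KNOWN_BAD_DIRS):
            findings.append((source, lineno, "references known rootkit dir", stripped))
            continue
        m = LOAD_RE.search(stripped)
        if m and not m.group(2).startswith(STANDARD_MODULE_DIR):
            findings.append(
                (source, lineno,
                 "module loaded from outside %s" % STANDARD_MODULE_DIR, stripped)
            )
    return findings


def scan_scripts(paths=DEFAULT_SCRIPTS):
    """Scan each existing file in paths; unreadable or absent files are skipped."""
    results = []
    for p in paths:
        path = Path(p)
        if path.is_file():
            try:
                results.extend(find_suspicious_module_loads(path.read_text(errors="replace"), p))
            except OSError:
                pass
    return results


# Constructed sample rc.local: two legitimate loads, one from the directory
# named in the thread, one from an arbitrary non-standard path.
SAMPLE_RC_LOCAL = """\
#!/bin/sh
# constructed sample rc.local
/sbin/insmod /lib/modules/2.2.19/net/3c59x.o
/sbin/modprobe eepro100
/sbin/insmod /usr/lib/libt/adore.o
/sbin/insmod /var/tmp/mod.o
"""

if __name__ == "__main__":
    hits = scan_scripts(sys.argv[1:]) if len(sys.argv) > 1 else \
        find_suspicious_module_loads(SAMPLE_RC_LOCAL, "sample rc.local")
    for source, lineno, reason, line in hits:
        print("%s:%d: %s: %s" % (source, lineno, reason, line))
```

Run it with no arguments to see the two hits from the constructed sample, or pass the paths of the real startup files to scan a suspect system. It only reads text, so it is safe to run from a rescue boot against a mounted disk; it will not catch a module that is loaded by a trojaned binary rather than a script, which is why a clean-media comparison of the system binaries is still needed.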