File type | empty file |
File type | Ascii text |
Functionality |
rootkit configuration file |
Analysis |
From the shell script "remove", these files, .c, .d, and .p, are moved to
/usr/include/{hosts.h, proc.h, file.h}. Together with the analysis of other
trojanised binaries found in this directory, we could deduce the
following:
|
File type | compressed archive |
Functionality |
rootkit |
Origin |
adore rootkit v 0.38. A copy can be found at http://packetstormsecurity.org/groups/teso/adore-0.38.tar.gz |
Analysis |
By comparing the md5sum of the files
with the original files from adore-038.tgz, we noted that some
customisations have been made to adore.c, configure, and start. There is
also an additional Makefile in .x.tgz, probably created after running
the configure script.
|
File type | ELF executable, stripped |
Functionality |
change attributes of binary |
Origin |
RH 6.2 system |
Analysis |
Using the md5sum database from http://www.knowngoods.org, we
found that the md5sum of this binary, b2969301f179b6e74e5102c4af0b49e1,
tallies with that of /usr/bin/chattr of a RH 6.2 system. |
File type | shell script |
Analysis |
Used to install the adore rootkit,
i.e. .x.tgz |
File type | shell script |
Functionality |
clearing logs |
Interesting strings
output |
Alles sauber mein Meister |
Origin |
This file is identical to the
file t0rnsb from t0rnkit. A copy of t0rnkit can be found at http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz |
Analysis |
The string "Alles sauber mein Meister" provides a unique signature. We made use of this string and performed a search on the Internet, which in turn helped us to identify that this file is part of t0rnkit. |
File type | shell script |
Analysis |
This script is used together with cl to clear a series of logs. The script passes a
list of two-octet IP address prefixes, host names, and binary names to the
script cl for clearing. |
File type | ELF executable, stripped |
Functionality |
trojanised dir |
Analysis |
The strings output did not reveal any anomalies suggesting that this executable is a trojan. We proceeded to strace the executable, and noticed that it tried to access the file /lusr/include/file.h. The trojan makes use of /usr/include/file.h as its configuration file. Output that corresponds to entries found in the configuration file is filtered out. The configuration file has the same format as the ROOTKIT_FILES_FILE of lrk5. |
File type | ELF executable, not stripped |
Functionality |
trojanised du |
Interesting strings
output |
/usr/include/file.h /xL/lrk5/fileutils-3.13/src/ ../../rootkit.h GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) |
Origin |
Linux rootkit 5, i.e. lrk5. A copy of the rootkit can be found at http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz |
Analysis |
|
Remarks |
probably compiled on a Redhat
6.2 system |
File type | ELF executable, stripped |
Functionality |
encoding program |
Interesting strings
output |
SOLcrypt 1.0 by sensei tornkit version ! usage: %s -e input-file output-file (encrypt file) %s -d input-file output-file (decrypt file) |
Analysis |
Although the filename is
encrypt, the program actually performs encoding, since no password is
involved. We did not attempt to reverse engineer the
binary, and hence do not know the encoding scheme used.
Also, though the strings output claims "tornkit version",
our copy of t0rnkit does not have any equivalent program. |
File type | ELF executable, stripped |
Functionality |
Fixing checksum |
Interesting strings
output |
fix: Can't open %s fix: Last 17 bytes not zero fix: Can't fix checksum fix: No permission to change owner or no such file fix: No permission to change mode or no such file fix: File %s fixed fix: read error on %s fix: Can't read time of day fix: Can't set time of day fix: Can't change modify time Usage: fix original replacement [backup] |
Origin |
Probably lrk5 |
Analysis |
The series of error messages is similar to that of lrk5, which led us to believe that this file is derived from lrk5. Going by the usage line in the strings output, the binary moves "replacement" to "original" and fixes the checksum (using the sum(1) algorithm) if possible. The MAC time of this new file is modified to read as that of the replacement. The old "original" is copied to "backup" if a third argument is provided. |
File type | ELF executable, stripped |
Functionality |
trojanised ifconfig |
Interesting strings
output |
ifconfig 1.39 (1999-03-18) |
Origin |
Probably t0rnkit |
Analysis | Remove PROMISC flags when
sniffing |
File type | Shell script |
Analysis |
Starts the programs initd, write, and .x/start |
File type | ELF executable, not stripped |
Functionality |
trojanised sshd |
Interesting strings
output |
sshd version %s [%s] Usage: %s [options] Options: /usr/lib -f file Configuration file (default %s/sshd_config) -d Debugging mode -i Started from inetd -q Quiet (no logging) -p port Listen on the specified port (default: 22) -k seconds Regenerate server key every this many seconds (default: 3600) -g seconds Grace period for authentication (default: 300) -b bits Size of server RSA key (default: 768 bits) /usr/lib/ssh_host_key -h file File from which to read host key (default: %s) -V str Remote version string already read from the socket GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.1 2.96-81) GCC: (GNU) 2.96 20000731 (Red Hat Linux 7.1 2.96-79) |
Origin |
|
Analysis |
|
Remarks |
Given the compiler strings,
probably compiled on a Redhat 7.1 system |
File type | Shell script |
Functionality |
Batch processing |
Interesting strings
output |
EnForCeR SSH-RK 8.0 Greetingz to memberz from : #st0rm,#alone,#force,#la-cafea |
Analysis |
Installs the trojans and removes
traces of the original tarball, the installation directory, and entries from
lastlog. Also calls the scripts remove, move, check, startfile, mailme, clean, and patch. |
File type | ELF executable, not stripped |
Functionality |
trojanised killall |
Interesting strings
output |
/usr/include/proc.h GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) |
Origin |
Linux rootkit 5, i.e. lrk5. A copy of the rootkit can be found at http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz |
Analysis |
The trojanised killall will not
kill processes that are listed in the file /usr/include/proc.h |
Remarks |
From the strings output, the
binary is probably compiled on a Redhat 6.2 system |
File type | Shell script |
Analysis |
Checks if /bin/login has been trojanised. If not, it moves the original /bin/login to /dev/mounnt (the presence of /dev/mounnt indicates that /bin/login has been trojanised), and moves a trojanised login into its place. |
Remarks |
The hacker often sets the attributes "uai" on installed files.
u: if the file is deleted, its contents are saved. Used for file undeletion, but not honored by kernel (as of Linux 2.2) filesystem code.
i: the file cannot be modified. This is likely to confuse an inexperienced system administrator when trying to delete a file.
a: append mode.
Although not in this case, the hacker does use the +s attribute on other files.
s: the content is zeroed when the file is deleted. |
File type | ELF shared library |
Functionality |
trojanised libproc |
Analysis |
We parsed the binary using
readelf, and observed that the shared library contains functions such as
proc_hackinit, proc_istrojanised, and proc_childeofhidden, which suggests
that this is a trojanised shared library. We disassembled the shared library with the help of IDA Pro, and specifically zoomed in on the function proc_hackinit, as it is referenced by top and ps. The proc_hackinit function
a) each entry is separated by a carriage return.
b) within each entry, the fields are separated by a space, and the 2nd field is the field of interest.
By experimenting with top and ps in a controlled environment (RH 6.2
running on VMware), we noted that the 2nd field of each entry of
"/usr/include/proc.h" contains the process name to hide, and the 2nd
field of each entry of "/usr/include/hosts.h" contains an IP
address (or a sub-string of one) to hide if it appears in the command
argument. For the case of "/usr/include/hosts.h", the first field must
be the number "2". |
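The configuration format described above can be turned against the trojan during response: read the recovered files and report which entries of a process listing taken with trusted tools the trojanised ps/top would have suppressed. This is an added example, not code from the original analysis; the file contents, the process listing, the first-field value used for proc.h and the exact-match rule for process names are constructed assumptions.

```python
# Constructed sample contents for the two rootkit configuration files.
# The page only fixes the first field for hosts.h ("2"); the value used
# for proc.h here is a placeholder.
PROC_H = "2 initd\n2 sc\n"
HOSTS_H = "2 192.0.2\n1 10.9.9\n"

# Constructed listing as (pid, name, full command line), assumed to come
# from a trusted source such as a statically linked ps on read-only media.
LISTING = [
    (1, "init", "init"),
    (412, "initd", "/sbin/initd -q"),
    (530, "sc", "./sc 64 111"),
    (601, "telnet", "telnet 192.0.2.77"),
    (702, "bash", "-bash"),
]


def second_fields(text, required_first=None):
    """Return the 2nd space-separated field of every entry (one per line).

    Entries with fewer than two fields are skipped. If required_first is
    given, only entries whose 1st field equals it are kept.
    """
    values = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        if required_first is not None and fields[0] != required_first:
            continue
        values.append(fields[1])
    return values


def hidden_processes(proc_cfg, hosts_cfg, listing):
    """Return [(pid, reason)] for listing entries the trojan would hide."""
    names = set(second_fields(proc_cfg))
    addresses = second_fields(hosts_cfg, required_first="2")
    hits = []
    for pid, name, cmdline in listing:
        if name in names:  # assumption: exact match on process name
            hits.append((pid, "name:" + name))
            continue
        for addr in addresses:  # sub-string match on the arguments
            if addr in cmdline:
                hits.append((pid, "addr:" + addr))
                break
    return hits


if __name__ == "__main__":
    for pid, reason in hidden_processes(PROC_H, HOSTS_H, LISTING):
        print(pid, reason)
```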
File type | ELF executable, stripped |
Functionality |
trojanised login |
Interesting strings
output |
/dev/mounnt cocacola |
Analysis |
To figure out how the trojan
functions, we disassembled the trojanised login using IDA Pro. Some of
the more interesting listings can be found in login_dis.txt.
The trojan checks whether the environment variable
"TERM" is set to "cocacola". If $TERM=cocacola, a root shell is
presented; otherwise, execution is passed to the original login program,
which should be located at /dev/mounnt. |
File type | ELF executable, not stripped |
Functionality |
trojanised ls |
Interesting strings
output |
/usr/include/file.h /xL/lrk5/fileutils-3.13/src/ ../../rootkit.h GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) |
Origin |
Linux rootkit 5, i.e. lrk5. A copy of the rootkit can be found at http://packetstormsecurity.org/UNIX/penetration/rootkits/lrk5.src.tar.gz |
Analysis |
The trojanised ls will not
display name of files or directories that are found in
/usr/include/file.h. |
Remarks |
From the strings output, this
binary is probably compiled on a Redhat 6.2 system. |
File type | ELF executable, stripped |
Functionality |
trojanised lsof |
Interesting strings
output |
configuration info:
%s Mon Nov 20 23:19:00 CET 2000 constructed: %s SOLos.tw root by and on constructed %s: %s%s%s compiler: %s egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) compiler version: %s -DLINUXV=22017 -DGLIBCV=201 -DHASIPv6 -DLSOF_VSTR="2.2.17" -O compiler flags: %s -L./lib -llsof loader flags: %s Linux SOLos.tw 2.2.17 #5 SMP Thu Sep 28 13:06:22 CEST 2000 i586 unknown system info: %s GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) |
Analysis |
The strings output did not
reveal any anomalies suggesting that this executable is a trojan. We
proceeded to strace the executable, and noticed that it
tried to access the file /lib/lidps1.so. After some
trial and error, we noted that /lib/lidps1.so is the configuration
file for the trojan. It stores a list of process names to be hidden from
the output of this trojanised lsof. |
Remarks |
From the strings output, the
binary is probably compiled on a Redhat 6.2 system. As lsof embeds
system information in its binary, the strings output shows that lsof was
compiled on the machine named SOLos.tw by root on 28 Sep 2000 (the
system time may be set wrongly though). Note that the original Redhat 6.2
kernel is 2.2.14, while the machine where lsof was compiled has a kernel
of 2.2.17. |
File type | Shell script |
Analysis |
Collects system and user
information and mails this information to the account r00t@emoka.ro.
The information collected includes /etc/passwd, /etc/shadow,
/proc/cpuinfo, /proc/meminfo and the command output generated by ifconfig,
uptime, df. |
File type | ELF executable, stripped |
Functionality |
trojanised md5sum |
Interesting strings
output |
GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) |
Analysis | As the strings output did not reveal any anomalies in this binary, we instead straced the program. The strace output reveals that the trojanised md5sum binary attempts to perform 2 additional tasks: 1) create the file /tmp/behsdf, and 2) read the file /dev/srd0.

---start of partial strace output---
open("login1", O_RDONLY|O_LARGEFILE) = 3
open("/tmp/behsdf", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
open("/dev/srd0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
----end of partial strace output----

We noted that the script remove generates the md5sum of various programs and redirects the output to a tmp file. This tmp file is in turn encoded with the encrypt program to arrive at the file /dev/srd0. We did exactly what the remove script does. We computed the checksum of a binary, say login1, encoded the result with the encrypt program, and stored the encoded result in the file /dev/srd0. We next renamed another binary, say login2, as login1, and recomputed the md5 checksum with the trojanised md5sum. The commands are as follows:

[root@RH62 working]# cp bigwar/login login1
[root@RH62 working]# cp /bin/login login2
[root@RH62 working]# bigwar/md5sum login1
b7585233ce551a622cab5ed08494ff12 login1
[root@RH62 working]# bigwar/md5sum login2
9b34aed9ead767d9e9b84f80d7454fc0 login2
[root@RH62 working]# bigwar/md5sum login1 > tmp; bigwar/encrypt -e tmp /dev/srd0
[root@RH62 working]# bigwar/md5sum login1
b7585233ce551a622cab5ed08494ff12 login1
[root@RH62 working]# bigwar/md5sum login2
9b34aed9ead767d9e9b84f80d7454fc0 login2
[root@RH62 working]# cp login2 login1
cp: overwrite `login1'? y
[root@RH62 working]# bigwar/md5sum login1
b7585233ce551a622cab5ed08494ff12 login1

The corresponding strace output is as follows:

---start of partial strace output---
open("login1", O_RDONLY|O_LARGEFILE) = 3
open("/tmp/behsdf", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
open("/dev/srd0", O_RDONLY|O_LARGEFILE) = 5
fstat(5, {st_mode=S_IFREG|0644, st_size=87, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40019000
read(5, "z/zIrCzjnXaMOIdhKnyXbZC6LU0MMvPE"..., 4096) = 87
fstat(4, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012d000
read(5, "", 4096) = 0
close(5) = 0
munmap(0x40019000, 4096) = 0
write(4, "b7585233ce551a622cab5ed08494ff12"..., 42) = 42
close(4) = 0
munmap(0x4012d000, 4096) = 0
open("/tmp/behsdf", O_RDONLY|O_LARGEFILE) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=42, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40019000
read(4, "b7585233ce551a622cab5ed08494ff12"..., 4096) = 42
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 1), ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012d000
ioctl(1, TCGETS, {B38400 opost isig icanon echo ...}) = 0
write(1, "b7585233ce551a622cab5ed08494ff12"..., 41) = 41
unlink("/tmp/behsdf") = 0
----end of partial strace output----

The trojanised md5sum tries to read the file /dev/srd0 if it exists. The content of /dev/srd0 is then decoded and stored in the file /tmp/behsdf. Next, the trojan checks whether the name of the program whose md5sum is to be computed can be found in the file /tmp/behsdf. If the name is found, the corresponding stored checksum is output to the screen, and the tmp file is deleted. |
Remarks |
From the strings output, the binary is probably compiled on a Redhat 6.2 system. |
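The strace approach used above for md5sum (and for dir, lsof and netstat elsewhere in this report) can be automated by diffing the files a suspect binary opens against those a known-good copy opens for the same command. The following is an added example, not part of the original analysis; the two loader lines and the baseline trace are constructed, and the function names are hypothetical.

```python
import re

# open()/openat() lines as strace prints them: call("path", FLAGS[, mode]) = ret
OPEN_RE = re.compile(
    r'\b(?:open|openat)\((?:AT_FDCWD, )?"(?P<path>[^"]*)", (?P<flags>[A-Z_|]+)'
    r'[^)]*\)\s+=\s+(?P<ret>-?\d+)'
)

# Last three lines are the first strace excerpt on this page; the two
# loader lines before them are constructed for the example.
SUSPECT_TRACE = '''\
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("login1", O_RDONLY|O_LARGEFILE) = 3
open("/tmp/behsdf", O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE, 0666) = 4
open("/dev/srd0", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
'''

# Constructed: what a known-good md5sum is assumed to open for the same command.
BASELINE_TRACE = '''\
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/lib/libc.so.6", O_RDONLY) = 3
open("login1", O_RDONLY|O_LARGEFILE) = 3
'''


def parse_opens(trace):
    """Return [(path, mode, succeeded)] for each open()/openat() line, in order."""
    calls = []
    for line in trace.splitlines():
        match = OPEN_RE.search(line)
        if not match:
            continue
        flags = set(match.group("flags").split("|"))
        mode = "write" if flags & {"O_WRONLY", "O_RDWR", "O_CREAT"} else "read"
        calls.append((match.group("path"), mode, int(match.group("ret")) >= 0))
    return calls


def unexpected_opens(suspect_trace, baseline_trace, argv_paths=()):
    """Opens made by the suspect binary that the known-good binary did not make.

    Comparing against a baseline rather than a directory allow-list matters:
    the trojanised lsof in this report kept its configuration under /lib,
    which a "/lib is fine" rule would pass. Failed opens are kept too, since
    a missing configuration file still betrays the trojan.
    """
    expected = {path for path, _, _ in parse_opens(baseline_trace)}
    expected |= set(argv_paths)
    seen, findings = set(), []
    for path, mode, ok in parse_opens(suspect_trace):
        if path in expected or (path, mode) in seen:
            continue
        seen.add((path, mode))
        findings.append((path, mode, ok))
    return findings


if __name__ == "__main__":
    for path, mode, ok in unexpected_opens(SUSPECT_TRACE, BASELINE_TRACE):
        print(f"{mode:5} {'ok' if ok else 'failed':6} {path}")
```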
File type | Shell script |
Analysis | Used for removing various files
(most likely rootkit-related), killing processes, and clearing
logs. Probably used to remove rootkits that were installed by a previous
hacker. |
File type | ELF executable, stripped |
Functionality |
trojanised netstat |
Analysis |
The strings output did not reveal any anomalies suggesting that this executable is a trojan. We proceeded to strace the executable, and noticed that it tried to access the file /lusr/include/hosts.h. The trojan makes use of /usr/include/hosts.h as its configuration file. Output with an IP address (a partial match of the IP address is sufficient) or port number that corresponds to entries found in the configuration file is filtered out. The configuration file has the same format as the ROOTKIT_ADDRESS_FILE of lrk5. |
File type | Shell script |
Interesting strings
output |
# patching this box from the
SSHD 1.2.26-31 vulnerability # by Fracktal |
Analysis |
Overwrites the existing sshd with
/sbin/initd (trojanised sshd??), and kills the current sshd process. |
File type | ELF executable, stripped |
Functionality |
trojanised ps |
Analysis |
Output of readelf command:
$ readelf -a bigwar/ps |grep libproc
 0x00000001 (NEEDED) Shared library: [libproc.so.2.0.6]
$ readelf -s bigwar/ps |grep hack
 20: 08048f4c 605 FUNC GLOBAL DEFAULT UND proc_hackinit
The readelf command output shows that this binary references the proc_hackinit function of libproc.so.2.0.6. The trojanised ps will hide output that matches entries found in the files /usr/include/proc.h and /usr/include/hosts.h. |
File type | ELF executable, stripped |
Functionality |
trojanised pstree |
Interesting strings
output |
/usr/include/proc.h pstree from psmisc version 18 GCC: (GNU) egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) |
Origin |
Probably derived from lrk5. lrk5
uses psmisc version 17, rather than psmisc version 18 (as indicated from
strings output). |
Analysis |
The trojanised pstree will hide output that matches entries found in the file /usr/include/proc.h. |
File type | Perl script |
Functionality |
parser |
Interesting strings
output |
# Sorts the output from
LinSniffer 0.03 [BETA] by Mike Edulla <medulla@infosoc.com> |
Origin |
Probably t0rnkit.
This file is similar to t0rnp found in t0rnkit. |
Analysis |
Used to parse the output of LinSniffer |
File type | Shell script |
Analysis |
The script performs the
following tasks:
|
Remarks |
The hacker often uses the command
"touch -acmr <original_file>
<timestamp_to_be_modified_file>" to preserve the timestamp of the
modified file. Note that only the modified and access timestamps are
preserved; the status change time will not be preserved. Thus this
method of modifying timestamps is still unable to evade MAC time analysis
completely. |
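The remark above gives a usable detection rule: after a touch -r style reset, a replaced binary keeps an old mtime but carries a ctime far later than its neighbours. This is an added example, not part of the original report; the sample records, the one-day slack and the function names are constructed assumptions.

```python
import os
import statistics
import tempfile
import time
from collections import namedtuple

FileTimes = namedtuple("FileTimes", "path mtime ctime")
DAY = 86400
T_INSTALL = 970000000  # constructed install time (epoch seconds)

# Constructed sample: most binaries changed at install time, two were
# replaced 90 days later and had their mtime copied back, and one local
# tool was genuinely written 30 days after install (mtime close to ctime).
SAMPLE = [
    FileTimes("/bin/cat", T_INSTALL - 200 * DAY, T_INSTALL),
    FileTimes("/bin/cp", T_INSTALL - 200 * DAY, T_INSTALL + 5),
    FileTimes("/bin/ls", T_INSTALL - 200 * DAY, T_INSTALL + 90 * DAY),
    FileTimes("/bin/login", T_INSTALL - 200 * DAY, T_INSTALL + 90 * DAY),
    FileTimes("/bin/mv", T_INSTALL - 200 * DAY, T_INSTALL + 9),
    FileTimes("/bin/local-tool", T_INSTALL + 30 * DAY - 60, T_INSTALL + 30 * DAY),
]


def collect(directory):
    """stat() every regular file directly inside directory (symlinks not followed)."""
    records = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            records.append(FileTimes(entry.path, st.st_mtime, st.st_ctime))
    return records


def ctime_outliers(records, slack=DAY):
    """Flag files whose ctime is well after both the directory's typical
    ctime (the median, i.e. install time) and the file's own mtime."""
    if not records:
        return []
    baseline = statistics.median(r.ctime for r in records)
    return sorted(
        r.path for r in records
        if r.ctime - baseline > slack and r.ctime - r.mtime > slack
    )


def demo_touch_r():
    """Reproduce what touch -acmr does and return (mtime_copied, ctime_gap_seconds)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, target = os.path.join(tmp, "ref"), os.path.join(tmp, "target")
        for path in (ref, target):
            with open(path, "w") as handle:
                handle.write("x")
        old = time.time() - 400 * DAY
        os.utime(ref, (old, old))  # pretend the reference file is old
        ref_st = os.stat(ref)
        os.utime(target, (ref_st.st_atime, ref_st.st_mtime))  # the touch -r step
        tgt_st = os.stat(target)
        # utime() itself updates ctime to "now", which cannot be set from user space
        return abs(tgt_st.st_mtime - ref_st.st_mtime) < 1, tgt_st.st_ctime - tgt_st.st_mtime


if __name__ == "__main__":
    print(ctime_outliers(SAMPLE))
    print(demo_touch_r())
```

Package updates also move ctime, so hits are leads to check against the package database or known-good hashes, not verdicts.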
File type | ELF executable, stripped |
Functionality |
port scanner |
Interesting strings
output |
Usage: %s <a-block>
<port> [b-block] [c-block] Invalid a-range Bad port number. Invalid b-range. Invalid c-range. Unable to set O_NONBLOCK %d.%d.%d.%d Invalid IP. ./statdx -d0 %s Lets try to root the %s We continue to h4x0r ... |
Analysis |
The executable attempts to scan
a range of IP addresses, depending on the number of arguments provided
by the user. When an address has the specified port open (the
port is specified by the 2nd argument), it will vfork (deduced from strace
output) the program statdx in an attempt to
exploit the host using the rpc.statd exploit. |
File type | ELF executable, stripped |
Functionality |
DoS tools |
Interesting strings
output |
Usage: %s srcaddr dstaddr low
high If srcaddr is 0, random addresses will be used GCC: (GNU) 2.7.2.1 |
Analysis |
The executable attempts to SYN
flood the destination address by sending endless spoofed packets to
a certain port range of the host. The port range is given by the 3rd and
4th arguments. |
Remarks |
Contains the string "GCC: (GNU)
2.7.2.1", rather than "GCC: (GNU) egcs-2.91.66 19990314/Linux
(egcs-1.1.2 release)" which is commonly found in other binaries. This
suggests that this binary was compiled on a different machine. |
File type | configuration files |
Functionality |
sshd/ssh configuration files and
key information |
Interesting strings
output |
ssh_host_key and
ssh_host_key.pub: root@dev57.msidg.com sshd_config: Port 17985 |
Analysis |
ssh_host_key and ssh_host_key.pub: These files contain the private and public keys of sshd. The presence of the string "root@dev57.msidg.com" indicates that dev57.msidg.com (64.220.46.57) may be one of the (compromised) hosts under the control of the hacker. We did not, however, observe any connections to or from this IP address.
ssh_random_seed: This file is required by sshd to seed its random number generator.
sshd_config: The sshd configuration file. It indicates that sshd is configured to listen on port 17985, perhaps to avoid detection of the sshd by port scanners. |
File type | Shell script |
Analysis |
Replaces original init script if any. Modifies one of the various startup scripts to call the trojanised init script. These startup scripts include /etc/rc.d/rc.sysinit, /etc/rc.d/rc.local, /etc/rc.d/init.d/boot.local, /etc/inittab |
File type | ELF executable, stripped |
Functionality | rpc.statd remote root exploit |
Interesting strings
output |
Redhat Linux 6.2/6.1/6.0 statdx2 by ron1n <shellcode@hotmail.com> Usage: %s [options] target Available options: -> <argument required> [default behavior] -t attack the server using tcp [udp] -p <port statd listens on> [query] -a <stack address of the buffer> -l <length of the buffer> [1024] -o <offset from buffer> [600] -w <number of words to wipe> [9] -s <timeout in seconds> [5] -n <brute force mode count> [1] -f attack saved ebp [saved eip] -c <"command to execute"> [portbind] -d use a hardcoded <type> |
Origin |
Probably compiled from statdx.c
by ron1n. A copy of the source code of the exploit can be found at http://packetstormsecurity.org/0008-exploits/statdx.c |
Analysis |
As per what the strings output
indicates. |
File type | ELF executable, stripped |
Functionality |
DoS tools |
Interesting strings
output |
Vadim v.Ibeta by Luciffer Anybody Registered to: %s -------------------------------- Slashing your angry Vadims at %s, port %d spoofed as %s Unknown host: %s Syntax: %s <host> <port> <spoof> <host> : either hostname or IP address. <port> : any open UDP port number. <spoof> : any real, unused ip. |
Origin |
As the strings output indicates,
this file is vadim by Luciffer. A copy of the source code can be found at http://www.vibrasi.net/exploit/vadim.c |
Analysis |
Sends endless UDP packets of a
predefined size to the destination IP address. Although the help output
indicates that a spoofed IP address can be used as the source IP, we did
not manage to get this feature working. There are probably some bugs in
the implementation of this feature. |
File type | ELF executable, stripped |
Functionality |
sniffer |
Interesting strings
output |
cant get SOCK_PACKET socket cant get flags cant set promiscuous mode ----- [CAPLEN Exceeded] ----- [Timed Out] ----- [RST] ----- [FIN] %s => %s [%d] eth0 tcp.log cant open log Exiting... |
Origin |
Probably LinSniffer by Mike
Edulla. A copy of the source code can be found at http://packetstormsecurity.org/Exploit_Code_Archive/linsniffer.c. |
Analysis |
The strings output resembles
error messages generated by LinSniffer. The main purpose of the
sniffer is to capture passwords from "clear-text protocols" such as ftp
and telnet. The output, in ASCII, is stored in the file tcp.log |
File type | Shell script |
Interesting strings
output |
Verific toate argumentele Introdu ceva , sa scanez Dureaza citeva momente Programul a fost lansat |
Analysis | Script for compiling and calling
wscan. |
File type | ELF executable, stripped |
Functionality |
scanner |
Interesting strings
output |
uzaj: %s <bloc-A>
<port> [bloc-B] [bloc-C] A eronat. Port incorect. B eronat. C eronat. Nu pot sa setez O_NONBLOCK %d.%d.%d.%d Invalid IP. ./wu -h %s Incerc sa iau %s Ghinion , continui ... Eroare: %s |
Analysis |
The strings output is similar to that of sc, though in a different language. The executable attempts to scan a range of IP addresses, depending on the number of arguments provided by the user. When an address has the specified port open (the port is specified by the 2nd argument), it will vfork (deduced from strace output) the program wu. Judging from the comment in the shell script wroot, wu is probably a wu-ftpd exploit program. We, however, do not have the executable wu to verify this. |
File type | ELF executable, stripped |
Functionality |
Log cleaner |
Interesting strings
output |
/var/adm/wtmp wtmp.tmp Erase entry (y/n/f(astforward))? Fast forward how many entries? Entries stored: %d Entries removed: %d Now chmod wtmp.tmp and copy over the original %s Usage: utzap -h -f FILE -a -z -b -x -u USER -n USER -e USER -c HOST -h This help -f Use FILE instead of default -a Show all entries found -u Show all entries for USER -b Show NULL entries -e Erase USER completely -c Erase all connections containing HOST -z Show ZAP'd entries -x Attempt to remove ZAP'd entries completely |
Origin |
Probably lrk5. |
Analysis |
The strings output bears a close
resemblance to strings found in wted.c of lrk5.
The program attempts to delete entries in the wtmp file. |
attrib |
clean |
pstree |
||
chattr |
ps |
sshd |
File type | ELF executable, stripped |
Functionality |
trojanised ps/pstree |
Interesting strings
output |
/usr/lib/locale/ro_RO/uboot/etc/procrc |
Analysis |
Knowing that one class of trojans relies on a configuration file to filter the command output, the strings output indicates that "/usr/lib/locale/ro_RO/uboot/etc/procrc" is a probable candidate. After some trial and error, we noted that entries found in /usr/lib/locale/ro_RO/uboot/etc/procrc are filtered from the command output. The format of the configuration file is similar to that of the ROOTKIT_PROCESS_FILE of lrk5. |
File type | shell script |
Analysis |
startup script for sshd |