SLUG Mailing List Archives

Re: [SLUG] Suspicious IRCd connections


/*
 * First off - no flames for using Outlook Distress please - my
 * Linux boxes are in a container on a ship or on a dock at the moment
 * so for the moment I'm using my wife's laptop.. :-)
 */

> Not good. There're two syslogd binaries:
[...]

Hmm, certainly the Adore rootkit creates that during install, but it's not
the only one to use that trick. A report on a Honeypot (RH6.2) that's been
Adore'd is at:

http://www.lucidic.net/whitepapers/sholcroft-4.1-2002.html

Interestingly, he mentions that the person who took over that box was using
it to bounce IRC connections off of (to legit IRC servers, not imposters
like you were seeing though) and talking to others on Romanian IRC channels.
Your logs of DNS queries show lookups to some Romanian sites too (though not
only Romanian).

There's another report of another rootkit (lrk4) that also dumped a
/usr/bin/syslogd at:

http://msgs.securepoint.com/cgi-bin/get/bugtraq0001/54.html

Hey ho.  Sounds like a backup and reformat job to me.

If you want more help you could try the incidents list out of securityfocus.
I lurked there quite a bit whilst working in the UK and they can be quite
helpful there, especially if you've got something that looks a bit out of
the ordinary.

Best of luck!
Chris
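The indicator Chris and the original poster are talking about, a second binary called syslogd turning up in a directory where the distribution never installs one, can be checked for mechanically. The script below is an added example and is not code from this thread or from any of the rootkit reports it links to. It builds a constructed, throwaway directory tree (one legitimate syslogd under sbin, a second copy dropped into usr/bin, and a single klogd) and then runs a duplicate-binary check over the directories that daemons normally live in; the file contents and layout are invented for the demonstration, and POSIX cksum is used for the fingerprint so it runs on old systems too.

```shell
#!/bin/sh
# Added example (not code from the original post): look for the indicator
# the thread discusses, a second binary called syslogd dropped into a
# directory where the distribution never installs one.

# find_dupe_binaries NAME DIR...
# Prints the cksum CRC, size and path of every regular file called NAME in
# the given directories and returns 0 if it is found at most once, 1 if it
# turns up more than once (a duplicate daemon binary, as in the thread).
find_dupe_binaries() {
    name=$1
    shift
    count=0
    for d in "$@"; do
        if [ -f "$d/$name" ]; then
            count=$((count + 1))
            # cksum is POSIX, so this also works on a box as old as RH 6.2
            cksum "$d/$name"
        fi
    done
    [ "$count" -le 1 ]
}

# make_sandbox: builds a constructed, throwaway directory tree that mimics
# the infected box: a legitimate syslogd in sbin and a second copy dropped
# into usr/bin. Prints the sandbox root. Constructed data, not real binaries.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/sbin" "$root/usr/sbin" "$root/usr/bin"
    printf 'legitimate syslogd\n' > "$root/sbin/syslogd"
    printf 'dropped by rootkit\n' > "$root/usr/bin/syslogd"
    printf 'legitimate klogd\n'   > "$root/sbin/klogd"
    echo "$root"
}

# check_sandbox ROOT: runs the duplicate check for syslogd and klogd inside
# the sandbox and reports each result; returns 1 if any duplicate was found.
check_sandbox() {
    root=$1
    status=0
    for name in syslogd klogd; do
        if find_dupe_binaries "$name" "$root/sbin" "$root/usr/sbin" "$root/usr/bin"; then
            echo "$name: single copy, as expected"
        else
            echo "$name: MULTIPLE COPIES FOUND, investigate"
            status=1
        fi
    done
    return "$status"
}

# Stand-alone run: build the sandbox, check it, then clean up.
sb=$(make_sandbox)
check_sandbox "$sb" || true
rm -rf "$sb"
```

On a real RPM-based box the same question can be put to the package database with `rpm -Vf /sbin/syslogd`, which verifies the file the package actually owns; a stray copy in another directory simply won't belong to any package. Bear in mind that a rootkit which replaced syslogd may have replaced rpm, ls and find as well, which is why the check is worth running from a clean boot medium and why the reply's "backup and reformat" advice stands regardless of what the check reports.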