[Full-Disclosure] a little help needed with identifying a rootkit

Feher Tamas etomcat at freemail.hu
Tue Feb 3 17:39:04 GMT 2004


>The SuSE security lists is having a little discussion about a
>possible hacked SuSE 8.2 machine. There is a rather big
>chance the system has been injected a script which
>downloaded stuff from here:
>http://218.234.171.84/manual/.x/

This is what Kaspersky AV with latest update says:

DO.PL    infected: Backdoor.Perl.Doopel
I.TXT    infected: Backdoor.PHP.Pokeman
II.TXT   infected: Backdoor.PHP.Pokeman
R.PL     infected: Backdoor.Perl.Perlooper
RHS      infected: Backdoor.Linux.Krepper
CROND    infected: Trojan.Linux.Rootkit.o
LOGIN    infected: Trojan.Linux.Rootkit.o
PSTREE   infected: Trojan.Linux.Rootkit.o

Regards: Tamas Feher.
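As an added example (not part of the original post or of any tool the poster used), the script below parses the scan listing above into a triage view: it groups hits by detection family and separates the plain backdoor scripts from the Trojan.Linux.Rootkit hits, whose file names (crond, login, pstree) match standard system utilities and so indicate replaced binaries that should be verified against the package database on the affected host. The three-part reading of a detection name as kind.platform.family (with a trailing variant suffix such as ".o") is an assumption about the vendor's naming convention, not something the post states.

```python
import re
from collections import defaultdict

# Scan output exactly as posted on the list (Kaspersky AV on the files
# fetched from the .x directory); embedded here so the script runs offline.
SCAN_OUTPUT = """\
DO.PL    infected: Backdoor.Perl.Doopel
I.TXT    infected: Backdoor.PHP.Pokeman
II.TXT   infected: Backdoor.PHP.Pokeman
R.PL     infected: Backdoor.Perl.Perlooper
RHS      infected: Backdoor.Linux.Krepper
CROND    infected: Trojan.Linux.Rootkit.o
LOGIN    infected: Trojan.Linux.Rootkit.o
PSTREE   infected: Trojan.Linux.Rootkit.o
"""

# One hit per line: "<file>  infected: <detection name>"
LINE_RE = re.compile(r"^(?P<file>\S+)\s+infected:\s+(?P<name>\S+)\s*$")


def parse_scan(text):
    """Return a list of (file, detection) tuples; lines that don't match are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("file"), m.group("name")))
    return hits


def split_detection(name):
    """Assumed convention: 'Kind.Platform.Family[.variant]'.

    'Trojan.Linux.Rootkit.o' -> ('Trojan', 'Linux', 'Rootkit'); the variant
    suffix is dropped because it does not matter for triage.
    """
    parts = name.split(".")
    kind = parts[0]
    platform = parts[1] if len(parts) > 1 else ""
    family = parts[2] if len(parts) > 2 else ""
    return kind, platform, family


def triage(hits):
    """Group hits by (kind, platform, family) and list replaced system binaries.

    A Trojan.*.Rootkit hit on a file named like a standard utility means the
    kit ships a replacement for that binary. Those files are not just
    droppers to delete: the same-named binaries on the compromised host must
    be checked against the package manager (on an RPM-based system such as
    SuSE, rpm -V on the owning package) and reinstalled from clean media.
    """
    by_family = defaultdict(list)
    replaced_binaries = []
    for fname, det in hits:
        kind, platform, family = split_detection(det)
        by_family[(kind, platform, family)].append(fname)
        if kind == "Trojan" and family == "Rootkit":
            replaced_binaries.append(fname.lower())
    return dict(by_family), sorted(replaced_binaries)


if __name__ == "__main__":
    families, binaries = triage(parse_scan(SCAN_OUTPUT))
    for (kind, platform, family), files in sorted(families.items()):
        print(f"{kind}.{platform}.{family}: {', '.join(files)}")
    print("system binaries replaced by the kit:", ", ".join(binaries))
```

Running it prints one line per detection family and, last, the names of the trojanized utilities (crond, login, pstree). On the compromised machine those are the three binaries to verify first, since a replaced login and crond give the intruder persistent access and a replaced pstree hides the backdoor's process from the operator.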

Full-Disclosure is hosted and sponsored by Secunia.