Hi, 2011/8/30 Zoran Kolic <[email protected]>: > Someone has seen an article on this on PacketStormSecurity? > http://packetstorm.unixteacher.org/UNIX/penetration/rootkits/Turtle2.tar.gz > Best regards all
What do you want? It's just a basic rootkit that hooks some specific entries inside the sysent table. It can be detected by checking if a device /dev/turtle2dev exists or by sending an ICMP echo request with a payload starting with a double '_' and if rootkit is loaded no reply will be returned. [root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1 HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes [main] memlockall(): No such file or directory Warning: can't disable memory paging! --- 127.0.0.1 hping statistic --- 1 packets tramitted, 0 packets received, 100% packet loss These tricks can be implemented inside rkhunter or/and chkrootkit. Best regards, -- Clément LECIGNE, "In Python, how do you create a string of random characters? Read a Perl file!" _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"
