[ale] New Linux Rootkit

Jim Kinney jim.kinney at gmail.com
Tue Nov 20 15:41:03 EST 2012


Keep in mind most rootkits replace key binaries to stay hidden. So ps
ignores the Trojan apps running, etc.
I keep a statically compiled toolkit on CD for just such occasions.

On Nov 20, 2012 3:13 PM, "Jay Lozier" <jslozier at gmail.com> wrote:

>  On 11/20/2012 02:18 PM, David Tomaschik wrote:
>
> Looks like it's targeting 64-bit Debian:
> https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012
>
>  --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com
>
> Quick question - how does one determine if the rootkit is running? I tried ps
> -u foo and did not see any listings for its processes. Also, the article
> was somewhat confusing about who is at risk. The kernel mentioned is used
> by Debian but it is an older version (2 something) not a 3 series and it is
> not clear to me if that is important.
>
> I am using Mint 13 64 bit
>
> --
> Jay Lozier jslozier at gmail.com
>
>
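As an added illustration of the point about replaced binaries (not code from the thread or from any poster), the script below compares the PIDs the installed `ps` reports against the numeric directories in `/proc`, which it reads with shell builtins only. The function names, the `PS_BIN` variable and the `--scan` flag are assumptions of this example, and it covers only user-space binary replacement, since a kernel-level rootkit can hide entries from `/proc` as well.

```shell
#!/bin/sh
# Added example: cross-view check for processes that the installed ps omits.
# The /proc view uses only shell builtins, so a replaced ps, ls or top binary
# cannot filter it. Run as root so every /proc entry is visible.

# proc_pids [DIR]: print the all-numeric directory names under DIR (default /proc).
proc_pids() {
    for d in "${1:-/proc}"/[0-9]*; do
        name=${d##*/}
        case $name in *[!0-9]*) continue ;; esac   # skip names that are not pure PIDs
        if [ -d "$d" ]; then echo "$name"; fi
    done
}

# missing_from_ps PS_VIEW PROC_VIEW: print PIDs in PROC_VIEW that PS_VIEW lacks.
missing_from_ps() {
    ps_view=" $(echo $1) "        # collapse ps padding and newlines to single spaces
    for pid in $2; do
        case "$ps_view" in
            *" $pid "*) ;;        # whole-word match, so 13 does not match 1337
            *) echo "$pid" ;;
        esac
    done
}

# hidden_pids: PIDs present in /proc, absent from ps before and after the
# /proc walk, and still alive afterwards (filters processes that just exited).
hidden_pids() {
    ps_bin="${PS_BIN:-ps}"        # the binary under suspicion
    before=$("$ps_bin" -e -o pid=)
    procs=$(proc_pids /proc)
    after=$("$ps_bin" -e -o pid=)
    for pid in $(missing_from_ps "$before $after" "$procs"); do
        if [ -d "/proc/$pid" ]; then echo "$pid"; fi
    done
}

# Scan the live system only when asked to; otherwise just define the functions.
if [ "${1:-}" = "--scan" ]; then
    hidden_pids
fi
```

Any PID it prints deserves a closer look with trusted tools; an empty result does not show that the host is clean.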