[ale] New Linux Rootkit
JD
jdp at algoloma.com
Wed Nov 21 05:46:10 EST 2012
> If you want the technical details,
> see http://blog.crowdstrike.com/2012/11/http-iframe-injecting-linux-rootkit.html. But
> basically, the version in the wild does a terrible job of hiding itself. It
> fails to hide from ps, instead showing kernel threads of [get_http_inj_fr] and
> [write_startup_c] in ps. That and the traces in /etc/rc.local are probably
> enough to find the current incarnation easily. That being said, there's nothing
> on how the attacker is getting root in the first place, and I suspect new
> versions with better hiding will come out soon.
Looks like time to fire up cssh to have a wide look at all the rc.local on machines.
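A defender-side check for the two indicators the quoted message lists, added here as an example and not part of the original thread: the kernel-thread names and the /etc/rc.local path come from the post, while the sample ps output and rc.local contents are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the original post: a defender-side check for the
# two indicators named in the thread, the kernel-thread names [get_http_inj_fr]
# and [write_startup_c] in ps output and unexpected commands in /etc/rc.local.
# The thread names and the rc.local path come from the post; the rest is assumed.

INDICATOR_THREADS='get_http_inj_fr|write_startup_c'

# scan_ps: read ps-style output on stdin; print lines whose command field is
# one of the indicator kernel-thread names and return 1 if any were found.
scan_ps() {
    hits=$(grep -E "\[(${INDICATOR_THREADS})\]" || true)
    [ -n "$hits" ] && { printf '%s\n' "$hits"; return 1; }
    return 0
}

# scan_rc_local: print every non-comment, non-blank line of the given rc.local
# other than the stock "exit 0"; return 1 if anything is left over.
scan_rc_local() {
    [ -r "$1" ] || return 0
    extra=$(grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*exit 0[[:space:]]*$' "$1" || true)
    [ -n "$extra" ] && { printf '%s\n' "$extra"; return 1; }
    return 0
}

# Constructed sample ps output: two clean lines plus both indicator threads.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
   23 ?        S      0:00 [kworker/0:1]
 4201 ?        S      0:00 [get_http_inj_fr]
 4202 ?        S      0:00 [write_startup_c]'

# Constructed sample rc.local: stock header and footer with one injected line.
write_sample_rc() {
    printf '%s\n' '#!/bin/sh -e' '# rc.local' \
        '/usr/local/bin/injected_loader &' 'exit 0' >"$1"
}

run_demo() {
    printf '%s\n' "$SAMPLE_PS" | scan_ps || echo "ALERT: indicator kernel threads present"
    rc=$(mktemp); write_sample_rc "$rc"
    scan_rc_local "$rc" || echo "ALERT: rc.local carries extra commands"
    rm -f "$rc"
}
run_demo
# On a live host: ps ax | scan_ps; scan_rc_local /etc/rc.local
```

Both functions print what they matched and signal via exit status, so they drop into a cssh or cron sweep without further parsing.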