
Looks like...

The modus operandi is very similar to that of the attack presented in scan 13, where a Romanian blackhat known as Becys used a rootkit (lamerk) to take over a compromised host. The lamerk rootkit performed the following actions:

  1. Installs trojaned versions of netstat, ps, ifconfig and top taken from lrk (the Linux rootkit).
  2. Creates the files /dev/caca (lrk's netstat configuration file) and /dev/dsx (lrk's ps and top configuration file).
  3. Creates the directory /dev/ida/.inet and installs there, among other things, an SSH daemon (sshdu) and a sniffer (linsniffer).
  4. Creates a shell script at /usr/bin/hdparm.
  5. Modifies /etc/rc.d/rc.sysinit to run hdparm (that is, the sshd backdoor and the sniffer) on every boot.
  6. Tries to install a CGI backdoor, becys.cgi.
  7. Sends an email to becys@becys.org containing information about the compromised host.
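As an added example (not part of the original analysis, and not code from the lamerk rootkit itself), the list above can be turned into a quick indicator check that runs against a mounted evidence image. The function below looks only for the paths named in the text; the cgi-bin directories it searches for becys.cgi are an assumption, since the text does not say where the CGI backdoor is installed.

```shell
#!/bin/sh
# Added example: check a mounted filesystem image for the lamerk/lrk
# indicators listed in the analysis. Usage: lamerk_check /mnt/evidence
# (defaults to /). Prints one line per indicator and returns the number
# of hits as the exit status, so 0 means nothing matched.

lamerk_check() {
    root="${1:-/}"
    root="${root%/}"          # strip trailing slash so paths join cleanly
    hits=0

    # 1. lrk configuration files for the trojaned netstat / ps / top
    for f in /dev/caca /dev/dsx; do
        if [ -e "$root$f" ]; then
            echo "hit: lrk config file $f"
            hits=$((hits + 1))
        fi
    done

    # 2. hidden directory holding the sshdu backdoor and linsniffer
    if [ -d "$root/dev/ida/.inet" ]; then
        echo "hit: hidden directory /dev/ida/.inet"
        hits=$((hits + 1))
        for b in sshdu linsniffer; do
            if [ -e "$root/dev/ida/.inet/$b" ]; then
                echo "      contains $b"
            fi
        done
    fi

    # 3. /usr/bin/hdparm replaced by a shell script. The real hdparm is
    #    an ELF binary, so a file starting with "#!" is suspicious.
    h="$root/usr/bin/hdparm"
    if [ -f "$h" ]; then
        first=""
        read -r first < "$h" || true
        case "$first" in
            '#!'*)
                echo "hit: /usr/bin/hdparm is a script, not a binary"
                hits=$((hits + 1))
                ;;
        esac
    fi

    # 4. boot hook: rc.sysinit modified to start hdparm on every boot
    rc="$root/etc/rc.d/rc.sysinit"
    if [ -f "$rc" ] && grep -q 'hdparm' "$rc"; then
        echo "hit: rc.sysinit references hdparm:"
        grep -n 'hdparm' "$rc" | sed 's/^/      /'
        hits=$((hits + 1))
    fi

    # 5. CGI backdoor. The analysis does not give the directory, so the
    #    cgi-bin locations searched here are an assumption.
    for d in /home/httpd/cgi-bin /var/www/cgi-bin /usr/lib/cgi-bin; do
        if [ -e "$root$d/becys.cgi" ]; then
            echo "hit: CGI backdoor $d/becys.cgi"
            hits=$((hits + 1))
        fi
    done

    echo "$hits indicator(s) found under ${root:-/}"
    return "$hits"
}
```

Run it against a read-only mount of the evidence image rather than the live system: the trojaned ps, netstat and top hide exactly the processes and sockets that would otherwise reveal sshdu and linsniffer, so only the file-level indicators can be trusted from a compromised host's own tools.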



Guillaume Filion
2001-05-21