The modus operandi is very similar to that of the attack presented in scan 13, where a Romanian blackhat known as Becys uses a rootkit (lamerk) to compromise a host. The lamerk rootkit left the following files and changes on the system:

- /dev/caca (lrk's netstat config file) and /dev/dsx (lrk's ps and top config file)
- /dev/ida/.inet, in which it installs, among other things, a sshd daemon (sshdu) and a port sniffer (linsniffer)
- /usr/bin/hdparm
- /etc/rc.d/rc.sysinit, changed to run hdparm (that is, the sshd backdoor and the sniffer) on every boot
- becys.cgi
- a message to becys@becys.org containing information about the compromised host
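As an added example (not part of the original report), a POSIX shell check for the lamerk artifacts listed above, meant to be run against a mounted disk image or from a clean boot medium, because lrk trojans ps, top and netstat and the compromised host's own tools cannot be trusted. The assumption that a legitimate hdparm lives in /sbin rather than /usr/bin is mine, not the report's.

```shell
#!/bin/sh
# Added example: scan a filesystem tree for the lamerk/lrk artifacts named in
# the report. Run it on a mounted image or from clean boot media, never with the
# suspect host's own (possibly trojaned) ps/top/netstat in the loop.
# Assumption (mine): a legitimate hdparm lives in /sbin, not /usr/bin.

# Usage: check_lamerk_artifacts [ROOT]; prints one FOUND line per hit and
# returns 1 if anything was found, 0 for a clean tree.
check_lamerk_artifacts() {
    root="${1:-/}"
    found=0

    # lrk keeps its ps/top/netstat hiding lists as regular files under /dev.
    for f in "$root/dev/caca" "$root/dev/dsx"; do
        if [ -f "$f" ]; then
            echo "FOUND: regular file $f (lrk hiding config)"
            found=1
        fi
    done

    # Hidden working directory holding the backdoor sshd and the sniffer.
    if [ -d "$root/dev/ida/.inet" ]; then
        echo "FOUND: hidden directory $root/dev/ida/.inet"
        found=1
        for b in sshdu linsniffer; do
            if [ -e "$root/dev/ida/.inet/$b" ]; then
                echo "FOUND: $root/dev/ida/.inet/$b"
            fi
        done
    fi

    # The launcher is dropped as /usr/bin/hdparm and rc.sysinit is edited to
    # start it on every boot (the stock hdparm would be /sbin/hdparm).
    if [ -f "$root/usr/bin/hdparm" ]; then
        echo "FOUND: $root/usr/bin/hdparm (launcher path named in the report)"
        found=1
    fi
    rc="$root/etc/rc.d/rc.sysinit"
    if [ -f "$rc" ] && grep -q -- '/usr/bin/hdparm' "$rc"; then
        echo "FOUND: $rc starts /usr/bin/hdparm at boot"
        found=1
    fi

    # The report does not give the location of becys.cgi, so search the tree.
    cgi=$(find "$root" -name becys.cgi 2>/dev/null | head -n 1)
    if [ -n "$cgi" ]; then
        echo "FOUND: $cgi"
        found=1
    fi
    return $found
}
```

Pair the file checks with a comparison of the suspect netstat, ps and top binaries against known-good copies, since the /dev/caca and /dev/dsx lists only matter because those tools were replaced.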