Date:      Tue, 30 Aug 2011 11:53:12 +0200
From:      Clément Lecigne <clemun@gmail.com>
To:        Zoran Kolic <zkolic@sbb.rs>
Cc:        freebsd-security@freebsd.org
Subject:   Re: turtle rootkit
Message-ID:  <CAKSJdAD7=eswaD%2BmcZ6jWdVrZxpGuuP3iaHFrgPT556pHEE6EA@mail.gmail.com>
In-Reply-To: <20110830033854.GA1064@faust>
References:  <20110830033854.GA1064@faust>

Hi,

2011/8/30 Zoran Kolic <zkolic@sbb.rs>:
> Someone has seen an article on this on PacketStormSecurity?
> http://packetstorm.unixteacher.org/UNIX/penetration/rootkits/Turtle2.tar.gz
> Best regards all

What do you want? It's just a basic rootkit that hooks some specific
entries inside the sysent table. It can be detected by checking if a
device /dev/turtle2dev exists or by sending an ICMP echo request with
a payload starting with a double '_'; if the rootkit is loaded, no reply
will be returned.

[root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): No such file or directory
Warning: can't disable memory paging!

--- 127.0.0.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss

These tricks can be implemented inside rkhunter and/or chkrootkit.

Best regards,

-- 
Clément LECIGNE,
"In Python, how do you create a string of random characters? Read a Perl file!"
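The two indicators named in the message above, the `/dev/turtle2dev` device node and an unanswered ICMP echo whose payload starts with `__`, packaged as the kind of check rkhunter or chkrootkit would run. This is an added example, not code from the message, the thread or either tool. It assumes `hping` is on the path and is run as root for the live probe; the parsing follows the statistics line quoted in the message, and the two sample outputs embedded below are constructed so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the mailing-list message): local checks for the
# Turtle2 indicators described in the thread. Assumptions: hping is installed
# under that name, and its summary line has the format quoted in the message.

TURTLE_DEV="/dev/turtle2dev"     # device node named in the message
PROBE_TARGET="127.0.0.1"         # loopback, as in the quoted hping run

# Indicator 1: the rootkit's device node. Takes the path to test so the check
# can be pointed at a scratch directory. Returns 1 when the node is present.
check_turtle_device() {
    if [ -e "$1" ]; then
        echo "SUSPICIOUS: device node $1 exists"
        return 1
    fi
    echo "ok: no $1"
    return 0
}

# Extract M from hping's "N packets tramitted, M packets received" line
# (the misspelling is hping's own output). Echoes "unknown" when no such
# line is present, so a failed or missing run is never read as a result.
hping_received_count() {
    printf '%s\n' "$1" | awk '
        /packets received/ {
            for (i = 1; i <= NF; i++)
                if ($i == "received,") { print $(i-2); found = 1 }
        }
        END { if (!found) print "unknown" }'
}

# Indicator 2: an echo request whose payload begins with "__" gets no reply
# while the module is loaded. A count of 0 replies is also what a host-level
# firewall dropping ICMP produces, so "suspicious" means "investigate", not
# "confirmed".
classify_icmp_probe() {
    received=$(hping_received_count "$1")
    case "$received" in
        unknown) echo "inconclusive" ;;
        0)       echo "suspicious" ;;
        *)       echo "clean" ;;
    esac
}

# Live probe, the exact command from the message (needs root and hping).
run_icmp_probe() {
    hping -c 1 -n "$PROBE_TARGET" -e "__foo" -1 2>&1
}

# Constructed sample: hping output as shown in the message (rootkit loaded).
SAMPLE_LOSS='HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes

--- 127.0.0.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss'

# Constructed sample: what a clean host would print (one reply received).
SAMPLE_CLEAN='HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
len=33 ip=127.0.0.1 ttl=64 id=0 icmp_seq=0 rtt=0.1 ms

--- 127.0.0.1 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss'

# Offline demonstration on the constructed samples. To probe a real host,
# replace the samples with: classify_icmp_probe "$(run_icmp_probe)"
echo "device check : $(check_turtle_device "$TURTLE_DEV")"
echo "loaded sample: $(classify_icmp_probe "$SAMPLE_LOSS")"
echo "clean sample : $(classify_icmp_probe "$SAMPLE_CLEAN")"
```

Both indicators are cheap enough to run from cron; the device-node check is the stronger one, since the ICMP probe cannot distinguish the hook from an ordinary ICMP drop rule.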