zk rootkit
Andy Green
fedora at warmcat.com
Fri Nov 21 15:50:49 UTC 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Friday 21 November 2003 12:18, Grosswiler Roger wrote:
> Hi guys,
>
> Running chkrootkit on my server lets me know that I have a 'possible
> installation of the zk rootkit' on my server. Does anybody know how I can
> find out about this rootkit, where the files are and what I can do against
> it?
I get the same report here; it's a script problem I believe, not any kind of
backdoor. Here's the bit of the script:
if [ -f ${ROOTDIR}usr/bin/run -o -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
   echo "Possible ZK rootkit installed"
fi
Here's what happens when you run that
[agreen at fastcat console]$ /usr/bin/run -o -f /etc/sysconfig/console/load.zk
/usr/bin/run: invalid option -- o
Here's what's in the bad place
[agreen at fastcat audio]$ cd /etc/sysconfig/console
[agreen at fastcat console]$ ll
total 0
Here's where run implies there IS no -o option
[agreen at fastcat console]$ /usr/bin/run --help
Usage: run [OPTIONS] { COMMAND [ARGS] | PROCESS_SPECIFIER }
Set scheduling parameters and CPU bias for a new process or a list
of existing processes.
OPTIONS can be one or more of the following options:
-b, --bias=LIST Set the CPU bias to the LIST of CPUs;
CPUs are numbered starting from 0
-s, --policy=POLICY Set the scheduling policy to POLICY
(SCHED_OTHER, SCHED_RR or SCHED_FIFO)
-P, --priority=LEVEL Set the scheduling priority to LEVEL;
SCHED_FIFO and SCHED_RR range: 1 to 99
SCHED_OTHER: only priority 0 is valid
-q, --quantum=QUANTUM Set the SCHED_RR quantum to QUANTUM;
use --quantum=list for valid settings
-N, --negate Negate the CPU bias list; all CPUs
except those listed will be selected
-f, --fork Fork COMMAND and return immediately
-c, --copies=COUNT Run COUNT identical copies of COMMAND
-i, --info Output process environment information
-V, --version Output version information and exit
-v, --verbose Output information before each action
-h, --help Display this help and exit
PROCESS_SPECIFIER is exactly one of the following options:
-p, --pid=LIST Specify LIST of existing PIDs to modify
-g, --group=LIST Specify LIST of process groups to modify; all
existing processes in the groups will be modified
-u, --user=LIST Specify LIST of users to modify; all existing
processes owned by the users will be modified
-n, --name=LIST Specify LIST of existing process names to modify
Multiple comma separated values can be specified for all LISTs and ranges
are allowed where appropriate (e.g. "run -b 0,2-5 autopilot").
See the run(1) man page for more information.
[agreen at fastcat console]$
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/vjRcjKeDCxMJCTIRAqXjAJ9bbmBHOf/r9dhgxzP9GPwGO71i8gCfVPph
urQhhUpjmzRhKJP4aSjYkLA=
=tpSe
-----END PGP SIGNATURE-----
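As an added example (not from Andy's mail and not chkrootkit's own code), the function below reproduces the quoted chkrootkit test so it can be run against a constructed directory tree instead of the live system. In `[ -f A -o -f B ]` the `-o` is the OR operator of the shell's `test` builtin, so the line reports a hit whenever either of the two files exists under ROOTDIR. The function names, the demo tree and the temporary paths are my own.

```shell
# Added example: reproduces the chkrootkit "zk" indicator test as a function.
# In "[ -f A -o -f B ]", "-o" is the OR operator of test(1): the expression is
# true when either file exists. It is not an option handed to /usr/bin/run.

# Returns 0 ("possible ZK rootkit") if either indicator file exists under $1
# (ROOTDIR, which chkrootkit expects to end in "/"), 1 otherwise.
zk_check() {
    rootdir="$1"
    if [ -f "${rootdir}usr/bin/run" -o -f "${rootdir}etc/sysconfig/console/load.zk" ]; then
        return 0
    fi
    return 1
}

# Prints which of the two indicator files is present, so a reader can see
# whether a hit comes from a legitimate binary or from the load.zk file.
zk_explain() {
    rootdir="$1"
    for f in "usr/bin/run" "etc/sysconfig/console/load.zk"; do
        if [ -f "${rootdir}${f}" ]; then
            echo "present: ${rootdir}${f}"
        fi
    done
}

# Constructed demo (hypothetical trees under a temp dir): tree "a" contains
# only a usr/bin/run file, tree "b" contains neither indicator.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/a/usr/bin" "$tmp/b/usr/bin"
    : > "$tmp/a/usr/bin/run"
    if zk_check "$tmp/a/"; then
        echo "tree a: Possible ZK rootkit installed"
        zk_explain "$tmp/a/"
    fi
    if zk_check "$tmp/b/"; then echo "tree b: hit"; else echo "tree b: clean"; fi
    rm -rf "$tmp"
}
```

Run `demo` to see that tree "a" trips the check on the presence of `usr/bin/run` alone. On a real system the useful follow-up is to establish whether that binary belongs to an installed package (on RPM-based systems, `rpm -qf /usr/bin/run` and `rpm -V` on the owning package) and whether `/etc/sysconfig/console/load.zk` exists at all; the mail's own listing shows that directory empty.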