From owner-freebsd-security@FreeBSD.ORG Tue Aug 30 10:17:21 2011
From: Clément Lecigne
To: Zoran Kolic
Cc: freebsd-security@freebsd.org
Date: Tue, 30 Aug 2011 11:53:12 +0200
Subject: Re: turtle rootkit
In-Reply-To: <20110830033854.GA1064@faust>
References: <20110830033854.GA1064@faust>
List-Id: "Security issues [members-only posting]"

Hi,

2011/8/30 Zoran Kolic :
> Someone has seen an article on this on PacketStormSecurity?
> http://packetstorm.unixteacher.org/UNIX/penetration/rootkits/Turtle2.tar.gz
> Best regards all

What do you want? It's just a basic rootkit that hooks some specific entries inside the sysent table.

It can be detected by checking whether a device /dev/turtle2dev exists, or by sending an ICMP echo request with a payload starting with a double '_': if the rootkit is loaded, no reply will be returned.

[root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): No such file or directory
Warning: can't disable memory paging!

--- 127.0.0.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss

These tricks can be implemented inside rkhunter and/or chkrootkit.

Best regards,

-- 
Clément LECIGNE, "In Python, how do you create a string of random characters? Read a Perl file!"
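The two checks described in the mail, written up as an added example (not code from the thread, rkhunter or chkrootkit): it looks for the /dev/turtle2dev node and compares an ordinary ICMP echo against one whose payload starts with "__", mirroring the hping invocation above. It assumes it runs as root on the host being checked (raw ICMP socket), probes 127.0.0.1 by default, and uses the constructed payloads "foo" and "__foo"; the verdict strings are my own naming.

```python
import os
import socket
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP message (0 when valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 / code 0 header with checksum filled in, then the payload."""
    csum = icmp_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def echo_answered(host: str, payload: bytes, timeout: float = 1.0) -> bool:
    """Send one echo request (raw socket, needs root); True if a reply with our id arrives."""
    ident = os.getpid() & 0xFFFF
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.getprotobyname("icmp")) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(ident, 1, payload), (host, 0))
        for _ in range(8):  # skip a few unrelated ICMP packets, then give up
            try:
                pkt, _ = s.recvfrom(1500)
            except socket.timeout:
                break
            ihl = (pkt[0] & 0x0F) * 4  # the kernel hands us the IPv4 header too
            kind, _, _, r_ident, _ = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
            if kind == 0 and r_ident == ident:
                return True
    return False

def verdict(device_present: bool, plain_answered: bool, marker_answered: bool) -> str:
    """Combine the three observations into one rkhunter-style result line."""
    if device_present:
        return "INFECTED: /dev/turtle2dev exists"
    if not plain_answered:
        return "INCONCLUSIVE: host did not answer an ordinary echo request"
    if not marker_answered:
        return "SUSPICIOUS: '__' payload echo dropped while ordinary echo answered"
    return "CLEAN"

if __name__ == "__main__":
    dev = os.path.exists("/dev/turtle2dev")
    plain, marker = echo_answered("127.0.0.1", b"foo"), echo_answered("127.0.0.1", b"__foo")
    print(verdict(dev, plain, marker))
```

The control probe matters: a host that drops all ICMP would otherwise look like a hit, so the result is only SUSPICIOUS when the plain echo is answered and the "__" echo is not.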