Hi there,

I've an old suse box (6.2) which is hacked and rootkitted. The rootkit seems to be a little bit shitty .. but has a backdoor etc.. I dunno the name of it and found only warnings about the kit while searching the net. If somebody of you has/found more information about this kit, it would be nice to hear from you :)

All the information I have is: it creates a directory: /usr/bin/duarawkz, has a udp backdoor and uses scripts to hide itself.

thanks

PS: I don't administrate this box ;) I'll never have an old system like that... horrible..

--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.

Hi,

this is a rootkit used by the groups dua and MnM operating on ircnet.

dua.mf is a copy of the well known mirkforce tool, for loading clones onto an irc network.. it works by grabbing as many IPs as it can from your C-class, and making connections to irc from them.

dua.ethclean is a tool to remove the alias interfaces, since mirkforce's own removing code fails on 2.2.x kernels.

dua.glox is a ddos tool, either the gl0xx control agent, or a "cancerserver". See: http://archives.neohapsis.com/archives/incidents/2001-03/0111.html

regards
ray

Sven Michels wrote:
> Hi there,
> I've an old suse box (6.2) which is hacked and rootkitted. The rootkit seems to be a little bit shitty .. but has a backdoor etc.. I dunno the name of it and found only warnings about the kit while searching the net. If somebody of you has/found more information about this kit, it would be nice to hear from you :) All the information I have is: it creates a directory: /usr/bin/duarawkz, has a udp backdoor and uses scripts to hide itself.
> PS: I don't administrate this box ;) I'll never have an old system like that... horrible..
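
A defender-side check for the alias-interface behaviour described in the reply above, as an added example that is not part of the original thread: it parses net-tools `ifconfig -a` output and reports parent interfaces that carry several aliases inside one /24. The sample output, the threshold of 3 and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in net-tools `ifconfig -a` format (not taken from the thread).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0

eth0:0    Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.51  Bcast:192.0.2.255  Mask:255.255.255.0

eth0:1    Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.52  Bcast:192.0.2.255  Mask:255.255.255.0

eth0:2    Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.0.2.53  Bcast:192.0.2.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
"""

IFACE_RE = re.compile(r"^(\S+)\s+Link encap:")
ADDR_RE = re.compile(r"inet addr:(\d+\.\d+\.\d+\.\d+)")

def parse_ifconfig(text):
    """Return [(interface_name, ipv4_address)] from net-tools ifconfig output."""
    pairs, current = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:                       # header line starts a new interface stanza
            current = m.group(1)
            continue
        m = ADDR_RE.search(line)
        if m and current:           # first inet line of the current stanza
            pairs.append((current, m.group(1)))
            current = None
    return pairs

def alias_sprawl(text, threshold=3):
    """Map (parent interface, /24 prefix) -> alias addresses when count >= threshold."""
    groups = defaultdict(list)
    for name, addr in parse_ifconfig(text):
        parent, sep, _ = name.partition(":")
        if sep:                     # only alias interfaces such as eth0:7
            groups[(parent, addr.rsplit(".", 1)[0])].append(addr)
    return {k: v for k, v in groups.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (parent, net), addrs in alias_sprawl(SAMPLE_IFCONFIG).items():
        print(f"{parent}: {len(addrs)} aliases in {net}.0/24: {', '.join(addrs)}")
```

Since the kit is reported to use scripts to hide itself, feed this output captured with a trusted `ifconfig` binary rather than the one installed on the suspect host.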