LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-16-2006, 09:45 PM   #1
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Rep: Reputation: 31
dreams rootkit


Can anyone give me any info about the dreams rootkit? All I have found is that it exploits a gzip overflow.

Thanks,
 
Old 07-17-2006, 03:50 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Looking at this you can probably figure out functionality:
/dev/ida/.hpd
/usr/bin/initrd
/dev/ttyoa
/dev/ttyof
/dev/ttyop
/usr/bin/sense
/usr/bin/sl2
/usr/bin/logclear
/usr/bin/(swapd)
/usr/bin/snfs
/usr/lib/libsss
 
Old 07-17-2006, 12:55 PM   #3
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
I'm not sure if I'm infected or not. So would reading thru those still tell me what I want to know......
 
Old 07-17-2006, 02:55 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
I'm not sure if I'm infected or not. So would reading thru those still tell me what I want to know......
Probably not. (BTW, next time better post something along the lines of "My box got infected".) Show us what you've got and for how long this has been going on.
 
Old 07-17-2006, 03:43 PM   #5
neocontrol
Member
 
Registered: Jul 2005
Posts: 273

Original Poster
Rep: Reputation: 31
I ran rootkit hunter on the system. It came back with possible dreams rootkit. As for the server itself, lots of files where all highlighted in red. 15 processes where hidden. If i ran a command such as ps -A I would get the help screen for ps. If I ran just ps, it would return about 6 processes, most of them things that I was currently doing, such as, ssh, su, bash, ps.

Some programs such as nagios where not work ing correctly any more.

I think it was more of a problem of our building. They turned off the AC on this incredibly hot 100 degree weekend, and our extra AC units couldnt keep up. My partner came in and said the server room was 95 degrees. Servers shut themselves down and what not.

We didn't know if that was a false positve , so we googled up dreams rootkit, and i searched on here, and found nothing really useful.

We are setting up anohter system, so it's not the biggest deal. Just looking for some info.
 
Old 07-17-2006, 03:48 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Well, I'd still be interested in any output you have.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Distribution of my dreams! EXIST? javb General 12 06-15-2005 03:46 PM
Possible rootkit? bleunuit Linux - Security 4 05-18-2005 03:21 PM
suse 9.1, wpc11 v.4, & my dreams of leaving windows behind me zhuangshi Linux - Wireless Networking 12 07-22-2004 07:06 PM
7k salary or Woman of Dreams HadesThunder General 14 05-13-2004 01:26 AM
Digital Dreams Epsilon 1.3 USB Camera and Mandrake 9 XavierP Linux - Hardware 0 12-21-2002 08:47 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:40 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration