yes
Looking at the code, it has a full, threaded server. The code is huge (has zlib and glibc included) and the coding style is all over the place (Get_File_Size, updatesrv, MySend etc.; granted, some could be from zlib). There are SYN and DNS flood functions, a GetRandFileName function and a million more. My novice guess is it's a cross-platform botnet. btw ht, F6->elf/image if you want to check it out. Funny that it makes Slackware rc files (BSD-style init).

Edit: to add, as written in the link metaschima posted, to quote "(But I get infected after a while again, which I have not solved yet)". If that happens, you can use audit (from SBo) to find out what brought the files back. To do this goes something like this:

    auditd
    auditctl -w /path/to/dir    # to add the directory to watch

then when the files are created:

    ausearch -f /foo/bar/file_created    # to find out what process created it

This uses the kernel audit framework; if it isn't in the log then the file was created before the daemon started. To remove a watch use:

    auditctl -W /path/to/dir

More on http://security.blogoverflow.com/201...ion-to-auditd/
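The ausearch step above is the part people get wrong: auditd writes one event as several records (SYSCALL, CWD, PATH, PROCTITLE) sharing a serial, and the creating process is in the SYSCALL record while the file name is in a PATH record with nametype=CREATE. The script below is an added example, not from the post above or from the audit project; it does offline what `ausearch -f` does, correlating raw audit.log lines by serial to report which pid/exe created a given file. The log lines are constructed to look like the output of `auditctl -w /etc/rc.d -p wa -k rkwatch`; the file name `/etc/rc.d/rc.bogus` and the binary `/tmp/.x/srv` are made up for the sample. An empty result means the same thing as an empty ausearch: the file predates the watch.

```python
"""Find which process created a file by correlating raw auditd records.

Added example (not the post's or auditd's code). Parses constructed
audit.log lines offline instead of calling ausearch, so it runs anywhere.
"""
import os
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log. Event 1001 creates the
# file (openat with O_CREAT, nametype=CREATE); event 1002 only reads it.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:1001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d1c0 a2=241 a3=1b6 items=2 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="srv" exe="/tmp/.x/srv" key="rkwatch"
type=CWD msg=audit(1700000000.101:1001): cwd="/"
type=PATH msg=audit(1700000000.101:1001): item=0 name="/etc/rc.d/" inode=1234 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:1001): item=1 name="/etc/rc.d/rc.bogus" inode=5678 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=PROCTITLE msg=audit(1700000000.101:1001): proctitle=2F746D702F2E782F73727600
type=SYSCALL msg=audit(1700000000.250:1002): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=900 pid=4300 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="rkwatch"
type=CWD msg=audit(1700000000.250:1002): cwd="/root"
type=PATH msg=audit(1700000000.250:1002): item=0 name="/etc/rc.d/rc.bogus" inode=5678 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# type=<RECORD> msg=audit(<epoch>.<ms>:<serial>): <key=value ...>
RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fields(body):
    """Turn 'pid=42 exe="/bin/x"' into {'pid': '42', 'exe': '/bin/x'}."""
    fields = {}
    for key, val in FIELD_RE.findall(body):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def parse_events(text):
    """Group records by audit serial; each event keeps its records in order."""
    events = defaultdict(lambda: {"ts": 0.0, "records": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # not an audit record (blank line, truncated line)
        ev = events[m.group("serial")]
        ev["ts"] = float(m.group("ts"))
        ev["records"].append((m.group("type"), parse_fields(m.group("body"))))
    return events


def find_creators(text, target):
    """Return one dict per successful syscall that created `target`.

    Relative PATH names are resolved against the event's CWD record, which
    is what ausearch -f also has to do. No hits means the file was created
    before the watch (or the daemon) existed, or the write was not audited.
    """
    target = os.path.normpath(target)
    hits = []
    for serial, ev in sorted(parse_events(text).items(), key=lambda kv: int(kv[0])):
        syscall = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        cwd = next((f.get("cwd", "/") for t, f in ev["records"] if t == "CWD"), "/")
        if syscall is None or syscall.get("success") != "yes":
            continue  # failed or incomplete event cannot have created anything
        for rtype, f in ev["records"]:
            if rtype != "PATH" or f.get("nametype") != "CREATE":
                continue
            name = f.get("name", "")
            full = os.path.normpath(name if name.startswith("/") else os.path.join(cwd, name))
            if full == target:
                hits.append({
                    "serial": serial,
                    "time": ev["ts"],
                    "pid": syscall.get("pid"),
                    "ppid": syscall.get("ppid"),
                    "exe": syscall.get("exe"),
                    "comm": syscall.get("comm"),
                    "uid": syscall.get("uid"),
                    "auid": syscall.get("auid"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_creators(SAMPLE_AUDIT_LOG, "/etc/rc.d/rc.bogus"):
        print(f"{hit['time']:.3f} serial={hit['serial']} pid={hit['pid']} "
              f"ppid={hit['ppid']} uid={hit['uid']} exe={hit['exe']}")
    if not find_creators(SAMPLE_AUDIT_LOG, "/etc/rc.d/rc.other"):
        print("rc.other: no CREATE record; file predates the watch or was not audited")
```

On a live box the equivalent is `auditctl -w /etc/rc.d -p wa -k rkwatch` followed by `ausearch -k rkwatch -i` once the file reappears; the `-i` flag decodes uids and syscall numbers, and `ppid` is the field to chase next, since a dropper is usually spawned by something that was already running (cron, an init script, or the daemon itself).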
Quote:
files/rkhunter?revision=1.508
files/signatures/RKH_iptablex.ldb?revision=1.1
Quote:
Contact Info visibility? I don't know about that one.