turtle rootkit
Clément Lecigne
clemun at gmail.com
Tue Aug 30 10:17:21 UTC 2011
Hi,
2011/8/30 Zoran Kolic <zkolic at sbb.rs>:
> Someone has seen an article on this on PacketStormSecurity?
> http://packetstorm.unixteacher.org/UNIX/penetration/rootkits/Turtle2.tar.gz
> Best regards all
What do you want? It's just a basic rootkit that hooks some specific
entries inside the sysent table. It can be detected by checking if a
device /dev/turtle2dev exists, or by sending an ICMP echo request with
a payload starting with a double '_': if the rootkit is loaded, no reply
will be returned.
[root at clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): No such file or directory
Warning: can't disable memory paging!
--- 127.0.0.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
These tricks can be implemented inside rkhunter and/or chkrootkit.
Best regards,
--
Clément LECIGNE,
"In Python, how do you create a string of random characters? Read a Perl file!"
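The two checks described in the post, as an added example that is not code from the post, from Turtle2 or from rkhunter/chkrootkit: look for the /dev/turtle2dev node, then send one ICMP echo request with a plain payload as a control and one whose payload starts with "__", and treat a suppressed reply as suspicious only when the control was answered (otherwise a firewalled or down host would look like a loaded rootkit). The ICMP messages are built and parsed by hand over a raw socket, so echo_answered() needs root; the function names, the verdict strings and the payloads are my own choices, not part of the rootkit or the original post.

```python
"""Turtle2 detection probes (added example):
 1. is the device node /dev/turtle2dev present?
 2. does the host answer a plain ICMP echo but not one whose payload
    starts with "__"?
"""
import os
import socket
import struct
import time


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, odd tail zero-padded.
    Over a packet that already carries a valid checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Generic type/code-0 ICMP message with ident, seq and a valid checksum."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident & 0xFFFF, seq & 0xFFFF)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident & 0xFFFF, seq & 0xFFFF) + payload


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_icmp(8, ident, seq, payload)  # type 8 = echo request


def parse_echo_reply(packet: bytes):
    """Return (ident, seq, payload) for a well-formed echo reply, else None.
    Raw sockets hand back the IPv4 header too, so it is skipped via IHL."""
    if len(packet) >= 20 and packet[0] >> 4 == 4:
        packet = packet[(packet[0] & 0x0F) * 4:]
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != 0 or code != 0:          # type 0 = echo reply
        return None
    if icmp_checksum(packet) != 0:           # corrupted or truncated
        return None
    return ident, seq, packet[8:]


def device_present(path: str = "/dev/turtle2dev") -> bool:
    """Check 1: the rootkit's control device (path taken from the post)."""
    return os.path.exists(path)


def echo_answered(host: str, payload: bytes, timeout: float = 1.0) -> bool:
    """Send one echo request and report whether a matching reply came back.
    Requires a raw socket, i.e. root."""
    ident = os.getpid() & 0xFFFF
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_echo_request(ident, 1, payload), (host, 0))
        deadline = time.time() + timeout
        while time.time() < deadline:
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                break
            parsed = parse_echo_reply(data)
            if parsed and parsed[0] == ident and parsed[2] == payload:
                return True
        return False
    finally:
        sock.close()


def turtle2_verdict(device_seen: bool, control_answered: bool, magic_answered: bool) -> str:
    """Combine the observations; the control echo keeps a silent host from
    being reported as infected."""
    if device_seen:
        return "device node present: rootkit likely loaded"
    if not control_answered:
        return "inconclusive: host did not answer a plain echo request"
    if not magic_answered:
        return "suspicious: plain echo answered but '__' payload got no reply"
    return "no indicator"


def run_probes(host: str = "127.0.0.1") -> str:
    """Run both checks against host (hypothetical driver; needs root)."""
    control = echo_answered(host, b"foo")         # constructed plain payload
    magic = echo_answered(host, b"__foo")         # same payload as the hping run
    return turtle2_verdict(device_present(), control, magic)


if __name__ == "__main__":
    print(run_probes())
```

Only the `__`-prefixed probe is what the post describes; the control echo and the combined verdict are additions so that a missing reply is read as evidence only when the same host is known to answer ordinary echo requests.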
More information about the freebsd-security mailing list