Hi,
2011/8/30 Zoran Kolic <zkolic@sbb.rs>:> Someone has seen an article on this on PacketStormSecurity?
> http://packetstorm.unixteacher.org/UNIX/penetration/rootkits/Turtle2.tar.gz
> Best regards all
What do you want? It's just a basic rootkit that hooks some specific
entries inside the sysent table. It can be detected by checking if a
device /dev/turtle2dev exists or by sending an ICMP echo request with
a payload starting with a double '_' and if rootkit is loaded no reply
will be returned.
[root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo"
-1
HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): No such file or directory
Warning: can't disable memory paging!
--- 127.0.0.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
These tricks can be implemented inside rkhunter or/and chkrootkit.
Best regards,
--
Cl?ment LECIGNE,
"In Python, how do you create a string of random characters? Read a Perl
file!"