zk rootkit

Andy Green fedora at warmcat.com
Fri Nov 21 15:50:49 UTC 2003


On Friday 21 November 2003 12:18, Grosswiler Roger wrote:
> Hi guys,
>
> Running chkrootkit on my server lets me know that I have a 'possible
> installation of the zk rootkit' on my server. Does anybody know how I can
> find out about this rootkit, where the files are and what I can do against
> it?

I get the same report here; it's a script problem I believe, not any kind of
backdoor.  Here's the bit of the script:

   # test(1) expression: true when either file exists under ROOTDIR
   if [ -f ${ROOTDIR}usr/bin/run -o -f ${ROOTDIR}etc/sysconfig/console/load.zk ]; then
         echo "Possible ZK rootkit installed"
   fi

Here's what happens when you run that

[agreen at fastcat console]$ /usr/bin/run -o -f /etc/sysconfig/console/load.zk
/usr/bin/run: invalid option -- o

Here's what's in the bad place

[agreen at fastcat audio]$ cd /etc/sysconfig/console
[agreen at fastcat console]$ ll
total 0

Here's where run implies there IS no -o option

[agreen at fastcat console]$ /usr/bin/run --help
Usage: run [OPTIONS] { COMMAND [ARGS] | PROCESS_SPECIFIER }
Set scheduling parameters and CPU bias for a new process or a list
of existing processes.

OPTIONS can be one or more of the following options:

   -b, --bias=LIST        Set the CPU bias to the LIST of CPUs;
                          CPUs are numbered starting from 0
   -s, --policy=POLICY    Set the scheduling policy to POLICY
                          (SCHED_OTHER, SCHED_RR or SCHED_FIFO)
   -P, --priority=LEVEL   Set the scheduling priority to LEVEL;
                          SCHED_FIFO and SCHED_RR range: 1 to 99
                          SCHED_OTHER: only priority 0 is valid
   -q, --quantum=QUANTUM  Set the SCHED_RR quantum to QUANTUM;
                          use --quantum=list for valid settings
   -N, --negate           Negate the CPU bias list; all CPUs
                          except those listed will be selected
   -f, --fork             Fork COMMAND and return immediately
   -c, --copies=COUNT     Run COUNT identical copies of COMMAND
   -i, --info             Output process environment information
   -V, --version          Output version information and exit
   -v, --verbose          Output information before each action
   -h, --help             Display this help and exit

PROCESS_SPECIFIER is exactly one of the following options:

   -p, --pid=LIST         Specify LIST of existing PIDs to modify
   -g, --group=LIST       Specify LIST of process groups to modify; all
                          existing processes in the groups will be modified
   -u, --user=LIST        Specify LIST of users to modify; all existing
                          processes owned by the users will be modified
   -n, --name=LIST        Specify LIST of existing process names to modify

Multiple comma separated values can be specified for all LISTs and ranges
are allowed where appropriate (e.g. "run -b 0,2-5 autopilot").

See the run(1) man page for more information.
[agreen at fastcat console]$
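As an added illustration (not part of Andy's mail, nor code from chkrootkit itself), the script below reproduces chkrootkit's ZK file test against a ROOTDIR and then triages each hit with rpm -qf / rpm -V, which is how to tell a package-owned /usr/bin/run from an unexpected one on a Fedora box. The demo function builds a throwaway fake root with a constructed empty file, and rpm is only consulted when it is present.

```shell
#!/bin/sh
# Added example (not from the mail or chkrootkit): chkrootkit's ZK test plus RPM triage.
# Same test(1) expression chkrootkit uses: true if either path exists.
# ROOTDIR must end in "/" (chkrootkit's convention); "/" means the live system.
zk_files_present() {
    rootdir="$1"
    [ -f "${rootdir}usr/bin/run" -o -f "${rootdir}etc/sysconfig/console/load.zk" ]
}

# Print the paths that triggered the test, one per line.
zk_hits() {
    rootdir="$1"
    for rel in usr/bin/run etc/sysconfig/console/load.zk; do
        [ -f "${rootdir}${rel}" ] && printf '%s\n' "${rootdir}${rel}"
    done
    return 0
}

# Triage one hit on the live system: a file owned by an installed RPM whose
# package still passes rpm -V is a likely false positive; unowned or modified means investigate.
triage_hit() {
    path="$1"
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$path: rpm not available, cannot triage"
        return 2
    fi
    if owner=$(rpm -qf "$path" 2>/dev/null); then
        if rpm -Vf "$path" >/dev/null 2>&1; then
            echo "$path: owned by $owner and verifies (likely false positive)"
            return 0
        fi
        echo "$path: owned by $owner but fails rpm -V (investigate)"
        return 1
    fi
    echo "$path: not owned by any package (investigate)"
    return 1
}

# Demo on a constructed throwaway root so the script runs anywhere.
demo_zk_check() {
    fake=$(mktemp -d)
    mkdir -p "$fake/usr/bin"
    : > "$fake/usr/bin/run"   # constructed: empty file named like the scheduling tool
    if zk_files_present "$fake/"; then
        echo "Possible ZK rootkit installed (chkrootkit logic) under $fake/"
        zk_hits "$fake/"
    fi
    rm -rf "$fake"
}
demo_zk_check
```

On a real system, run `zk_hits /` and feed each line to `triage_hit` to see whether the hit is a package-owned file.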
