gogusan Posted July 16, 2011 (edited)

Download: Ncom Libcall Hijacking Rootkit - Packet Storm

For every incoming connection on any port, the source port is checked. If it is in the 61001 - 61010 range, the connection is taken over by the rootkit. Upon taking over, the rootkit asks for a password ("kaka", in this specific case), and then drops a root shell:

This rootkit can be hard to detect, as it requires the attacker to be doing something on the system at the very moment you’re checking in order to be detected by normal means (see: unhide, rkhunter, chkrootkit, etc).

This way of backdooring is very smart, because any open port can be used to access the rootkit.

Unlike other notable examples (such as suckit), a firewall wouldn’t deny the attacker access to the rooted box.

Read the documentation. Very interesting.

Edited July 16, 2011 by gogusan
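The source-port trigger described in the post gives defenders one network-side lead: inbound connections to a listening service whose remote port is in 61001-61010. The following is an added example, not part of the original post or of the rootkit's documentation; the function names, the `ss -tn` style sample and the listening-port set are assumptions made for illustration. A hit is only a lead, since a legitimate client whose ephemeral range covers these ports will produce the same pattern.

```python
# Added example: flag inbound TCP connections whose remote source port
# falls in the range the post describes (61001-61010).
TRIGGER_PORTS = range(61001, 61011)  # range quoted in the post

# Constructed sample in `ss -tn` layout; addresses are documentation ranges.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.0.2.10:22        198.51.100.7:61004
ESTAB  0      0      192.0.2.10:80        203.0.113.5:51234
ESTAB  0      0      [2001:db8::1]:443    [2001:db8::99]:61010
ESTAB  0      0      192.0.2.10:48222     203.0.113.9:61001
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def find_trigger_connections(ss_output, listening_ports):
    """Return (local_port, peer_addr, peer_port) for inbound hits."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or malformed line
        try:
            _, local_port = split_endpoint(fields[3])
            peer_addr, peer_port = split_endpoint(fields[4])
        except ValueError:
            continue  # port column was not numeric (e.g. '*')
        # Only inbound connections matter: the local side is a listening service.
        if local_port in listening_ports and peer_port in TRIGGER_PORTS:
            hits.append((local_port, peer_addr, peer_port))
    return hits

if __name__ == "__main__":
    for hit in find_trigger_connections(SAMPLE_SS, {22, 80, 443}):
        print("review: local port %d <- %s:%d" % hit)
```

Because the post notes the attacker must be active at the moment of checking, the same filter is more useful when run over connection records collected continuously off the host than over a single snapshot.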