Hi,

2011/8/30 Zoran Kolic <zkolic@sbb.rs>:
> Someone has seen an article on this on PacketStormSecurity?
> http://packetstorm.unixteacher.org/UNIX/penetration/rootkits/Turtle2.tar.gz
> Best regards all

What do you want? It's just a basic rootkit that hooks some specific entries inside the sysent table.

It can be detected by checking if a device /dev/turtle2dev exists, or by sending an ICMP echo request with a payload starting with a double '_': if the rootkit is loaded, no reply will be returned.

[root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): No such file or directory
Warning: can't disable memory paging!

--- 127.0.0.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss

These tricks can be implemented inside rkhunter and/or chkrootkit.

Best regards,

-- 
Clément LECIGNE, "In Python, how do you create a string of random characters? Read a Perl file!"
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
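The two indicators described in the message, as an added detection example that is not part of the original post or of rkhunter/chkrootkit. Only the device path /dev/turtle2dev and the "__" payload convention come from the message; the ICMP identifier, the timeout and the function names are assumptions, and the probe itself needs a raw socket (root) while the packet builder and device check run offline.

```python
import os
import socket
import struct

TURTLE2_DEVICE = "/dev/turtle2dev"   # device node named in the post
PROBE_PAYLOAD = b"__foo"             # payload starting with a double '_'


def device_present(path=TURTLE2_DEVICE):
    """Indicator 1: the rootkit's device node exists under /dev."""
    return os.path.exists(path)


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload, ident=0x5452, seq=1):
    """ICMP echo request (type 8) with the payload placed directly after the
    8-byte header, which is where hping -e puts its signature.  The
    identifier 0x5452 is a constructed value."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def echo_answered(target="127.0.0.1", payload=PROBE_PAYLOAD, timeout=2.0):
    """Indicator 2: send one echo request and report whether a matching
    reply arrives.  Requires CAP_NET_RAW / root for the raw socket."""
    ident = 0x5452
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as s:
        s.settimeout(timeout)
        s.sendto(build_echo_request(payload, ident), (target, 0))
        try:
            while True:
                data, _ = s.recvfrom(2048)
                icmp = data[(data[0] & 0x0F) * 4:]   # skip the IPv4 header
                # type 0 = echo reply; match on our identifier and payload
                if icmp[0] == 0 and icmp[4:6] == struct.pack("!H", ident):
                    return icmp[8:] == payload
        except socket.timeout:
            return False


def turtle2_indicators(target="127.0.0.1"):
    """Both checks; a plain payload is sent first so a host that answers no
    echo at all is not mistaken for a suppressed '__' probe."""
    baseline = echo_answered(target, b"foo")
    return {"device_node": device_present(),
            "icmp_probe_suppressed": baseline and not echo_answered(target)}
```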