
Flea Rootkit


IMPORTANT: This rootkit ships with its source code, and the binaries are compiled on the target system, so it will most probably run on any Linux distribution without segmentation faults. The installation script does not reset the timestamps of the files it replaces, so checking the last-modified dates of those files is one way to detect the replacement.

Symptoms


  • When you run a hijacked command you may or may not get this error:
    sh: /usr/lib/ldlibps.so: No such file or directory
  • It is possible that you never see the above error at all. :(

    Confirm the presence of Flea

  • Look for /usr/lib/ldlibps.so
  • Look for /usr/lib/ldlibns.so
  • Look for /usr/lib/ldlibpst.so
  • Look for /usr/lib/ldlibdu.so
  • Look for /lib/security/.config/ssh/

    Finding any of these is enough evidence.

    Full Flea Fingerprints

    Advanced users: see the full installation script of the Flea rootkit
    and the list of files included in the original rootkit.
    It replaces these command files:
    /bin/ps
    /bin/netstat
    /usr/bin/pstree
    /usr/bin/locate
    /usr/bin/slocate
    /bin/login

    It adds these files: your original binaries are saved under /usr/lib/ with new names
    /bin/ps as /usr/lib/ldlibps.so
    /bin/netstat as /usr/lib/ldlibns.so
    /usr/bin/pstree as /usr/lib/ldlibpst.so
    /usr/bin/du as /usr/lib/ldlibdu.so
    /usr/bin/slocate as /usr/lib/ldlibct.so
    Configuration files for the trojanized SSH daemon are saved under
    /lib/security/.config/ssh/
    /lib/security/.config/ssh/ssh_host_key
    /lib/security/.config/ssh/ssh_host_key.pub
    /lib/security/.config/ssh/ssh_random_seed
    /lib/security/.config/ssh/sshd_config

    An SSH daemon is placed at /usr/bin/ssh2d

    /etc/rc.d/rc.sysinit is modified to start ssh2d on boot

    Unlike shv4 and tornkit, the binaries of this rootkit do not read any external file at run time to obtain the list of files and processes to hide. That list must be specified in header files included in the rootkit before compilation, so it is compiled into the trojanized binaries.
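The fingerprints above can be turned into a quick checker. The script below is an added example written for this page, not part of the rootkit or of the original page. It takes an optional ROOT prefix (an assumption made here so that a mounted disk image or a constructed test tree can be scanned instead of the live system), looks for the added files, checks rc.sysinit for ssh2d, and compares the mtimes of the replaced commands against a reference binary the rootkit does not touch (/bin/ls is assumed as the default reference).

```bash
#!/bin/bash
# Added example (not from the original page or the rootkit): a checker for
# the Flea indicators listed above. ROOT is a filesystem prefix so an offline
# image (or a test tree) can be scanned; empty ROOT means the live system.

# Files Flea adds: relocated originals under /usr/lib, the hidden sshd
# config directory, and the ssh2d daemon.
flea_indicators() {
    cat <<'EOF'
/usr/lib/ldlibps.so
/usr/lib/ldlibns.so
/usr/lib/ldlibpst.so
/usr/lib/ldlibdu.so
/usr/lib/ldlibct.so
/lib/security/.config/ssh
/usr/bin/ssh2d
EOF
}

# Commands the page lists as replaced by trojanized copies.
flea_replaced_commands() {
    cat <<'EOF'
/bin/ps
/bin/netstat
/usr/bin/pstree
/usr/bin/locate
/usr/bin/slocate
/bin/login
EOF
}

# Print every indicator present under ROOT; return 0 if at least one exists.
flea_check_files() {
    local root="${1:-}" found=0 p
    for p in $(flea_indicators); do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            found=1
        fi
    done
    [ "$found" -eq 1 ]
}

# Return 0 if rc.sysinit under ROOT references ssh2d.
flea_check_sysinit() {
    local f="${1:-}/etc/rc.d/rc.sysinit"
    [ -f "$f" ] && grep -q 'ssh2d' "$f"
}

# Flea's installer does not reset mtimes, so a replaced command is normally
# newer than a binary from the same package set that Flea leaves alone.
# REF (default /bin/ls, an assumption) is that reference. Return 0 if any
# replaced command is newer than REF. An attacker can still fix mtimes with
# touch, so a clean result here is weak evidence; a hit is strong evidence.
flea_check_mtimes() {
    local root="${1:-}" ref="${2:-/bin/ls}" suspicious=0 cmd f
    for cmd in $(flea_replaced_commands); do
        f="$root$cmd"
        [ -f "$f" ] || continue
        if [ "$f" -nt "$root$ref" ]; then
            echo "NEWER than $ref: $f (check with: ls -l $f)"
            suspicious=1
        fi
    done
    [ "$suspicious" -eq 1 ]
}

# Usage: ./flea-check.sh scan [ROOT]
if [ "${1:-}" = "scan" ]; then
    root="${2:-}"
    rc=0
    flea_check_files "$root" && rc=1
    flea_check_sysinit "$root" && { echo "FOUND: ssh2d in $root/etc/rc.d/rc.sysinit"; rc=1; }
    flea_check_mtimes "$root" && rc=1
    [ "$rc" -eq 0 ] && echo "no Flea indicators found under '${root:-/}'"
    exit "$rc"
fi
```

Run it from a known-clean shell and, ideally, from a rescue system with the suspect disk mounted under a prefix, because on a live infected host the replaced /bin/ps and friends are exactly the tools you would otherwise trust; the file-existence checks use only the shell's test builtin and grep, which Flea does not list as replaced.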

    All trademarks are property of their respective owners.
    All rights reserved 2003-2007, Openpages.info, Multan, Pakistan