Re: Is this a compromise and how?

From: Igmar Palsenberg (maillist@chello.nl)
Date: Thu Dec 14 2000 - 09:49:00 EST


> Pretty cool huh?
>
> Let me know if you would like a copy of the code.
>
> A quick strace shows that it binds to port 24000.
>
> It also contains a list of 5 IP addrs. I suspect it doesn't
> broadcast, but allows people in from those IPs.
>
> Anyone know what has happened? I religiously install the redhat
> updates, and am subscribed to the CERT advisories and install
> the fixes the moment I get them.
>
> The system was RedHat 6.2, linux 2.2.17pre14 at the time the
> break-in occurred.
>
> I've been running firewalled with only services I provide turned
> on for access, and in /etc/inetd.conf.
>
> What is keeping strlib.h from appearing in ls's output? A hacked ls command?

Yep. Looks like a rootkit to me.

        Igmar
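Two checks a responder would run on a box like the one described above, as an added example (Python, written for this page; it is not code from the thread and is not tied to any particular rootkit): compare what the installed ls prints against what the kernel's getdents returns through os.listdir, to catch a replaced ls binary that drops names such as strlib.h, and read listeners straight out of /proc/net/tcp, where port 24000 appears as hex 5DC0, so a replaced netstat cannot hide the backdoor. The /proc/net/tcp text and the directory contents are constructed for the demonstration; the function names are this example's own.

```python
import os
import subprocess
import tempfile

# Constructed sample of /proc/net/tcp (not captured from a real host).
# Columns: sl, local_address, rem_address, st, ...; local_address is
# "<hex IPv4, little-endian>:<hex port>" and st 0A means LISTEN.
# Row 2 is a listener on 0.0.0.0:24000 (0x5DC0), the backdoor port from the thread.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 00000000 100 0 0 10 0
   2: 00000000:5DC0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 00000000 100 0 0 10 0
   3: 0F02000A:0016 0102000A:C3F2 01 00000000:00000000 02:000A7B9E 00000000     0        0 1004 2 00000000 20 4 30 10 -1
"""

LISTEN = "0A"


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state) for every socket row in /proc/net/tcp text."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints the IPv4 address as one little-endian 32-bit value,
        # so 0100007F is 127.0.0.1: read the byte pairs back to front.
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        rows.append((".".join(str(o) for o in octets), int(port_hex, 16), fields[3]))
    return rows


def listening_ports(text):
    """Sorted TCP ports in LISTEN state, taken from the kernel table, not from netstat."""
    return sorted({port for _ip, port, state in parse_proc_net_tcp(text) if state == LISTEN})


def live_listening_ports():
    """Same check against the running kernel (Linux only)."""
    with open("/proc/net/tcp") as f:
        return listening_ports(f.read())


def hidden_entries(directory, ls_output):
    """Names that getdents (via os.listdir) reports but the given `ls -a1` output omits."""
    shown = set(ls_output.splitlines())
    kernel_view = set(os.listdir(directory)) | {".", ".."}  # ls -a shows these two as well
    return sorted(kernel_view - shown)


def audit_with_system_ls(directory):
    """Run the installed ls and diff its listing against what the kernel returns."""
    out = subprocess.run(["ls", "-a1", directory], capture_output=True,
                         text=True, check=True).stdout
    return hidden_entries(directory, out)


def demo_trojaned_ls():
    """Stage a directory with a planted strlib.h and feed hidden_entries an ls
    listing that omits it, the way a rootkit's replaced ls would. Returns the
    names the fake ls hid, and the result of the same audit with the real ls."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("Makefile", "strlib.h", "main.c"):
            open(os.path.join(d, name), "w").close()
        faked_listing = "\n".join([".", "..", "Makefile", "main.c"]) + "\n"
        return hidden_entries(d, faked_listing), audit_with_system_ls(d)


if __name__ == "__main__":
    print("listeners in sample table:", listening_ports(SAMPLE_PROC_NET_TCP))
    hidden_by_fake, hidden_by_real = demo_trojaned_ls()
    print("names the fake ls hid:", hidden_by_fake)
    print("names the installed ls hides:", hidden_by_real)
```

The directory comparison only catches a replaced ls binary, which is what a 2000-era user-space rootkit did. An LD_PRELOAD hook or a kernel module lies to os.listdir and to /proc/net/tcp just as readily, so on a box you already suspect, run both checks (and rpm -Va) from a known-clean boot medium rather than from the compromised install.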

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Fri Dec 15 2000 - 21:00:29 EST