Security Incidents mailing list archives

rooted with lots of files in /dev/sdc0/.nfs01


From: jeff.macdonald () VIRTUALBUILDER COM (Jeff Macdonald)
Date: Wed, 23 Feb 2000 21:49:47 -0500


Has anyone seen this?

Some files of interest:

[root@hacked .nfs01]# ls
amdex             ssh_config        sshbd.tgz         t0rnparse
rpcscan           ssh_host_key      sshconfig.tgz     t0rnsniff
sauber            ssh_host_key.pub  sshd
ssh               ssh_random_seed   sshd_config

Also, ps showed the programs scan and z0ne. But doing a find for those
files turned up no results, even after replacing find. However, after
rebooting, find found the files.

So this leads me to believe that there was also a kernel module hiding
searches for scan and z0ne.
To top things off, /etc/rc.d/rc.sysinit was appended with this:

#Inetd startup
if [ -x /usr/sbin/in.inetd ]; then
     /usr/sbin/in.inetd -s
fi

which was listening on port 511. A strings shows this string of interest:

leeto's socket demon, v1.0 (c) spam 1998.

So, does anyone know what the kernel module name might be?
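
Added example, not part of the original post: a cross-view check for the symptom described above, where ps shows running programs that a directory search cannot find. It compares each /proc/PID/exe target with a listing of its parent directory. The function names are made up for this example, and it assumes the hiding mechanism filters directory listings but not /proc/PID/exe, and that it is run as root with tools from known-good media.

```shell
#!/bin/sh
# Cross-view check: the process table names a binary, the directory
# listing does not show it. Function names are hypothetical.

# listed_in_dir PATH
# Succeeds if PATH's basename appears in a listing of its parent directory.
listed_in_dir() {
    dir=$(dirname -- "$1")
    name=$(basename -- "$1")
    ls -A -- "$dir" 2>/dev/null | grep -Fxq -- "$name"
}

# hidden_process_binaries [PROC_ROOT]
# Prints one tab-separated line per suspicious process:
#   hidden   PID  PATH   exe target is absent from its directory listing
#   deleted  PID  PATH   kernel reports the binary was unlinked while running
hidden_process_binaries() {
    proc_root=${1:-/proc}
    suffix=' (deleted)'
    for exe in "$proc_root"/[0-9]*/exe; do
        [ -L "$exe" ] || continue
        # Kernel threads and processes we may not inspect have no readable target.
        target=$(readlink "$exe" 2>/dev/null) || continue
        [ -n "$target" ] || continue
        pid=${exe%/exe}
        pid=${pid##*/}
        case $target in
            *"$suffix")
                printf 'deleted\t%s\t%s\n' "$pid" "${target%"$suffix"}"
                continue
                ;;
        esac
        listed_in_dir "$target" || printf 'hidden\t%s\t%s\n' "$pid" "$target"
    done
    return 0
}

# Run against the live system only when asked: sh crossview.sh --scan [PROC_ROOT]
if [ "${1:-}" = "--scan" ]; then
    hidden_process_binaries "${2:-/proc}"
fi
```

A "hidden" line on a live host that disappears after booting from clean media matches the behaviour reported in the post, where find only located the files after a reboot.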

