Security Incidents mailing list archives
rooted with lots of files in /dev/sdc0/.nfs01
From: jeff.macdonald () VIRTUALBUILDER COM (Jeff Macdonald)
Date: Wed, 23 Feb 2000 21:49:47 -0500
Has anyone seen this? Some files of interest:

    [root@hacked .nfs01]# ls
    amdex    ssh_config        sshbd.tgz      t0rnparse
    rpcscan  ssh_host_key      sshconfig.tgz  t0rnsniff
    sauber   ssh_host_key.pub  sshd
    ssh      ssh_random_seed   sshd_config

Also, ps showed the programs scan and z0ne. But doing a find for those files turned up no results, even after replacing find. However, after rebooting, find found the files. So this leads me to believe that there was also a kernel module hiding searches for scan and z0ne.

To top things off, /etc/rc.d/rc.sysinit was appended with this:

    #Inetd startup
    if [ -x /usr/sbin/in.inetd ]; then
        /usr/sbin/in.inetd -s
    fi

which was listening on port 511. A strings shows this string of interest: leeto's socket demon, v1.0 (c) spam 1998.

So, does anyone know what the kernel module name might be?
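
The mismatch described in the post (ps lists scan and z0ne, find cannot see their files) can be checked for systematically with a cross-view comparison. The sketch below is an added example, not part of the original post: it compares each running process's executable path with what enumerating its parent directory returns. The pids and the exact paths of scan and z0ne in the sample data are assumptions made for illustration.

```python
import os

def parent_listing(directory):
    """Names returned when the directory is enumerated (the view ls and find get)."""
    try:
        return set(os.listdir(directory))
    except OSError:
        return None  # directory missing or unreadable

def live_process_exes(proc="/proc"):
    """Map pid -> executable path via /proc/<pid>/exe (Linux; root needed for all pids)."""
    exes = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                exes[int(entry)] = os.readlink(os.path.join(proc, entry, "exe"))
            except OSError:
                pass  # kernel thread, exited process, or no permission
    return exes

def cross_view(exes, list_dir=parent_listing):
    """Return (pid, path, reason) for executables missing from their directory listing."""
    findings = []
    for pid, path in sorted(exes.items()):
        if path.endswith(" (deleted)"):
            findings.append((pid, path, "unlinked while running"))
            continue
        names = list_dir(os.path.dirname(path))
        if names is None:
            findings.append((pid, path, "parent directory not listable"))
        elif os.path.basename(path) not in names:
            findings.append((pid, path, "running but not in directory listing"))
    return findings

# Constructed sample data: process and file names come from the post; the pids
# and the location of scan/z0ne under .nfs01 are assumed for illustration.
SAMPLE_EXES = {1: "/sbin/init", 4211: "/dev/sdc0/.nfs01/scan",
               4212: "/dev/sdc0/.nfs01/z0ne", 4300: "/tmp/x (deleted)"}
SAMPLE_DIRS = {"/sbin": {"init"},
               "/dev/sdc0/.nfs01": {"amdex", "rpcscan", "sshd", "t0rnsniff"}}

def sample_findings():
    return cross_view(SAMPLE_EXES, lambda d: SAMPLE_DIRS.get(d))

if __name__ == "__main__":
    for pid, path, reason in cross_view(live_process_exes()):
        print(pid, path, reason)
```

This only helps while the hiding code leaves the process table visible, as it did here; processes in other mount namespaces (containers, chroots) will also show up and need to be ruled out by hand.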
Current thread:
- rooted with lots of files in /dev/sdc0/.nfs01 Jeff Macdonald (Feb 23)
- Slow scan on port 109 (pop2/kpop) Keith Owens (Feb 24)
- just how much sunrpc scanning is normal? Jon Burdge (Feb 24)
- Re: just how much sunrpc scanning is normal? Missouri FreeNet Administration (Feb 25)
- Re: just how much sunrpc scanning is normal? Jon Lewis (Feb 25)
- Re: just how much sunrpc scanning is normal? Nathan Nichols (Feb 25)
- Re: just how much sunrpc scanning is normal? Chris Brenton (Feb 26)
- Re: rooted with lots of files in /dev/sdc0/.nfs01 Ken Lyon (Feb 24)
- Re: rooted with lots of files in /dev/sdc0/.nfs01 Marianovich Felix (Feb 25)