Security Incidents mailing list archives
what is this ?
From: Roberto <cinini () TERRA ES>
Date: Sat, 18 Nov 2000 15:40:37 -0000
Hello list,

My Linux server running Red Hat 6.2 was compromised a few months ago (statd, I think). I was only notified recently because there was some scanning going on from there. Here is the info:

    dir : /lib/ldsyst.so = tkprs tksnf tksb system
    dir : /dev/tlpm = 234345 (which has my root password)
    dir : /lib/ldlip.tk = shdcf shhk shhk.pub shrs

There is an ssh process listening on port 47016 and it is behind ssh 1.2.26. It was hidden as /usr/sbin/lpdq.

I have checked these files with strings name | grep / and have found nothing:

    dir find in.fingerd ls netstat pstree syslogd ifconfig login lsof passwd top su locate

I ran chkrootkit from packetstorm and this is the only strange thing it gives me:

    Checking `ifconfig'...INFECTED
    Checking `sniffer'...
    eth0 is PROMISC
    eth1 is not promisc
    Checking `lkm'...You have 5 process hidden for ps command
    Warning: Possible LKM Trojan instaled

Any idea?

Many thanks,
---
Roberto