Security Incidents mailing list archives
What is this?
From: "Miller, William T DISC4/Sytex" <William.Miller () HQDA ARMY MIL>
Date: Tue, 21 Nov 2000 08:33:08 -0500
Looks like t0rn. I have just finished a white paper on t0rn and what to look for. Although, it does look like you have a modified version of t0rn. When the paper is published I will forward a link to the list.

Toby

Hello list,

my linux server running redhat 6.2 was made behind compromised few month ago (statd i think). I was only notified recently because there was some scanning going on from there. Here is info:

dir : /lib/ldsyst.so = tkprs tksnf tksb system
dir : /dev/tlpm = 234345 (which have my root password)
dir : /lib/ldlip.tk = shdcf shhk shhk.pub shrs

There is ssh process listening on port 47016 and is behind ssh 1.2.26. It was hidden as /usr/sbin/lpdq.

I have checked this files with strings name | grep / and have found nothing:

dir find in.fingerd ls netstat pstree syslogd ifconfig login lsof passwd top su locate

I run chkrootkit from packetstorm and this is only strange thing it give me:

Checking `ifconfig'...INFECTED
Checking `sniffer'...
eth0 is PROMISC
eth1 is not promisc
Checking `lkm'...You have 5 process hidden for ps command
Warning: Possible LKM Trojan instaled

Any idea?

Many thanks,
--- Roberto
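
A sweep for the artifacts listed in the message above, as an added example that is not part of the original posts. It assumes the suspect disk is mounted read-only on a trusted analysis host (so that host's own find and awk are used) and that a copy of /proc/net/tcp was saved from the machine; the function names are hypothetical, and the /dev regular-file check goes beyond the named paths to catch renamed variants.

```shell
#!/bin/bash
# Added example, not from the original posts. Indicator values are the ones
# the poster reported; function names are hypothetical.
IOC_PATHS="lib/ldsyst.so dev/tlpm lib/ldlip.tk usr/sbin/lpdq"
IOC_PORT=47016

# Print every reported indicator path that exists under the image root $1.
scan_root() {
    root=${1%/}
    for p in $IOC_PATHS; do
        if [ -e "$root/$p" ] || [ -L "$root/$p" ]; then
            echo "$p"
        fi
    done
}

# Heuristic for renamed variants: regular files under /dev, where a static
# /dev normally holds only device nodes, links and the MAKEDEV script.
dev_regular_files() {
    root=${1%/}
    [ -d "$root/dev" ] || return 0
    (cd "$root" && find dev -type f ! -name MAKEDEV | sort)
}

# Count LISTEN sockets (state 0A) on port $2 in a /proc/net/tcp-format file $1.
port_listening() {
    hex=$(printf '%04X' "$2")
    awk -v want="$hex" 'NR > 1 { split($2, a, ":")
        if (a[2] == want && $4 == "0A") n++ } END { print n + 0 }' "$1"
}

# Constructed sample: a throwaway tree and socket table mimicking the report.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/ldsyst.so" "$d/dev/tlpm" "$d/usr/sbin"
    : > "$d/dev/tlpm/234345"
    : > "$d/usr/sbin/lpdq"
    {
        echo "  sl  local_address rem_address   st"
        echo "   0: 00000000:B7A8 00000000:0000 0A"
        echo "   1: 00000000:0016 00000000:0000 0A"
    } > "$d/tcp.txt"
    echo "$d"
}

if [ $# -eq 1 ]; then          # usage: script /mnt/image
    scan_root "$1"
    dev_regular_files "$1"
fi
```

A socket table read on the live host is only as trustworthy as its kernel, which matters here because chkrootkit flagged a possible LKM.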