Security Incidents mailing list archives



From: "Miller, William T DISC4/Sytex" <William.Miller () HQDA ARMY MIL>
Date: Tue, 21 Nov 2000 08:33:08 -0500

Looks like t0rn. I have just finished a white paper on t0rn and what to look
for. Although, it does look like you have a modified version of t0rn. When
the paper is published I will forward a link to the list.

        
Toby



Hello list,
my Linux server running Red Hat 6.2 was
compromised a few months ago (statd, I think).. I was
only notified recently because there was some
scanning going on from there.

here is info..

dir : /lib/ldsyst.so =
tkprs    tksnf    tksb  system

dir : /dev/tlpm =
234345 (which has my root password)

dir : /lib/ldlip.tk =
shdcf     shhk      shhk.pub  shrs

there is an ssh process listening on port 47016 and is
behind ssh 1.2.26.. it was hidden as /usr/sbin/lpdq.

I have checked these files with strings name | grep /
and have found nothing..

dir  find  in.fingerd  ls  netstat  pstree   syslogd
ifconfig  login   lsof  passwd  top  su   locate


I ran chkrootkit from packetstorm and this is the only
strange thing it gives me ...

Checking `ifconfig'...INFECTED

Checking `sniffer'...
eth0 is PROMISC
eth1 is not promisc

Checking `lkm'...You have     5 process hidden for ps
command Warning: Possible LKM Trojan instaled

Any idea?


Many thanks,
--- Roberto
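
The paths and the port reported in this thread, written as a sweep that can be run from trusted media against a read-only mount of the disk and a saved netstat listing, rather than with the compromised host's own tools. This is an added example, not part of the original posts; the function names and the mount-point and listing arguments are assumptions.

```shell
#!/bin/sh
# Added example: indicator sweep built from the values in this thread.
# Function names and arguments are hypothetical; paths and port are
# the ones reported in the post.

# Directories, the password log and the renamed sshd from the post.
IOC_PATHS="/lib/ldsyst.so /dev/tlpm /dev/tlpm/234345 /lib/ldlip.tk /usr/sbin/lpdq"
# Port the hidden ssh daemon was listening on.
IOC_PORT=47016

# scan_paths ROOT
# ROOT is the mount point of the suspect filesystem (e.g. a disk image
# mounted read-only on an analysis machine). Prints one line per
# indicator present; returns 0 if at least one was found, 1 otherwise.
scan_paths() {
    root=${1%/}
    status=1
    for p in $IOC_PATHS; do
        # -e follows symlinks, -L also catches dangling ones
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            echo "FOUND $p"
            status=0
        fi
    done
    return $status
}

# scan_listeners FILE
# FILE holds saved `netstat -an` style output, captured with a binary
# that did not come from the suspect disk. Prints matching listeners;
# returns 0 if the port is in LISTEN state, 1 otherwise.
scan_listeners() {
    awk -v port="$IOC_PORT" '
        $NF == "LISTEN" && $4 ~ (":" port "$") { print "LISTEN " $4; hit = 1 }
        END { exit !hit }
    ' "$1"
}
```

Source the file and call `scan_paths /mnt/evidence` and `scan_listeners netstat.txt`; a kernel module that hides processes can also hide sockets, so a clean listing is worth confirming with a port scan from another machine.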

