Security Incidents mailing list archives
Linux - Possible trojan or other? (fwd)
From: Hal Flynn <flynn () SECURITYFOCUS COM>
Date: Mon, 18 Dec 2000 11:49:08 -0800
----------------- Original message (ID=8A207993) (40 lines) -------------------
Return-Path: <owner-focus-linux () securityfocus com>
Delivered-To: focus-linux () lists securityfocus com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
    by lists.securityfocus.com (Postfix) with SMTP id E4F3624C5A5
    for <focus-linux () lists securityfocus com>; Mon, 18 Dec 2000 11:30:45 -0800 (PST)
Received: (qmail 22534 invoked by alias); 18 Dec 2000 19:30:44 -0000
Delivered-To: Focus-Linux () SECURITYFOCUS COM
Received: (qmail 22528 invoked from network); 18 Dec 2000 19:30:44 -0000
Received: from unknown (HELO ns1.savernake.com) (194.202.204.1)
    by mail.securityfocus.com with SMTP; 18 Dec 2000 19:30:44 -0000
Received: from mail-exchange-1.savernake.com (mail-exchange-1.savernake.com [194.202.204.65])
    by ns1.savernake.com (8.9.3/8.8.7) with ESMTP id TAA01160
    for <Focus-Linux () SECURITYFOCUS COM>; Mon, 18 Dec 2000 19:34:46 GMT
Received: by mail-exchange-1.savernake.com with Internet Mail Service (5.5.2650.21)
    id <YZCYPR5G>; Mon, 18 Dec 2000 19:25:35 -0000
Message-ID: <A19B90E923EDD311A2470008C7D21F5024EC69 () mail-exchange-1 savernake com>
From: Mark Armitage <mark.armitage () savernake com>
To: "'Focus-Linux () SECURITYFOCUS COM'" <Focus-Linux () SECURITYFOCUS COM>
Subject: Linux - Possible trojan or other?
Date: Mon, 18 Dec 2000 19:25:32 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"

I have found a set of replacement files and scripts in /usr/man/man1/m1x on one of my Linux boxes (Red Hat 6.0): a replacement for in.idnetd, ps, cplogd, tcpdmatch, tcpdchk, tcpd, named, and klogd, and some scripts which respawn tcplogd and make it appear as [httpd] /n tcplogd in a ps -x listing. This machine was investigated for sending out large quantities of packets onto the network (unknown destinations) periodically.

Any help greatly appreciated. If you would like a tarball of the files, please email me directly.

Mark.
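
A triage check for the kind of hiding place this message describes (a directory of binaries and scripts inside a man section), as an added example that is not part of the original post. The function names and the sample tree are constructed for illustration, and the rule that a man section holds only non-executable page files is an assumption.

```shell
#!/bin/sh
# Added example: flag entries under a man-page tree that do not look like man pages.
# Assumption: a section directory (man1, man3, ...) normally holds only regular,
# non-executable page files, so subdirectories, executables and ELF files stand out.
scan_man_tree() (
    root=$1
    for section in "$root"/man*; do
        [ -d "$section" ] || continue
        # -mindepth 1 skips the section directory itself.
        find "$section" -mindepth 1 \( -type d -o -type f \) -print |
        while IFS= read -r entry; do
            if [ -d "$entry" ]; then
                printf 'DIR   %s\n' "$entry"
                continue
            fi
            # An ELF file starts with the bytes 0x7f 'E' 'L' 'F'.
            magic=$(head -c 4 "$entry" 2>/dev/null | od -An -tx1 | tr -d ' \n')
            if [ "$magic" = "7f454c46" ]; then
                printf 'ELF   %s\n' "$entry"
            elif [ -x "$entry" ]; then
                printf 'EXEC  %s\n' "$entry"
            fi
        done
    done
)

# Constructed sample tree (not taken from the poster's machine): one ordinary
# page, plus a hidden directory with a fake ELF file and an executable script.
make_sample_tree() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/man1/m1x"
    printf '.TH LS 1\n' > "$d/man1/ls.1"
    printf '\177ELFfake' > "$d/man1/m1x/ps"
    printf '#!/bin/sh\n' > "$d/man1/m1x/respawn.sh"
    chmod +x "$d/man1/m1x/respawn.sh"
    printf '%s\n' "$d"
)

sample=$(make_sample_tree) || exit 1
scan_man_tree "$sample"
rm -rf "$sample"
```

On a real host, call `scan_man_tree` on each man root (for example `/usr/man`) using tools from trusted media, since the message reports that `ps` itself had been replaced.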