Security Incidents mailing list archives
Re: New maniac rootkit
From: "Aropalo Tommi" <tommi.aropalo () kolumbus fi>
Date: Fri, 22 Jun 2001 17:18:02 +0300
Look for the file psybnc.conf. There you can find the host they are using to connect to your machine.

USER1.OP.ENTRY= something

There you can find which channels they use and so on.

-Tommi

----- Original Message -----
From: "Chris Huseman" <ChrisH () A-t-g com>
To: "'Andrew Heath'" <ah228 () cornell edu>
Cc: <incidents () securityfocus com>
Sent: Thursday, June 21, 2001 4:28 PM
Subject: RE: New maniac rootkit

-rwxr-xr-x 1 root root 44313 Apr 2 15:24 bnc - Bot Net Client? bnc.conf mentions port 6667
-rw-r--r-- 1 root ftp 52 May 11 08:19 bnc.conf - bnc's config file

I also know it's making IRC connections, plus has at least one rootshell running. I can't confirm this without modifying bits of the box, to replace ps with a known good copy, and I can't do that until one of my colleagues looks at it to get first hand experience.

BNC is an IRC proxy. See: http://www.gotbnc.com

You may be able to get more info on your intruder by seeing who it is that is using that bnc.. find a clean copy of netstat and look at the port bnc.conf says it's listening on.

-chris
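
An added example, not part of the original posts: a small Python triage script for the check described above, run against a copy of psybnc.conf taken from the affected host, that pulls out host-like values and channel names to search for in netstat output and logs. It assumes the file uses the SCOPE.SECTION.KEY=value layout suggested by the USER1.OP.ENTRY= line; the sample content and every key name other than that one are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, not taken from the incident. Only the USER1.OP.ENTRY
# key prefix appears in the thread; other key names and all values are assumptions.
SAMPLE_CONF = """\
PSYBNC.SYSTEM.PORT1=6667
USER1.USER.LOGIN=exampleuser
USER1.OP.ENTRY0=*!*ident@shell.example.net
USER1.OP.ENTRY1=*!*@192.0.2.45
USER1.CHANNELS.ENTRY0=#example-chan
; comment line
garbage without equals
"""

LINE_RE = re.compile(r"^(\w+)\.(\w+)\.(\w+)\s*=\s*(.*)$")
# Host-like tokens: dotted IPv4 addresses or dotted DNS names.
HOST_RE = re.compile(
    r"(?<![\w.-])((?:\d{1,3}\.){3}\d{1,3}|(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})(?![\w-])")
CHAN_RE = re.compile(r"(?<!\S)[#&][^\s,]+")  # IRC channel names

def parse_conf(text):
    """Return ({scope: {section: [(key, value)]}}, [(lineno, unparsed line)])."""
    tree = defaultdict(lambda: defaultdict(list))
    skipped = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            skipped.append((lineno, line))  # keep for manual review
            continue
        scope, section, key, value = m.groups()
        tree[scope.upper()][section.upper()].append((key, value))
    return tree, skipped

def pivots(tree):
    """Per USERn scope, collect hosts and channels worth searching logs for."""
    out = {}
    for scope, sections in tree.items():
        if not scope.startswith("USER"):
            continue
        values = [v for entries in sections.values() for _k, v in entries]
        hosts = {h for v in values for h in HOST_RE.findall(v)}
        chans = {c for v in values for c in CHAN_RE.findall(v)}
        out[scope] = {"hosts": sorted(hosts), "channels": sorted(chans)}
    return out

if __name__ == "__main__":
    tree, skipped = parse_conf(SAMPLE_CONF)
    print(pivots(tree), skipped)
```

Lines that do not parse are returned rather than dropped, since an edited or damaged config file is itself worth a manual look.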