Security Incidents mailing list archives
Rootkit or trojan
From: "Jason Robertson" <jason () ifuture com>
Date: Mon, 22 Apr 2002 23:37:45 -0400
Okay, I am wondering if anyone has seen a rootkit or trojan with the following files (please note, I do not have access to this machine directly, so this is only from a remote cursory view).

The OS is Sun OS 2.5 (I know, I know).

First, the executable /usr/bin/xntpx was created. This program seems to be some ICMP utility, which creates a large stream of ICMP traffic; the traffic we noticed was ICMP packets > 1024 to address 0.0.0.0.

Second, /tmp/x, which was run with xinetd /tmp/x.

Third, /var/adm/* had the mode 666.

That was all of the information I had direct access to, though if I remember, there was also a trojan sshd using the name ssld, and modcheck, if I remember, running as well.

Jason

--
Jason Robertson
Now at the Nation Research Council.