Security Incidents mailing list archives

Rootkit or trojan


From: "Jason Robertson" <jason () ifuture com>
Date: Mon, 22 Apr 2002 23:37:45 -0400

Okay, I am wondering if anyone has seen a rootkit or trojan with the
following files (please note, I do not have access to this machine
directly, so this is only from a remote cursory view).
The OS is Sun OS 2.5 (I know, I know).
First, the executable:

/usr/bin/xntpx was created. This program seems to be some ICMP utility,
which creates a large stream of ICMP traffic; the traffic we noticed
was ICMP packets > 1024 to address 0.0.0.0.

Second, /tmp/x, which was run with xinetd /tmp/x.

Third, /var/adm/* had the mode 666.

That was all of the information I had direct access to, though if I
remember there was also a trojan sshd using the name ssld, and modcheck,
if I remember, running as well.

Jason
--
Jason Robertson                
Now at the Nation Research Council.
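
A triage check for the indicators listed in the message above, written as an added example that is not part of the original post. The function name `check_indicators`, the ROOT argument (a read-only mount or copy of the suspect filesystem, inspected from a trusted analysis host) and the saved `ps` listing are assumptions.

```shell
#!/bin/sh
# Added example. Indicators are taken from the post; ROOT and PSLIST are
# assumptions (a read-only mount of the suspect disk, saved `ps` output).
check_indicators() {
    root=${1:-/}; root=${root%/}   # "/" becomes "" so paths join cleanly
    pslist=${2:-}
    hits=0

    # 1. Files named in the report.
    for f in /usr/bin/xntpx /tmp/x; do
        if [ -e "$root$f" ]; then
            echo "FILE     $f"
            hits=$((hits + 1))
        fi
    done

    # 2. Log files under /var/adm that anyone can write to. The report saw
    #    mode 666; testing the world-write bit also catches 646, 777, etc.
    if [ -d "$root/var/adm" ]; then
        ww=$(find "$root/var/adm" -type f -perm -0002 2>/dev/null || true)
        if [ -n "$ww" ]; then
            echo "$ww" | sed 's/^/WRITABLE /'
            n=$(echo "$ww" | wc -l)
            hits=$((hits + n))
        fi
    fi

    # 3. Process names from the report, matched as whole command names so
    #    that the legitimate sshd does not match ssld.
    if [ -n "$pslist" ] && [ -r "$pslist" ]; then
        pat='(^|[/[:space:]])(xntpx|ssld|modcheck|xinetd[[:space:]]+/tmp/x)([[:space:]]|$)'
        grep -E "$pat" "$pslist" | sed 's/^/PROCESS  /'
        n=$(grep -Ec "$pat" "$pslist" || true)
        hits=$((hits + n))
    fi

    # Last line is always the number of indicators found.
    echo "TOTAL $hits"
}

# Usage: check_indicators /mnt/suspect /evidence/ps.txt
```
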


