Security Incidents mailing list archives
hpd, afb, sc, and sn
From: Gordon Chamberlin <glac () visualize com>
Date: 20 Dec 2002 14:11:31 -0700
I found suspicious-looking files on a Redhat 7.1 Linux server earlier today. Can anyone confirm or deny that the machine has been hacked?

The files:

    /usr/bin/hpd
    /usr/bin/afb
    /usr/bin/sn

The following line is in /etc/rc.local:

    /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null

The contents of hpd are:

    #!/bin/sh
    /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
    /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null

nmap reports the following ports open:

    Port      State   Service
    5/tcp     open    rje
    22/tcp    open    ssh
    25/tcp    open    smtp
    53/tcp    open    domain
    80/tcp    open    http
    111/tcp   open    sunrpc
    443/tcp   open    https
    808/tcp   open    unknown
    1024/tcp  open    kdm
    3306/tcp  open    mysql
    7000/tcp  open    afs3-fileserver
    8009/tcp  open    ajp13

According to an rpm -V, all kinds of binaries have been changed: ps, top, netstat, ifconfig, ...

I copied a good version of ps in and found the two afb processes running.

Anyone know about this hack, what afb does and/or how they usually get in?

Embarrassedly,
-Gordon

--
Gordon Chamberlin
Software Architect
Visualize, Inc.
http://www.visualize.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
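Two triage checks for the situation described in this post, as an added example that is not part of the original thread: one parses rpm -V style output to flag packaged binaries in system bin directories that are missing or whose size or MD5 digest changed, the other diffs an nmap port listing against a known-good baseline. The sample lines and the baseline port set are constructed assumptions, not data taken from the host.

```python
import re
# Sample inputs constructed from the post above (not real output from that host).
RPM_VERIFY_OUTPUT = """\
S.5....T   /bin/ps
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
..5....T   /usr/bin/top
.......T c /etc/rc.d/rc.local
missing    /usr/share/doc/foo/README
"""
NMAP_OUTPUT = """\
Port State Service
5/tcp open rje
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open sunrpc
443/tcp open https
808/tcp open unknown
1024/tcp open kdm
3306/tcp open mysql
7000/tcp open afs3-fileserver
8009/tcp open ajp13
"""
# rpm -V line: 8 or 9 flag chars (or "missing"), optional file type (c,d,g,l,r), path.
RPM_LINE = re.compile(r"^(?P<flags>[S.M5DLUGTP?]{8,9}|missing)\s+(?P<type>[cdglr]\s+)?(?P<path>/\S+)$")
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def tampered_binaries(rpm_va_output):
    """Packaged executables in system bin dirs that are missing or whose size (S)
    or MD5 digest (5) differs. Config files (type c) are skipped: they change legitimately."""
    hits = []
    for line in rpm_va_output.splitlines():
        m = RPM_LINE.match(line.strip())
        if not m or m.group("type") or not m.group("path").startswith(BIN_DIRS):
            continue
        flags = m.group("flags")
        if flags == "missing" or "S" in flags or "5" in flags:
            hits.append(m.group("path"))
    return hits

def unexpected_ports(nmap_output, baseline):
    """Open TCP ports in an nmap listing that are not in the known-good baseline set."""
    found = []
    for line in nmap_output.splitlines():
        m = re.match(r"^(\d+)/tcp\s+open\b", line.strip())
        if m and int(m.group(1)) not in baseline:
            found.append(int(m.group(1)))
    return found
```

Run both checks from a trusted rescue medium, since the poster's own ps, netstat and friends were replaced; the rpm database itself can also be tampered with, so treat a clean rpm -V as weak evidence only.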
Current thread:
- hpd, afb, sc, and sn Gordon Chamberlin (Dec 20)
- Re: hpd, afb, sc, and sn gminick (Dec 23)
- Re: hpd, afb, sc, and sn Greg Barnes (Dec 23)
- Re: hpd, afb, sc, and sn Brad Arlt (Dec 23)
- RE: hpd, afb, sc, and sn Bojan Zdrnja (Dec 23)
- Re: hpd, afb, sc, and sn deadcalm (Dec 23)