Security Incidents mailing list archives

Re: Compromised - Port 1524


From: "blazin w" <blazin () mail ru>
Date: Thu, 07 Mar 2002 04:46:54 +0200

You missed statd, which is also a likely culprit; however, with this compromise
it appears the kiddie didn't get in by running any script trash. If you study
the history file carefully you'll see he's running synscan on port 1524, which
is a very common backdoor port used by many exploits. You'll also see he's
grepping for "#", which will indicate to him that the open port on 1524 has a
root shell bound to it, which kids often leave open when exploiting a host.
This is probably how he found your system, i.e. already rooted by a previous
intruder.

-blazin


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
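
Added example, not part of the original post: a local check for the condition the message describes, a TCP listener on port 1524. It parses the Linux /proc/net/tcp table; the sample table is constructed, and the function names are hypothetical.

```python
import socket
import struct

BACKDOOR_PORT = 1524   # port named in the post
TCP_LISTEN = 0x0A      # kernel state code for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp (not taken from any real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10101 1 0000000000000000 100 0 0 10 0
   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20202 1 0000000000000000 100 0 0 10 0
   2: 0100007F:05F4 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 30303 1 0000000000000000 100 0 0 10 0
"""


def decode_ipv4(hex_addr):
    """Decode the hex IPv4 address used in /proc/net/tcp.
    Assumes a little-endian host (x86), where 0100007F is 127.0.0.1."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def find_listeners(proc_net_tcp_text, port=BACKDOOR_PORT):
    """Return the sockets in LISTEN state on `port`, with owner uid and inode."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue                                  # truncated or blank row
        addr_hex, port_hex = fields[1].split(":")
        if int(fields[3], 16) != TCP_LISTEN:
            continue                                  # established, time-wait, ...
        if int(port_hex, 16) != port:
            continue
        hits.append({
            "addr": decode_ipv4(addr_hex),
            "port": port,
            "uid": int(fields[7]),      # 0 means the listener runs as root
            "inode": int(fields[9]),    # match against /proc/<pid>/fd to find the process
        })
    return hits


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:             # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP                   # fall back to the constructed sample
    for hit in find_listeners(table):
        print("listener on %(addr)s:%(port)d uid=%(uid)d inode=%(inode)d" % hit)
```

A root-owned listener on this port that no installed service accounts for matches what the post describes and suggests the host was already compromised before the scan found it.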

