Security Incidents mailing list archives
DoS Tool Identification
From: Seth Milder <mrseth () physics gmu edu>
Date: Wed, 25 Feb 2004 15:28:17 -0500
Does anyone know what this might be? Here is the ps and lsof identification:

root 6543 26.0 0.0 1336 276 ? SN Feb24 351:37 httpd 10000 149.xxx.xxx.xxx 113

[root () xxx xxx xxx xxx httpd]# lsof -p 6543
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 6543 root cwd DIR 8,23 0 420993 /tmp/.x (deleted)
httpd 6543 root rtd DIR 8,2 4096 2 /
httpd 6543 root txt REG 8,23 5388 420994 /tmp/.x/httpd (deleted)
httpd 6543 root mem REG 8,2 89547 484644 /lib/ld-2.2.5.so
httpd 6543 root mem REG 8,2 1402035 226126 /lib/i686/libc-2.2.5.so
httpd 6543 root 0r CHR 1,3 162462 /dev/null
httpd 6543 root 1w REG 8,23 0 420995 /tmp/.x/nohup.out (deleted)
httpd 6543 root 2w REG 8,23 0 420995 /tmp/.x/nohup.out (deleted)
httpd 6543 root 3u sock 0,0 2377 can't identify protocol
httpd 6543 root 4u raw 63164463 00000000:0006->00000000:0000 st=07

I also found the attached file that was being executed in /etc/rc.d/rc.local in /dev/rd/c0dO/bd.out. It spawns a process that makes it look like it's /usr/sbin/named.
Thanks for any info on this!

--
Seth Milder
Department of Physics and Astronomy
MS 3f3
George Mason University
Fairfax, VA
--
I'll give you my opinion of the human race in a nutshell ... their heart's in the right place, but their head is a thoroughly inefficient organ.
-- W. Somerset Maugham, "The Summing Up"
Attachment:
bd.out.gz
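
Added example, not part of the original post: a small triage routine that reads `lsof` output like the listing above and flags the traits visible in it (executable or working directory deleted from disk, a hidden directory under a temp path, an open raw socket). The finding labels, the `triage` function name and the list of temp directories are assumptions made for this illustration.

```python
import re

# Rows from the lsof -p 6543 listing in the post, line breaks restored.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 6543 root cwd DIR 8,23 0 420993 /tmp/.x (deleted)
httpd 6543 root rtd DIR 8,2 4096 2 /
httpd 6543 root txt REG 8,23 5388 420994 /tmp/.x/httpd (deleted)
httpd 6543 root mem REG 8,2 89547 484644 /lib/ld-2.2.5.so
httpd 6543 root 0r CHR 1,3 162462 /dev/null
httpd 6543 root 1w REG 8,23 0 420995 /tmp/.x/nohup.out (deleted)
httpd 6543 root 3u sock 0,0 2377 can't identify protocol
httpd 6543 root 4u raw 63164463 00000000:0006->00000000:0000 st=07
"""

# Assumption: world-writable temp locations worth flagging when the
# first path component below them is a dot-directory.
HIDDEN_TMP = re.compile(r"^/(?:tmp|var/tmp|dev/shm)/\.[^/]+")


def triage(lsof_text):
    """Map each PID to a sorted list of findings from its lsof rows."""
    findings = {}
    for line in lsof_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6 or not parts[1].isdigit():
            continue  # header or malformed row
        pid, fd, ftype, rest = int(parts[1]), parts[3], parts[4], parts[5]
        deleted = rest.endswith("(deleted)")
        # NAME is taken as the first token starting with "/";
        # paths containing spaces are not handled here.
        m = re.search(r"(?:^|\s)(/\S*)", rest)
        path = m.group(1) if m else ""
        hits = findings.setdefault(pid, set())
        if fd == "txt" and deleted:
            hits.add("deleted-exe")       # binary unlinked while running
        if fd == "cwd" and deleted:
            hits.add("deleted-cwd")       # launch directory removed
        if ftype == "raw":
            hits.add("raw-socket")        # raw socket held open
        if HIDDEN_TMP.match(path):
            hits.add("hidden-tmp-path")   # e.g. /tmp/.x
    return {pid: sorted(h) for pid, h in findings.items() if h}


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE).items():
        print(pid, ", ".join(hits))
```

On Linux, the deleted binary of a still-running process can usually be copied out through `/proc/<pid>/exe` for analysis before the process is stopped.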