Security Incidents mailing list archives

DoS Tool Identification


From: Seth Milder <mrseth () physics gmu edu>
Date: Wed, 25 Feb 2004 15:28:17 -0500

Does anyone know what this might be? Here is the ps and lsof identification:


root      6543 26.0  0.0  1336  276 ?        SN   Feb24 351:37 httpd 10000 149.xxx.xxx.xxx 113


[root () xxx xxx xxx xxx httpd]# lsof -p 6543
COMMAND  PID USER   FD   TYPE DEVICE    SIZE     NODE NAME
httpd   6543 root  cwd    DIR   8,23       0   420993 /tmp/.x (deleted)
httpd   6543 root  rtd    DIR    8,2    4096        2 /
httpd   6543 root  txt    REG   8,23    5388   420994 /tmp/.x/httpd (deleted)
httpd   6543 root  mem    REG    8,2   89547   484644 /lib/ld-2.2.5.so
httpd   6543 root  mem    REG    8,2 1402035   226126 /lib/i686/libc-2.2.5.so
httpd   6543 root    0r   CHR    1,3           162462 /dev/null
httpd   6543 root    1w   REG   8,23       0   420995 /tmp/.x/nohup.out (deleted)
httpd   6543 root    2w   REG   8,23       0   420995 /tmp/.x/nohup.out (deleted)
httpd   6543 root    3u  sock    0,0             2377 can't identify protocol
httpd   6543 root    4u   raw                63164463 00000000:0006->00000000:0000 st=07


I also found the attached file that was being executed in /etc/rc.d/rc.local in /dev/rd/c0dO/bd.out. It spawns a process that makes it look like it's /usr/sbin/named.

Thanks for any info on this!

--
Seth Milder
Department of Physics and Astronomy
MS 3f3
George Mason University
Fairfax, VA
--
I'll give you my opinion of the human race in a nutshell ... their
heart's in the right place, but their head is a thoroughly inefficient
organ. -- W. Somerset Maugham, "The Summing Up"

Attachment: bd.out.gz
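A defender-side way to triage lsof output like the one in this post, as an added example that is not part of the original message: a small Python parser that flags the indicators visible above (a running executable that has been unlinked, a working directory in a hidden or world-writable location, and an open raw socket). The sample is the post's lsof output re-joined where the mail client wrapped it; decoding of the raw socket's protocol assumes the /proc/net/raw convention in which the local "port" field carries the IP protocol number.

```python
import re

# Constructed sample: the lsof -p 6543 output from the post, with wrapped
# lines re-joined so each record sits on one line.
SAMPLE_LSOF = """\
COMMAND  PID USER   FD   TYPE DEVICE    SIZE     NODE NAME
httpd   6543 root  cwd    DIR   8,23       0   420993 /tmp/.x (deleted)
httpd   6543 root  rtd    DIR    8,2    4096        2 /
httpd   6543 root  txt    REG   8,23    5388   420994 /tmp/.x/httpd (deleted)
httpd   6543 root  mem    REG    8,2   89547   484644 /lib/ld-2.2.5.so
httpd   6543 root  mem    REG    8,2 1402035   226126 /lib/i686/libc-2.2.5.so
httpd   6543 root    0r   CHR    1,3           162462 /dev/null
httpd   6543 root    1w   REG   8,23       0   420995 /tmp/.x/nohup.out (deleted)
httpd   6543 root    2w   REG   8,23       0   420995 /tmp/.x/nohup.out (deleted)
httpd   6543 root    3u  sock    0,0             2377 can't identify protocol
httpd   6543 root    4u   raw                63164463 00000000:0006->00000000:0000 st=07
"""

# The first five columns are always present; DEVICE/SIZE/NODE may be blank,
# so everything after TYPE is kept as free text and searched for paths.
LINE_RE = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+"
                     r"(?P<fd>\S+)\s+(?P<type>\S+)\s+(?P<rest>.*)$")
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}          # IP protocol numbers
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable staging dirs

def suspicious_indicators(lsof_text):
    """Return a list of (fd, reason) findings for one process's lsof -p output."""
    findings = []
    for line in lsof_text.splitlines()[1:]:        # skip the column header
        m = LINE_RE.match(line)
        if not m:
            continue
        fd, ftype, rest = m["fd"], m["type"], m["rest"]
        path = next((t for t in rest.split() if t.startswith("/")), None)
        if fd == "txt" and "(deleted)" in rest:
            findings.append((fd, "executable unlinked from disk while running"))
        if fd in ("cwd", "txt") and path:
            hidden = any(p.startswith(".") for p in path.split("/") if p)
            if path.startswith(SUSPECT_DIRS) or hidden:
                findings.append((fd, f"{fd} is {path}: hidden or world-writable location"))
        if ftype == "raw":
            pm = re.search(r"[0-9A-Fa-f]{8}:([0-9A-Fa-f]{4})->", rest)
            proto = int(pm.group(1), 16) if pm else None
            findings.append((fd, f"raw socket, protocol {PROTO.get(proto, proto)}: "
                                 "process can build its own packet headers"))
    return findings

if __name__ == "__main__":
    for fd, reason in suspicious_indicators(SAMPLE_LSOF):
        print(f"{fd:>4}  {reason}")
```

On a live host the same function can be fed `lsof -p <pid>` output for any process whose name (here "httpd" running as root with a 26% CPU share) does not match its on-disk path.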