Security Incidents mailing list archives
Re: Possible break in
From: ben <ben () electricfork com>
Date: Mon, 22 Mar 2004 10:57:09 -0500
Just ran strings against the two files. dbproc looks like a version of the suckit rootkit, gnorp didn't look familiar to me. I'd check the timestamps on the two files and do a find on your system for files that have been written to your filesystem since that date. Then look closer at any said files, and logs generated during that time.

-Ben

On Mar 22, 2004, at 10:31 AM, Alexandros Kyriakides wrote:
I am wondering if anyone can give me some help with this incident. The only related thing I found on-line was this: http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html

The box I have is running Linux Mandrake 8.0. What I have found until now is the following:

1) Two new binary files:
   /usr/bin/dbproc
   /usr/bin/gnorp

2) Appended at the end of inittab and rc.local:

   inittab:
   a:2345:once:/usr/bin/dbproc
   a:2345:once:/bin/end

   rc.local:
   #Starting gnorp
   /usr/bin/gnorp
   #The End
   /bin/end

3) lsattr gives:
   suS-iadAcj--- /etc/inittab
   suS-iadAcj--- /etc/rc.local

Has anyone seen this before? I am also interested in finding out how this happened, if possible. Any help is greatly appreciated. The two binary files can be found at: http://web.mit.edu/alex1/www/binaries/
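The following is an added example, not code posted by either participant. It turns the two pieces of advice in this exchange into a repeatable check: it lists the executables that inittab and rc.local launch, flags the ones modified after a reference file (Ben's "find files written since that date"), sweeps a directory tree for files newer than that reference, and reports immutable or append-only attributes on the startup files themselves (the lsattr output Alexandros posted). All paths are parameters, the function names are this example's own, and only POSIX sh utilities plus the optional lsattr from e2fsprogs are assumed.

```shell
#!/bin/sh
# Added startup-persistence triage helper (example code, not from the thread).
# Assumes POSIX sh, grep, awk, find and sort; lsattr is optional.

# Print one executable path per line for every command a startup file
# launches. $1 = file, $2 = "inittab" (id:runlevels:action:process format)
# or "rc" (a plain shell script such as rc.local).
startup_commands() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    if [ "$2" = inittab ]; then
        # first word of the process field
        awk -F: 'NF >= 4 { split($4, w, " "); print w[1] }'
    else
        # first word of each command line
        awk '{ print $1 }'
    fi | grep '^/' | sort -u
}

# Report startup-launched executables that are newer than reference file $3,
# or that no longer exist. Pick a reference you know predates the incident
# (an untouched file from the original install, or a package file with a
# verified checksum). $1 and $2 are as in startup_commands.
newer_startup_commands() {
    startup_commands "$1" "$2" | while read -r path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
        elif [ -n "$(find "$path" -prune -newer "$3" 2>/dev/null)" ]; then
            echo "NEWER $path"
        fi
    done
}

# Ben's wider sweep: every regular file under $1 modified after reference
# file $2. Point it at real filesystems, not /proc or /sys.
files_written_since() {
    find "$1" -type f -newer "$2" 2>/dev/null
}

# Report startup files carrying the immutable (i) or append-only (a)
# attribute, which is what the suS-iadAcj--- output in the thread shows.
# Prints a note and succeeds if lsattr is not installed.
locked_startup_files() {
    if ! command -v lsattr >/dev/null 2>&1; then
        echo "lsattr not available"
        return 0
    fi
    for f in "$@"; do
        attrs=$(lsattr -d "$f" 2>/dev/null | awk '{ print $1 }')
        case "$attrs" in
            *i*|*a*) echo "LOCKED $attrs $f" ;;
        esac
    done
}

# Typical run on the affected host once a trusted reference file is chosen:
#   . ./startup_triage.sh
#   locked_startup_files /etc/inittab /etc/rc.local
#   newer_startup_commands /etc/inittab inittab /path/to/trusted/reference
#   newer_startup_commands /etc/rc.local rc /path/to/trusted/reference
#   files_written_since / /path/to/trusted/reference | sort
```

The reference file matters more than the script: modification times can be set by an intruder, so treat a NEWER result as a lead to confirm against package checksums and logs, and treat a clean result as no proof of anything.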