Security Incidents mailing list archives
Re: Possible break in
From: Thorsten Holz <thorsten.holz () mmweg rwth-aachen de>
Date: Mon, 22 Mar 2004 17:12:11 +0100
On Mon Mar 22 10:31:16 2004 Alexandros Kyriakides wrote:
1) Two new binary files: /usr/bin/dbproc
Just try something like

    user@uml:/tmp$ strings dbproc

It reveals some nice information:

    [...]
    FUCK: Can't find kmalloc()!
    kmalloc()=0x%08x, gfp=0x%x
    FUCK: Out of kernel memory!
    Done, %d bytes, base=0x%08x
    FUCK: Can't open %s for read/write (%d)
    FUCK: IDT table read failed (offset 0x%08x)
    FUCK: Can't find sys_call_table[]
    FUCK: Can't read syscall %d addr
    [...]

So this file seems to be a customized Suckit-Rootkit - see Phrack #58 (http://www.phrack.com/show.php?p=58&a=7) for further details... Perhaps you can try something like http://www.soohrt.org/stuff/linux/suckit/ to uninstall the rootkit, but your machine is definitely compromised and should be reinstalled.
/usr/bin/gnorp
Seems to be a wrapper for dbproc (/usr/bin/dbproc >/dev/null 2>&1), but I have to investigate this further :)
rc.local:

    #Starting gnorp
    /usr/bin/gnorp
    #The End
    /bin/end
Does /bin/end exist on your system?

HTH,
Thorsten
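As an added example that is not part of the thread, the following POSIX sh helpers script the two checks in Thorsten's reply: pulling SucKIT-style strings out of a suspicious binary (using tr in place of strings, so binutils is not required) and flagging rc.local entries whose binary is missing on disk, as /bin/end may be. The indicator fragments come from the strings output quoted above; the sample files and paths are constructed.

```shell
#!/bin/sh
# Added triage helpers, not code from the thread. They script the two checks in
# Thorsten's reply: look for SucKIT-style strings in a binary, and confirm that
# every absolute path rc.local launches exists on disk. Samples are constructed.
# String fragments quoted from the 'strings dbproc' output in the thread.
SUCKIT_SIGS="Can't find kmalloc
IDT table read failed
Can't find sys_call_table
Can't read syscall"

# Print each indicator found in FILE; exit 0 if any matched, 1 if none.
# Printable runs are extracted with tr, so binutils' strings is not required.
suckit_strings_check() {
    f=$1; hits=0; old_ifs=$IFS; IFS='
'
    for sig in $SUCKIT_SIGS; do
        if tr -c '[:print:]' '\n' < "$f" | grep -F -q -- "$sig"; then
            printf 'indicator: %s\n' "$sig"; hits=$((hits + 1))
        fi
    done
    IFS=$old_ifs
    [ "$hits" -gt 0 ]
}

# Print every command in RC_FILE whose absolute path is missing on disk (a
# dangling entry like /bin/end); exit 0 if none are missing, 1 otherwise.
rc_local_check() {
    missing=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        cmd=${line%% *}
        case $cmd in /*) ;; *) continue ;; esac
        if [ ! -e "$cmd" ]; then
            printf 'missing: %s\n' "$cmd"; missing=$((missing + 1))
        fi
    done < "$1"
    [ "$missing" -eq 0 ]
}
# Create constructed samples in a temp dir and print its path: a fake binary
# carrying two of the strings, and an rc.local modelled on the thread's with
# one entry that exists and one that does not.
make_samples() {
    d=$(mktemp -d)
    printf 'ELF\000\000%s\000pad\000%s\000' "FUCK: Can't find sys_call_table[]" \
        "FUCK: IDT table read failed (offset 0x%08x)" > "$d/dbproc"
    printf '#Starting gnorp\n%s >/dev/null 2>&1\n#The End\n%s\n' \
        "$d/dbproc" "$d/end" > "$d/rc.local"
    echo "$d"
}
```

Run the checks as `suckit_strings_check /usr/bin/dbproc` and `rc_local_check /etc/rc.d/rc.local`; a hit on either is a reason to treat the host as compromised rather than to clean it in place.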