Security Incidents mailing list archives
Re: Possible break in
From: Alexandros Kyriakides <alex1 () MIT EDU>
Date: Mon, 22 Mar 2004 12:22:00 -0500 (EST)
I had ran strings on it too, and tried to find some of the strings on Google, but no luck. I actually searched for some of the following: Folosire: %s <uivfp> [args] u - Uninstall i - Pid invizibil v - Pid vizibil f [0/1] - Fisiere ascunse p [0/1] - Piduri ascunse Nu am reusit sa il dezinstalez (%d) Nu am reusit sa ascund pidul %d (%d) Nu am reusit sa arat pidul %d (%d) Failed to change %s hiding (%d)! Versiune: %s But I didn't find anything useful. I guess I should have searched for some of the other strings as well. I'm reading up on the suckit rootkit now. I added a new hard disk on the compromised host, and installed RH9 on it so that I can investigate the files on the old compromised disk. Hopefully the logs will shed some light on how the intruder got in. Thank you very much for your help. alex. On Mon, 22 Mar 2004, ben wrote:
Just ran strings against the two files. dbproc looks like a version of the suckit rootkit, gnorp didn't look familar to me. I'd check the timestamps on the two files and do a find on your system for files that have been written to your filesystem since that date. then look closer at any said files, and logs generated durring that time. -Ben On Mar 22, 2004, at 10:31 AM, Alexandros Kyriakides wrote:I am wondering if anyone can give me some help with this incident. The only related thing I found on-line was this: http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html The box I have is running linux mandrake 8.0. What I have found until now is the following: 1) Two new binary files: /usr/bin/dbproc /usr/bin/gnorp 2) Appended at the end of inittab and rc.local: inittab: a:2345:once:/usr/bin/dbproc a:2345:once:/bin/end rc.local: #Starting gnorp /usr/bin/gnorp #The End /bin/end 3) lsattr gives: suS-iadAcj--- /etc/inittab suS-iadAcj--- /etc/rc.local Has anyone seen this before? I am also interested in finding out how this happened, if possible. Any help is greatly appreciated. The two binary files can be found at: http://web.mit.edu/alex1/www/binaries/ ----------------------------------------------------------------------- ---- Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. Download your free trial at http://www.securityfocus.com/sponsor/Astaro_incidents_040301 ----------------------------------------------------------------------- -----
--------------------------------------------------------------------------- Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. Download your free trial at http://www.securityfocus.com/sponsor/Astaro_incidents_040301 ----------------------------------------------------------------------------
Current thread:
- Possible break in Alexandros Kyriakides (Mar 22)
- Re: Possible break in ben (Mar 22)
- Re: Possible break in Alexandros Kyriakides (Mar 22)
- Re: Possible break in Chris Albert (Mar 22)
- Re: Possible break in Thorsten Holz (Mar 22)
- Re: Possible break in Alexandros Kyriakides (Mar 23)
- Re: Possible break in ben (Mar 22)