Security Basics mailing list archives

Re: ptrace24 - How it appeared in my box?


From: "Muhammad Naseer Bhatti" <mail-lists () digitallinx com>
Date: Thu, 19 Jun 2003 01:26:25 +0500

They probably ran the ptrace exploit, got root and installed a rootkit. You
*must* have given shell access to your users and one of them did it :-)
Don't rely on just removing the files; get a fresh install of the OS, as
this would be the best resort for you. Would it be possible for you to zip
the files from the malicious directory and send them over to me for analysis?


-Naseer


----- Original Message ----- 
From: "Jairo Tcatchenco" <jairo () adaesp sp gov br>
To: <security-basics () securityfocus com>
Sent: Wednesday, June 18, 2003 10:08 PM
Subject: ptrace24 - How it appeared in my box?


        Hello all!

    Using the chkrootkit tool, I found a rootkit inside my box. A door was
opened and I haven't yet found how they put it there (there is a
folder in tmp, called ..\ \ \ with a lot of malicious files). I left
just the basic doors open (ntp, domain, ssh, http, https).  Could
someone explain how they put it there?

        Thanks.

Jairo Tcatchenco


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.

Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.

Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------



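As an added defensive example, not part of this thread or of chkrootkit: a small Python script that walks a directory tree and flags entry names built only from dots, spaces and backslashes, or containing control characters, the kind of name (the post's `..\ \ \`, i.e. two dots followed by spaces) that hides among `.` and `..` in a listing. The sample tree is constructed here; nothing in it comes from the reported box.

```python
import os
import re
import tempfile

# Names that render as blank, or as the "." / ".." entries, in a directory
# listing: only dots, whitespace and backslashes.
DECEPTIVE = re.compile(r'^[.\s\\]+$')


def is_deceptive_name(name: str) -> bool:
    """True if a file or directory name is shaped to hide in `ls` output."""
    if name in ('.', '..'):
        return False  # the real entries, never returned by os.walk anyway
    if DECEPTIVE.fullmatch(name):
        return True
    # Control characters (ESC, newline, DEL, ...) are not legitimate in names.
    return any(ord(ch) < 0x20 or ch == '\x7f' for ch in name)


def find_deceptive_names(root: str):
    """Walk `root` and return relative paths whose basename is deceptive."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_deceptive_name(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample: a /tmp-like tree with one hidden-looking directory."""
    root = tempfile.mkdtemp(prefix='ptrace24-demo-')
    os.makedirs(os.path.join(root, 'normal.d'))
    os.makedirs(os.path.join(root, '.config'))   # ordinary dotfile dir, not flagged
    hidden = os.path.join(root, '..   ')         # shell-escaped "..\ \ \ " from the post
    os.makedirs(hidden)
    with open(os.path.join(hidden, 'tool'), 'w') as f:
        f.write('placeholder\n')                 # constructed stand-in content
    return root


if __name__ == '__main__':
    for hit in find_deceptive_names(build_sample_tree()):
        print('suspicious name:', repr(hit))
```

Run it against `/tmp` (or any writable staging area) on a live host to list names that a casual `ls` would not reveal; `ls -la` with `-b` or `-q` shows the same entries escaped.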

