Security Incidents mailing list archives

Linux - Possible trojan or other? (fwd)


From: Hal Flynn <flynn () SECURITYFOCUS COM>
Date: Mon, 18 Dec 2000 11:49:08 -0800

----------------- Original message (ID=8A207993) (40 lines) -------------------
Return-Path: <owner-focus-linux () securityfocus com>
Delivered-To: focus-linux () lists securityfocus com
Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78])
        by lists.securityfocus.com (Postfix) with SMTP id E4F3624C5A5
        for <focus-linux () lists securityfocus com>; Mon, 18 Dec 2000 11:30:45 -0800 (PST)
Received: (qmail 22534 invoked by alias); 18 Dec 2000 19:30:44 -0000
Delivered-To: Focus-Linux () SECURITYFOCUS COM
Received: (qmail 22528 invoked from network); 18 Dec 2000 19:30:44 -0000
Received: from unknown (HELO ns1.savernake.com) (194.202.204.1)
  by mail.securityfocus.com with SMTP; 18 Dec 2000 19:30:44 -0000
Received: from mail-exchange-1.savernake.com (mail-exchange-1.savernake.com [194.202.204.65])
        by ns1.savernake.com (8.9.3/8.8.7) with ESMTP id TAA01160
        for <Focus-Linux () SECURITYFOCUS COM>; Mon, 18 Dec 2000 19:34:46 GMT
Received: by mail-exchange-1.savernake.com with Internet Mail Service (5.5.2650.21)
        id <YZCYPR5G>; Mon, 18 Dec 2000 19:25:35 -0000
Message-ID: <A19B90E923EDD311A2470008C7D21F5024EC69 () mail-exchange-1 savernake com>
From: Mark Armitage <mark.armitage () savernake com>
To: "'Focus-Linux () SECURITYFOCUS COM'" <Focus-Linux () SECURITYFOCUS COM>
Subject: Linux - Possible trojan or other?
Date: Mon, 18 Dec 2000 19:25:32 -0000
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain;
        charset="iso-8859-1"

I have found a set of replacement files and scripts in
/usr/man/man1/m1x on one of my Linux boxes. (Red Hat 6.0)

A replacement for in.identd, ps, cplogd, tcpdmatch, tcpdchk, tcpd, named,
and klogd, and some scripts which respawn tcplogd and make it appear as
[httpd] /n tcplogd in a ps -x listing.

This machine was investigated for sending out large quantities of packets
onto the network (unknown destinations) periodically.

Any help greatly appreciated, if you would like a tarball of the files
please email me directly.

Mark.
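The post describes two classic rootkit tricks: a replaced ps(1) that hides processes, and a respawn script that makes tcplogd show up as "[httpd]". Both can be caught by going around ps and asking the kernel directly, because a trojaned ps cannot filter /proc and a renamed argv[0] cannot change where /proc/PID/exe points. The script below is an added example written for this archive page, not something from the original message or from Red Hat; it assumes a Linux /proc filesystem, awk and readlink, and it should be run from a known-clean toolset (statically linked binaries or a rescue boot), since the box's own awk, ps and readlink may themselves be replaced. A kernel-module rootkit that lies in /proc would defeat it; this check only covers userland replacements like the ones found here.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a possibly
# trojaned ps(1) against the kernel's own process table in /proc.

# Print PIDs present in the /proc list ($1) but missing from the ps list ($2).
# Both files hold one PID per line; a userland ps replacement that filters
# its output cannot remove entries from /proc.
hidden_pids() {
    awk 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Given lines of "PID ARGV0 EXE" ($1), print the ones that look disguised:
#  - argv[0] imitates a kernel thread ("[httpd]") but the process has a real
#    executable behind it (kernel threads have no /proc/PID/exe target), or
#  - the executable lives outside the system binary directories, e.g. the
#    /usr/man/man1/m1x directory mentioned in the post.
suspicious_names() {
    awk '{
        pid = $1; name = $2; exe = $3
        if (substr(name, 1, 1) == "[" && exe != "-") { print pid, name, exe; next }
        if (exe != "-" && exe !~ "^/(usr/(local/)?)?s?bin/") print pid, name, exe
    }' "$1"
}

# Walk /proc and emit "PID ARGV0 EXE" for every process the kernel knows.
# Kernel threads have an empty cmdline and no exe link; both become "-".
collect_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        name=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | cut -d' ' -f1)
        [ -n "$name" ] || name="-"
        exe=$(readlink "$d/exe" 2>/dev/null || echo -)
        echo "$pid $name $exe"
    done
}

# Live mode: compare the running system's /proc with what ps reports.
# Invoke as "sh procheck.sh --live" (file name is an assumption).
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp -d)
    collect_proc > "$tmp/proc_view"
    awk '{ print $1 }' "$tmp/proc_view" > "$tmp/proc_pids"
    ps ax 2>/dev/null | awk 'NR > 1 { print $1 }' > "$tmp/ps_pids"
    echo "PIDs in /proc that ps does not show:"
    hidden_pids "$tmp/proc_pids" "$tmp/ps_pids"
    echo "Processes with a kernel-thread-style name or an unusual binary:"
    suspicious_names "$tmp/proc_view"
    rm -rf "$tmp"
fi
```

Anything hidden_pids prints is a process the installed ps is lying about; anything suspicious_names prints deserves a look at its /proc/PID/exe target and cwd before the box is taken offline for imaging. On a Red Hat 6.0 system the same idea can be applied to the replaced binaries themselves with rpm -V on the owning packages, using an rpm binary copied from clean media.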
