Security Incidents mailing list archives

Re: rooted with lots of files in /dev/sdc0/.nfs01

From: felix () BROADBAND HU (Marianovich Felix)
Date: Fri, 25 Feb 2000 11:23:08 +0100


Hello Jeff!

Has anyone seen this?

Yes, once I have same thing. I think you have take a look for the other
binaries too. E.g: /bin/login. /bin/ls, ps, netstat, etc. And try move or
delete these files. Maybe it won't work. Than look these files attributes
with lsattr command. With this command you can filter the compromised
files.

Also, ps showed the programs scan and z0ne. But doing a find for those
files turned up no results, even after replacing find. However, after
rebooting, find found the files.

It is interesting... In my system was changed some of the kernel libs too.
Maybe you can change them too.

Good luck for it.

        Felix Marianovich.

Current thread:

rooted with lots of files in /dev/sdc0/.nfs01 Jeff Macdonald (Feb 23)
- Slow scan on port 109 (pop2/kpop) Keith Owens (Feb 24)
- just how much sunrpc scanning is normal? Jon Burdge (Feb 24)
  - Re: just how much sunrpc scanning is normal? Missouri FreeNet Administration (Feb 25)
  - Re: just how much sunrpc scanning is normal? Jon Lewis (Feb 25)
  - Re: just how much sunrpc scanning is normal? Nathan Nichols (Feb 25)
  - Re: just how much sunrpc scanning is normal? Chris Brenton (Feb 26)
- Re: rooted with lots of files in /dev/sdc0/.nfs01 Ken Lyon (Feb 24)
- Re: rooted with lots of files in /dev/sdc0/.nfs01 Marianovich Felix (Feb 25)