Security Incidents mailing list archives

Linux-box hacked, ls, ps, login modified


From: fd-l-i () DAIDALOS INFORMATIK UNIBW-MUENCHEN DE (Frank Derichsweiler)
Date: Wed, 22 Mar 2000 16:47:27 +0100


Hi list,

Anybody seen this?
The process for gl0ck is running as root on a Red Hat box.

/bin/bincp/glox.su:

gl0ck 3.2 [icmp/tcp/udp/frag+rand ID] by ip, this copy is registred to s3phz

usage: Cancer <ip#1,ip#2,...> [options]

-F <type>       : i=icmp s=syn u=udp f=fragbomb [i=icmp]
-I <addr>       : Use <addr> as source [random]
-p <port>       : Destinationport in syn/udp flood
-s <size>       : Payload size in bytes(always 0 in synflood) [0]
-c <count>      : Only send <count> packets [endless]
-m <count>      : Multiple packets(<count>) in each packetburst [1]
-d <delay>      : Microsec(s) delay between bursts [0]
-t <min>        : Floodtimeout in min(s) [30]
-l <port>       : CancerServer, listen for cmd's on <port>
-f <hostfile>   : Flood using CancerServers in <hostfile>
-q: Quiet mode

Further investigation showed that /bin/ls, /bin/ps and /bin/login were
replaced by trojaned ones.

Luckily I found a source file with code for an exploit. Unfortunately
I cannot transfer it from "\xeb \x38 ..." to a readable form.

Any ideas?

TIA
Frank


--
Frank Derichsweiler
Please *NO* CC: I read the mailing list !
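The "\xeb \x38 ..." in the exploit source is a C string literal holding raw machine code (the first two bytes, EB 38, are an i386 `jmp short +0x38`, the usual opening of a jmp/call/pop shellcode). Turning it into a readable form is a decoding job, not a transcription job. The script below is an added example written for this thread, not code from the original post or from the compromised box: it pulls every string literal out of a C source, resolves the escapes into bytes, hex-dumps them, and checks for the jmp/call/pop layout to recover where the payload string (typically "/bin/sh") lives. The `CONSTRUCTED_SOURCE` sample is made up for the demonstration (a NOP-only body), not the file Frank found.

```python
"""Decode a C-style "\\xeb\\x38..." shellcode literal into raw bytes and
inspect it.  Added example for this thread, not code from the original
post; the sample source below is constructed, not the real exploit file."""
import re
import struct

# Constructed stand-in for the exploit source: a classic i386 jmp/call/pop
# skeleton whose body is only NOPs.  It exercises the decoder; it is not a
# working exploit.
CONSTRUCTED_SOURCE = "".join([
    'char shellcode[] =\n',
    '  "\\xeb\\x38"              /* jmp short +0x38 -> the call below */\n',
    '  "\\x5e"                  /* pop %esi: address of the string  */\n',
    '  "' + "\\x90" * 55 + '"     /* 55 NOPs standing in for the body */\n',
    '  "\\xe8\\xc3\\xff\\xff\\xff"  /* call -0x3d -> back to pop %esi   */\n',
    '  "/bin/sh";\n',
])

# A C string literal: anything that is not a quote or backslash, or a
# backslash followed by any character.
_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

def extract_shellcode(c_source):
    """Concatenate every C string literal in the source (comments stripped)
    and resolve its escape sequences into raw bytes."""
    no_comments = re.sub(r"/\*.*?\*/", "", c_source, flags=re.S)
    out = bytearray()
    for literal in _LITERAL.findall(no_comments):
        # unicode_escape resolves \xHH, \ooo, \n, \\ ...; latin-1 maps each
        # resulting code point 0-255 straight back to a single byte.
        out += literal.encode("latin-1").decode("unicode_escape").encode("latin-1")
    return bytes(out)

def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump, returned as a string."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{asc}|")
    return "\n".join(lines)

# Single-byte POP r32 opcodes 0x58..0x5F, in register-number order.
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def find_jmp_call_pop(code):
    """Recognise the jmp/call/pop layout: a short JMP (EB rel8) at offset 0
    to a CALL (E8 rel32) that jumps back over itself, leaving the address of
    whatever follows the CALL (usually "/bin/sh") on the stack.
    Returns the decoded offsets, or None if the bytes do not match."""
    if len(code) < 2 or code[0] != 0xEB:
        return None
    jmp_target = 2 + struct.unpack("b", code[1:2])[0]
    if not 0 <= jmp_target <= len(code) - 5 or code[jmp_target] != 0xE8:
        return None
    rel32 = struct.unpack("<i", code[jmp_target + 1:jmp_target + 5])[0]
    call_target = jmp_target + 5 + rel32
    if not 0 <= call_target < len(code):
        return None
    opcode = code[call_target]
    pop_reg = POP_REGS[opcode - 0x58] if 0x58 <= opcode <= 0x5F else None
    string_off = jmp_target + 5
    return {
        "jmp_target": jmp_target,
        "call_target": call_target,
        "pop_reg": pop_reg,
        "string_offset": string_off,
        "string": code[string_off:].split(b"\0", 1)[0],
    }

if __name__ == "__main__":
    sc = extract_shellcode(CONSTRUCTED_SOURCE)
    print(hexdump(sc))
    print(find_jmp_call_pop(sc))
    # Raw bytes for a real disassembler: objdump -D -b binary -m i386 shellcode.bin
    with open("shellcode.bin", "wb") as fh:
        fh.write(sc)
```

Run it against the real source file by passing its contents to `extract_shellcode`; the `shellcode.bin` it writes can then be fed to `objdump -D -b binary -m i386 shellcode.bin` for a full listing. The jmp/call/pop check only confirms the usual skeleton and locates the embedded string; anything more needs the disassembler. On a Red Hat box the trojaned binaries can be checked independently of the (untrusted) `ls` and `ps` with `rpm -V fileutils procps util-linux` run from a clean boot medium, since the replaced tools will also lie about their own files.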