Security Incidents mailing list archives
Linux-box hacked, ls, ps, login modified
From: fd-l-i () DAIDALOS INFORMATIK UNIBW-MUENCHEN DE (Frank Derichsweiler)
Date: Wed, 22 Mar 2000 16:47:27 +0100
Hi list,

Anybody seen this? The process for gl0ck is running as root on a Red Hat box.

/bin/bincp/glox.su: gl0ck 3.2 [icmp/tcp/udp/frag+rand ID] by ip, this copy is registred to s3phz
usage: Cancer <ip#1,ip#2,...> [options]
  -F <type>     : i=icmp s=syn u=udp f=fragbomb [i=icmp]
  -I <addr>     : Use <addr> as source [random]
  -p <port>     : Destinationport in syn/udp flood
  -s <size>     : Payload size in bytes(always 0 in synflood) [0]
  -c <count>    : Only send <count> packets [endless]
  -m <count>    : Multiple packets(<count>) in each packetburst [1]
  -d <delay>    : Microsec(s) delay between bursts [0]
  -t <min>      : Floodtimeout in min(s) [30]
  -l <port>     : CancerServer, listen for cmd's on <port>
  -f <hostfile> : Flood using CancerServers in <hostfile>
  -q: Quiet mode
~

Further investigation showed that /bin/ls /bin/ps /bin/login were replaced by trojaned ones.

Luckily I found a source file with code for an exploit. Unfortunately I cannot transfer it from "\xeb \x38 ..." to a readable form.

Any ideas?

TIA
Frank

--
Frank Derichsweiler
Please *NO* CC: I read the mailing list !
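
Added example, not part of the original post and not the poster's code: one way to turn C string literals written as "\xeb\x38..." escapes into raw bytes for static inspection, with a hex dump and a printable-strings pass. The sample array and all function names are constructed for illustration; the file from the incident is not on this page.

```python
import re

# Constructed sample, NOT the file from the post: a C array in the escaped
# style the post describes. A jump opcode, padding and a path; not working code.
SAMPLE_C = r'''
char code[] =
  "\xeb\x38\x90\x90\x90\x90"
  "\x2f\x62\x69\x6e\x2f\x73\x68\x00";
'''

# One token per match: \xHH, octal \NNN, a simple escape, or a literal char.
ESC = re.compile(r'\\x([0-9a-fA-F]{1,2})|\\([0-7]{1,3})|\\(.)|([^\\])', re.S)
SIMPLE = {'n': 10, 't': 9, 'r': 13}

def decode_c_literals(source):
    """Return the bytes encoded by every "..." literal in C source text."""
    out = bytearray()
    for literal in re.findall(r'"((?:[^"\\]|\\.)*)"', source, re.S):
        for hx, octal, simple, plain in ESC.findall(literal):
            if hx:
                out.append(int(hx, 16))
            elif octal:
                out.append(int(octal, 8) & 0xFF)
            elif simple:
                out.append(SIMPLE.get(simple, ord(simple) & 0xFF))
            else:
                out.append(ord(plain) & 0xFF)
    return bytes(out)

def hexdump(data, width=16):
    """Offset, hex bytes and ASCII column, one row per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = ' '.join(f'{b:02x}' for b in chunk)
        text = ''.join(chr(b) if 32 <= b < 127 else '.' for b in chunk)
        lines.append(f'{off:08x}  {hexpart:<{width * 3}} {text}')
    return '\n'.join(lines)

def printable_strings(data, min_len=4):
    """Runs of printable ASCII (paths, commands) embedded in the bytes."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group().decode('ascii') for m in re.finditer(pattern, data)]

if __name__ == '__main__':
    raw = decode_c_literals(SAMPLE_C)
    print(hexdump(raw))
    print(printable_strings(raw))
```

Writing the returned bytes to a file on an analysis machine lets a disassembler read them without executing anything, for example objdump -D -b binary -m i386 <file>, assuming the code targets x86.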