Security Incidents mailing list archives
Re: ^Madereet (or tmkit)
From: Opus <opus () IRCORE COM>
Date: Sat, 4 Nov 2000 12:33:36 -0600
I am taking a shot in the dark here, but the /var/named/ADMINROCKS indicates you got compromised due to an older version of bind. I'd suggest upgrading to bind8.2.2-p5 @ http://www.isc.org/products/BIND/

Opus

At this point, I have upgraded my gateway machine and shut all ports except 22 and 80, and continue examining the 'tm2.tgz' package more closely. A first preliminary examination of the package shows that it creates/modifies/exchanges the following files:

/etc/inetd.conf, /usr/sbin/time, /bin/lpr, /bin/ps, /bin/netstat, /usr/sbin/inetd, /bin/ls, /var/log/secure, /var/log/messages, /sbin/rpc.statd, /dev/hdbp, /dev/hdaq, /dev/^Madereet, /dev/^Madereet/.backup, /dev/^Madereet/other, /var/named/ADMROCKS.

I would appreciate any comments, suggestions or feedback.

Best regards,
Kristinn Torfason
quirc () quirc com
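
A triage check built from the file list in the original post, added here as an example and not part of either message: it looks under a mounted or live root for the kit-created paths and for regular files hiding under /dev. The function names, the MAKEDEV and /dev/shm exclusions, and the choice to catch /dev/^Madereet through the /dev scan (its exact on-disk name is not clear from the archive) are assumptions.

```shell
#!/bin/sh
# Paths the post names as created by the kit. The replaced system
# binaries (/bin/ps, /bin/ls, ...) are left out: they exist on a clean
# host too and need a checksum comparison against known-good media.
KIT_PATHS="/dev/hdbp /dev/hdaq /var/named/ADMROCKS"

# Print each kit path that exists under the root directory $1.
find_kit_paths() {
    root=${1:-/}
    for p in $KIT_PATHS; do
        if [ -e "$root/$p" ] || [ -L "$root/$p" ]; then
            echo "$p"
        fi
    done
}

# Print regular files under $1/dev. A static /dev holds device nodes,
# so plain files there deserve a look. Assumed exceptions: the MAKEDEV
# script and anything under /dev/shm.
find_odd_dev_entries() {
    root=${1:-/}
    [ -d "$root/dev" ] || return 0
    ( cd "$root" && find dev -type f ! -name MAKEDEV \
          ! -path 'dev/shm/*' -print ) | sed 's|^|/|' | LC_ALL=C sort
}

# Print the combined findings; return 1 if there are any, 0 if clean.
scan_host() {
    root=${1:-/}
    hits=$( { find_kit_paths "$root"; find_odd_dev_entries "$root"; } \
            | LC_ALL=C sort -u )
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}
```

Run it against the suspect disk mounted read-only from trusted media, since the post lists /bin/ls and /bin/ps among the replaced binaries and a scan from the running system would rely on them.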