Re: ^Madereet (or tmkit)

[Opus <opus () IRCORE COM>]

I am taking a shot in the dark here, but the /var/named/ADMINROCKS
indicates you got compromised due to a older version of bind, i'd suggest
upgrading to bind8.2.2-p5 @ http://www.isc.org/products/BIND/

Opus



> At this point, I have upgraded my gateway machine and shut all ports
except 22 and 80,
> and continue examining the 'tm2.tgz' package more closely. A first
preliminary examination of
> the package shows that it creates/modifies/exchanges the following files
:
>         /etc/inetd.conf, /usr/sbin/time, /bin/lpr, /bin/ps,
/bin/netstat,
>         /usr/sbin/inetd, /bin/ls, /var/log/secure, /var/log/messages,
>         /sbin/rpc.statd, /dev/hdbp, /dev/hdaq, /dev/^Madereet,
>         /dev/^Madereet/.backup, /dev/^Madereet/other,
/var/named/ADMROCKS.
> I would appreciate any comments, suggestions or feedback.
>
> Best regards,
> Kristinn Torfason
> quirc () quirc com