Security Incidents mailing list archives
Re: WZAP Exploit
From: Pheh <pheh () THE WHOLE NET>
Date: Tue, 16 Jan 2001 22:08:42 -0500
If a wtmp/utmp editor (zapper) is sitting on your system - a) someone is trying to hack root on your box who already has an account or b) someone has root on your box and has been attempting to cover their tracks. Is the program root owned? If so, you can be 100% sure your box is rooted and you may as well start a rebuild. Regardless, you should pull your ethernet connection to the box and scour it.

Now obviously I don't know your exact scenario, but seeing your @home email I'm going to go out on a limb. Is this a Red Hat box you have sitting off a cable modem? Did you bother to run any patches on it? Understand that if the answers are yes for the former and no for the latter that you are indirectly contributing to DDoS attacks and providing jump points for internet hooligans.

Good luck to you.

Wilbur

On Tue, 16 Jan 2001, Rick King wrote:
I noticed a wzap file in the /var/log directory on my RH 6.1 box today and was wondering if someone can give me more information on what kind of exploit this is. I know it's a program that allows someone to cover their tracks, but that's about it. What kind of problem can this cause in the future if it's sitting on my Linux box now and what can I do to remove it?

Thanks,
Rick.
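
The check the reply asks for (is there a program sitting in the log directory, and is it root-owned), written as an added example that is not part of the original thread. The function names and the tab-separated output format are assumptions made here, and GNU `stat` (as on Linux) is assumed.

```sh
#!/bin/sh
# Added example: find files under a log directory that look like programs
# (ELF magic bytes or any execute bit) and report who owns them.
# Log directories normally hold data files only.

# Prints one line per hit: owner_uid <TAB> mode <TAB> kind <TAB> path
scan_log_dir() {
    find "$1" -xdev -type f -exec sh -c '
        for f do
            kind=
            # An ELF binary starts with the bytes 7f 45 4c 46.
            magic=$(od -An -tx1 -N4 "$f" 2>/dev/null | tr -d " \n")
            [ "$magic" = "7f454c46" ] && kind=elf
            mode=$(stat -c %a "$f") || continue
            # Drop the setuid/setgid/sticky digit, keep the rwx digits.
            case $mode in ????) perm=${mode#?} ;; *) perm=$mode ;; esac
            # An odd octal digit means an execute bit is set.
            case $perm in *[1357]*) kind=${kind:+$kind,}exec-bit ;; esac
            [ -n "$kind" ] || continue
            printf "%s\t%s\t%s\t%s\n" "$(stat -c %u "$f")" "$mode" "$kind" "$f"
        done' sh {} +
}

# Only the hits owned by uid 0, the case the reply treats as a rooted box.
root_owned_hits() {
    scan_log_dir "$1" | awk -F'\t' '$1 == 0'
}

# Run against /var/log only when executed directly with an argument,
# e.g.:  sh scan.sh /var/log
if [ "${1:-}" ]; then
    scan_log_dir "$1"
fi
```

On a host that may already be compromised, run this with `find`, `stat`, `od` and `sh` taken from trusted media, since the installed copies may have been replaced.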