Security Incidents mailing list archives

Re: WZAP Exploit


From: Pheh <pheh () THE WHOLE NET>
Date: Tue, 16 Jan 2001 22:08:42 -0500

If a wtmp/utmp editor (zapper) is sitting on your system - a) someone is
trying to hack root on your box who already has an account or b) someone
has root on your box and has been attempting to cover their tracks.  Is
the program root owned?  If so, you can be 100% sure your box is rooted
and you may as well start a rebuild.  Regardless, you should pull your
ethernet connection to the box and scour it.

Now obviously I don't know your exact scenario, but seeing your @home
email I'm going to go out on a limb.  Is this a Red Hat box you have
sitting off a cable modem?  Did you bother to run any patches on
it?  Understand that if the answers are yes for the former and no for the
latter that you are indirectly contributing to DDoS attacks and providing
jump points for internet hooligans.

Good luck to you.

Wilbur
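As an added example (not part of the thread above), here is one way a defender can check for the kind of wtmp/utmp tampering a zapper leaves behind: parse the records and flag entries that were overwritten with zeros or whose timestamps run backwards. It assumes the 384-byte Linux glibc struct utmp layout and uses a constructed sample file rather than a real log.

```python
import struct

# Linux glibc struct utmp (x86_64) is 384 bytes per record; wtmp is append-only,
# so login(1) never writes a fully zeroed record and timestamps never go backwards.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Yield one dict per whole record; a trailing partial record is ignored."""
    for i in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        chunk = data[i:i + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        yield {"idx": i // UTMP_SIZE, "type": f[0], "pid": f[1],
               "user": f[4].rstrip(b"\0").decode(errors="replace"),
               "host": f[5].rstrip(b"\0").decode(errors="replace"),
               "tv_sec": f[9], "zeroed": chunk == b"\0" * UTMP_SIZE}

def find_tampering(data):
    """Return (record index, reason) for zeroed records and out-of-order times."""
    findings, last_ts = [], 0
    for r in parse_wtmp(data):
        if r["zeroed"]:                      # classic zap signature: entry nulled in place
            findings.append((r["idx"], "zeroed record"))
            continue
        if r["tv_sec"] < last_ts:            # file rewritten / entries removed and repacked
            findings.append((r["idx"], "timestamp earlier than previous record"))
        last_ts = max(last_ts, r["tv_sec"])
    return findings

# Constructed sample: alice logs in, one entry is nulled by a zapper, alice logs out,
# then a record whose timestamp predates the previous one.
T0 = 979700000  # constructed epoch seconds, Jan 2001
SAMPLE_WTMP = b"".join([
    pack_record(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", T0),
    b"\0" * UTMP_SIZE,
    pack_record(DEAD_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", T0 + 600),
    pack_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.9", T0 + 300),
])

if __name__ == "__main__":
    for idx, why in find_tampering(SAMPLE_WTMP):
        print(f"record {idx}: {why}")
```

To run it against a real file, read /var/log/wtmp from a clean boot medium (not the possibly compromised host's own tools) and pass the bytes to find_tampering().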


On Tue, 16 Jan 2001, Rick King wrote:

I noticed a wzap file in the /var/log directory on my RH 6.1 box today and
was wondering if someone can give me more information on what kind of
exploit this is.  I know it's a program that allows someone to cover their
tracks, but that's about it.  What kind of problem can this cause in the
future if it's sitting on my Linux box now and what can I do to remove it?


Thanks,
Rick.


