RE: New maniac rootkit

[Chris Huseman <ChrisH () A-t-g com>]

> -rwxr-xr-x   1 root     root        44313 Apr  2 15:24 bnc
>       - Bot Net Client?  bnc.conf mentions port 6667
> -rw-r--r--   1 root     ftp            52 May 11 08:19 bnc.conf
>       - bnc's config file


> I also know it's making IRC connections, plus has at least one
> rootshell running.  I can't confirm this without modifying bits
> of the box, to replace ps with a known good copy, and I can't do
> that until one of my colleagues looks at it to get first hand
> experience.


BNC is an IRC proxy.  See: http://www.gotbnc.com

You may be able to get more info on your intruder by seeing who it is that
is using that bnc.. find a clean copy of netstat and look at the port
bnc.conf says its listening on.

-chris