Security Incidents mailing list archives
RE: New maniac rootkit
From: Chris Huseman <ChrisH () A-t-g com>
Date: Thu, 21 Jun 2001 08:28:57 -0500
-rwxr-xr-x 1 root root 44313 Apr 2 15:24 bnc - Bot Net Client? bnc.conf mentions port 6667 -rw-r--r-- 1 root ftp 52 May 11 08:19 bnc.conf - bnc's config file
I also know it's making IRC connections, plus has at least one rootshell running. I can't confirm this without modifying bits of the box, to replace ps with a known good copy, and I can't do that until one of my colleagues looks at it to get first hand experience.
BNC is an IRC proxy. See: http://www.gotbnc.com You may be able to get more info on your intruder by seeing who it is that is using that bnc.. find a clean copy of netstat and look at the port bnc.conf says its listening on. -chris
Current thread:
- New maniac rootkit Andrew Heath (Jun 20)
- Re: New maniac rootkit Denis Ducamp (Jun 21)
- Re: New maniac rootkit Chris Ess (Jun 21)
- Re: New maniac rootkit Daniel Martin (Jun 22)
- <Possible follow-ups>
- RE: New maniac rootkit Chris Huseman (Jun 21)
- Re: New maniac rootkit Aropalo Tommi (Jun 22)