Security Incidents mailing list archives
Questions
From: "Ihsahn Diablo" <traktopika () hotmail com>
Date: Wed, 21 Nov 2001 12:54:02 +0000
Heya,

I have a question about something that I don't know why it is on my server. So the situation is this:

- I found a directory /dev/.,
- its contents are:

  drwxrwxr-x   5 root root    4096 Nov 14 15:37 .
  drwx------  17 root root    4096 Nov 21 10:52 ..
  drwxr-xr-x   2 root root    4096 Oct  3 04:21 adore
  -rwxr-xr-x   1 root root    5812 Oct  3 04:21 bechap
  -rwxr-xr-x   1 root root     734 Oct  3 04:21 cl
  -rwxr-xr-x   1 root root     105 Oct  3 04:21 clin
  -rwxr-xr-x   1 root root    6928 Oct  3 04:21 dp
  -rwxrwxr-x   1 root root   16285 Oct  3 03:44 epcs
  -rwxr-xr-x   1 root root    1474 Oct  3 04:21 inetd
  drwxr-xr-x   2 root root    4096 Oct  3 04:21 init
  drwxr-xr-x   2 root root    4096 Nov  6 14:22 pids
  -rwxr-xr-x   1 root root    5080 Oct  3 04:21 portscan
  -rw-r--r--   1 root root  202894 Oct  3 04:16 psibenece.tar.gz
  -rw-r--r--   1 root root    6413 Nov  6 14:22 ribut.log
  -rw-r--r--   1 root root 5086340 Nov 14 14:05 snifflog
  -rw-rw-rw-   1 root root  137790 Nov 14 13:58 ssh.log
  -rw-r--r--   1 root root      46 Oct  3 04:21 var

- the analysis of these files shows:

1. It is a rootkit.
2. The rootkit has a cleaner for logs, a portscanner, some logs, and a psybnc.
3. In /usr/sbin/ I found "in.ttyd", which is an sshd2 and listens on port 60598, and config.cfg, which is a configuration file for the sniffer "1s" (one s), found in /usr/sbin/.
4. epcs is a local exploit, and dp I think is a remote one.

  ./dp
  Usage: ./dp localport remoteport remotehost

So, does anybody know or has anybody seen this kind of rootkit and can tell me more about it? And I'm interested in what DP is; is it a remote exploit, and for what?
Because I think it is the way by which the attacker entered my system.

Sorry for my poor English,
Best regards,
Goba
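The post describes attacker tools and logs stored in a directory under /dev, where normally only device nodes, symlinks and a few well-known directories live. The following sweep for that condition is an added example, not part of the original message; the function name and the allowlist of legitimate directories are assumptions to adjust per host.

```python
import os
import stat

# Assumed allowlist: top-level /dev directories that legitimately hold
# regular files on many Linux systems. Tune this for the host being checked.
DEFAULT_ALLOW = ("shm", "mqueue", "hugepages")

def suspicious_dev_entries(root="/dev", allow=DEFAULT_ALLOW):
    """Return sorted (relative_path, reason) pairs for entries that do not
    belong in a device directory: regular files and dot-named directories."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            # Do not descend into allowlisted top-level directories.
            dirnames[:] = [d for d in dirnames if d not in allow]
        for d in dirnames:
            if d.startswith("."):
                rel = os.path.normpath(os.path.join(rel_dir, d))
                findings.append((rel, "hidden directory"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                mode = os.lstat(full).st_mode  # lstat: never follow symlinks
            except OSError:
                continue  # entry vanished between listing and stat
            if stat.S_ISREG(mode):
                kind = "executable regular file" if mode & 0o111 else "regular file"
                rel = os.path.normpath(os.path.join(rel_dir, name))
                findings.append((rel, kind))
    return sorted(findings)

if __name__ == "__main__":
    for path, reason in suspicious_dev_entries():
        print(f"{reason}: /dev/{path}")
```

On a host suspected of running a kernel-level rootkit, run the sweep against the disk mounted read-only from trusted media, since the running kernel may hide entries from directory listings.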