Security Incidents mailing list archives

Questions


From: "Ihsahn Diablo" <traktopika () hotmail com>
Date: Wed, 21 Nov 2001 12:54:02 +0000

Heya,


I have a question about something I don't know why is on my server. The situation is this:
 - I found a directory /dev/.,
 - its contents are:

drwxrwxr-x    5 root     root         4096 Nov 14 15:37 .
drwx------   17 root     root         4096 Nov 21 10:52 ..
drwxr-xr-x    2 root     root         4096 Oct  3 04:21 adore
-rwxr-xr-x    1 root     root         5812 Oct  3 04:21 bechap
-rwxr-xr-x    1 root     root          734 Oct  3 04:21 cl
-rwxr-xr-x    1 root     root          105 Oct  3 04:21 clin
-rwxr-xr-x    1 root     root         6928 Oct  3 04:21 dp
-rwxrwxr-x    1 root     root         16285 Oct  3 03:44 epcs
-rwxr-xr-x    1 root     root         1474 Oct  3 04:21 inetd
drwxr-xr-x    2 root     root         4096 Oct  3 04:21 init
drwxr-xr-x    2 root     root         4096 Nov  6 14:22 pids
-rwxr-xr-x    1 root     root         5080 Oct  3 04:21 portscan
-rw-r--r--    1 root     root       202894 Oct  3 04:16 psibenece.tar.gz
-rw-r--r--    1 root     root         6413 Nov  6 14:22 ribut.log
-rw-r--r--    1 root     root      5086340 Nov 14 14:05 snifflog
-rw-rw-rw-    1 root     root       137790 Nov 14 13:58 ssh.log
-rw-r--r--    1 root     root           46 Oct  3 04:21 var

 - the analysis of these files shows:
  1. it is a rootkit
  2. the rootkit has a cleaner for logs, a portscanner, some logs, and a psybnc.
  3. in /usr/sbin/ I found "in.ttyd", which is a sshd2 and listens on port 60598, and config.cfg, which is a configuration file for the sniffer "1s" (one s), also found in /usr/sbin/.
  4. epcs is a local exploit, and dp I think is a remote one.

./dp
Usage: ./dp localport remoteport remotehost


So, does somebody know or has anyone seen this kind of rootkit and can tell me more about it? And I'm interested in what DP is; is it a remote exploit, and for what?
Because I think it is the way the attacker entered my system.

Sorry for my poor English,

Best regards,


Goba
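A small triage helper, added here as an example and not code from the original post or the list: it parses a saved `ls -la` listing of /dev (where only device nodes, symlinks and a few directories are expected) and flags regular files, executable bits, world-writable regular files and archives, using a trimmed copy of the listing above as constructed input.

```python
import re

# Constructed sample input: a trimmed copy of the /dev/. listing quoted in
# the post, plus one ordinary device node to show it is not flagged.
SAMPLE_LISTING = """\
drwxrwxr-x    5 root     root         4096 Nov 14 15:37 .
drwx------   17 root     root         4096 Nov 21 10:52 ..
drwxr-xr-x    2 root     root         4096 Oct  3 04:21 adore
-rwxr-xr-x    1 root     root         5812 Oct  3 04:21 bechap
-rwxrwxr-x    1 root     root        16285 Oct  3 03:44 epcs
-rw-r--r--    1 root     root       202894 Oct  3 04:16 psibenece.tar.gz
-rw-rw-rw-    1 root     root       137790 Nov 14 13:58 ssh.log
crw-rw-rw-    1 root     root       1,   3 Oct  3 04:21 null
"""

# type, 9 permission chars (optional ACL/SELinux marker), links, owner,
# group, size or "major, minor", date, name
LS_LINE = re.compile(
    r"^([-dlcbps])([rwxsStT-]{9})[.+]?\s+\d+\s+\S+\s+\S+\s+"
    r"(\d+(?:,\s*\d+)?)\s+(\w{3}\s+\d+\s+[\d:]+)\s+(.+)$"
)


def audit_dev_entries(listing):
    """Return {name: [reasons]} for regular files found in a /dev listing.

    Device nodes, symlinks and directories are expected in /dev and are
    skipped (so a 0666 /dev/null is not reported); any regular file is
    reported, with extra reasons for executable, world-writable and
    archive entries."""
    findings = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        ftype, perms, _size, _date, name = m.groups()
        if name in (".", "..") or ftype != "-":
            continue
        reasons = ["regular file under /dev"]
        if any(perms[i] in "xst" for i in (2, 5, 8)):   # u/g/o execute bits
            reasons.append("executable")
        if perms[7] == "w":                             # other-write bit
            reasons.append("world-writable")
        if name.endswith((".tar", ".tar.gz", ".tgz")):
            reasons.append("archive")
        findings[name] = reasons
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for name, why in audit_dev_entries(text).items():
        print(f"{name}: {', '.join(why)}")
```

Pipe a listing captured from the suspect host into the script (`ls -la /dev/<dir> | python3 audit.py`) rather than trusting tools on a box whose binaries may have been replaced.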



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

