Security Incidents mailing list archives

Re: hpd, afb, sc, and sn


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Fri, 20 Dec 2002 15:28:48 -0700

On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:
> I found suspicious looking files on a Redhat 7.1 Linux server earlier
> today.  Can anyone confirm or deny that the machine has been hacked?

Oh ya.  Maybe more than once.

> According to an rpm -V, all kinds of binaries have been changed: ps,
> top, netstat, ifconfig, ...
>
> I copied a good version of ps in and found the two afb processes
> running.
>
> Anyone know about this hack, what afb does and/or how they usually get
> in?

http://www.chkrootkit.org/

Chkrootkit might be able to diagnose your problems.  I'd hit
http://www.google.com, and http://isc.incidents.org/ and see what pops
up.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         I should be biking right now.   Computer Science

