Security Incidents mailing list archives
Re: hpd, afb, sc, and sn
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Fri, 20 Dec 2002 15:28:48 -0700
On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:
> I found suspicious looking files on a Redhat 7.1 Linux server earlier today. Can anyone confirm or deny that the machine has been hacked?

Oh ya. Maybe more than once.

> According to an rpm -V, all kinds of binaries have been changed: ps, top, netstat, ifconfig, ... I copied a good version of ps in and found the two afb processes running. Anyone know about this hack, what afb does and/or how they usually get in?
http://www.chkrootkit.org/ Chkrootkit might be able to diagnose your problems. I'd hit http://www.google.com, and http://isc.incidents.org/ and see what pops up.

-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca        University Of Calgary
(_)/(_)         I should be biking right now.   Computer Science

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com