Security Incidents mailing list archives

/etc/ld.so.preload was: strange telnet behavior


From: Jens Hektor <hektor () rz rwth-aachen de>
Date: 20 Feb 2002 06:00:09 -0000


In-Reply-To: <20020218161308.A26890 () francoudi com>

Hi.

The fact that /etc/ld.so.preload is successfully opened
reminds me of some machines cracked lately at our site.

In the preload file there was a lib listed (libshow) that
successfully hid itself as well as other files/processes/...

Check that system with a bootable (recovery) CD
to see what is loaded via the preload.

Bye, Jens Hektor

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
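
An added example (not part of the original message): a shell function that reads `etc/ld.so.preload` from a suspect disk mounted under a rescue system and reports each listed library, so the check does not depend on the compromised system's own tools. The mount point `/mnt/suspect` and the function name `list_preload` are assumptions; the parsing follows glibc's handling of `#` comments and whitespace or colon separators.

```shell
#!/bin/sh
# Added example: inspect the preload list of an offline-mounted root.
# Run from rescue media, with the suspect disk mounted read-only.

# list_preload ROOT
# Prints one line per entry of ROOT/etc/ld.so.preload:
#   PRESENT  <path>   listed and found on the mounted disk
#   SYMLINK  <path>   listed path is a symlink (inspect its target by hand)
#   MISSING  <path>   listed but not on disk
#   SEARCHED <name>   no leading slash: resolved via the library search path
# Prints "NOFILE /etc/ld.so.preload" when the file does not exist.
list_preload() {
    root=${1%/}
    file="$root/etc/ld.so.preload"
    if [ ! -e "$file" ]; then
        echo "NOFILE /etc/ld.so.preload"
        return 0
    fi
    # Drop '#' comments, then split on colon, space and tab.
    sed 's/#.*//' "$file" | tr ': \t' '\n\n\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        case "$entry" in
            /*)
                # Test -L first: an absolute symlink target would otherwise
                # be resolved against the rescue system, not the suspect disk.
                if [ -L "$root$entry" ]; then
                    echo "SYMLINK $entry"
                elif [ -e "$root$entry" ]; then
                    echo "PRESENT $entry"
                else
                    echo "MISSING $entry"
                fi
                ;;
            *)
                echo "SEARCHED $entry"
                ;;
        esac
    done
}

# Stand-alone use: sh script.sh /mnt/suspect   (mount point is an assumption)
if [ "$#" -gt 0 ]; then
    list_preload "$1"
fi
```

Any entry reported here deserves a closer look on the mounted disk, since most systems ship with no `/etc/ld.so.preload` at all or with an empty one.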