Security Incidents mailing list archives

Re: strange telnet behavior


From: "Raistlin" <raistlin () s0ftpj org>
Date: Thu, 21 Feb 2002 15:58:26 +0100

Hi, see http://www.securityfocus.com/archive/75/249597

I'd like to add that we had a similar incident and there was also an eggdrop
directory (which does not appear in the original rootkit) and the eggdrop
process was masked as well.

We stumbled into it by chance because a user ran an eggdrop and did not see
his process anymore ^_^

Raistlin

S0ftPj - Digital Security for Y2K


