Security Incidents mailing list archives
xsf/xchk
From: Vladimir Ivaschenko <hazard () francoudi com>
Date: Tue, 22 Jan 2002 18:20:19 +0200
Hi, Today a RedHat 7.1 Linux machine of my friend was compromised. I have just started investigating, so I don't have any information of how it was done. After attack login via console stopped working. I have found the following files in /usr/bin: xchk and xsf. They are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon sitting on port 14859. I don't know what is the purpose of xchk. killall and ps were also replaced by programs which hide xsf and xchk. Does anyone saw something similar before and can point me to some information? I tried searching for xsf / xchk in Google and didn't have any results. -- Best Regards Vladimir Ivaschenko Certified Linux Engineer (RHCE) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- xsf/xchk Vladimir Ivaschenko (Jan 22)
- optic rootkit (was Re: xsf/xchk) Vladimir Ivaschenko (Jan 22)
- RPC EXPLOIT statdx John Stauffacher (Jan 23)
- Re: RPC EXPLOIT statdx Brian (Jan 23)
- RPC EXPLOIT statdx John Stauffacher (Jan 23)
- optic rootkit (was Re: xsf/xchk) Vladimir Ivaschenko (Jan 22)