Security Incidents mailing list archives
backdoor
From: Fabio Miranda <fmirand () yahoo com>
Date: Sat, 22 Jun 2002 20:02:19 -0700 (PDT)
Hi,

My box was compromised, and I can't rm a binary that listens over TCP. I need help support, watch:

1. %nmap foo
   ....
   898/tcp open unknown

2. %nc foo 898
   HTTP/1.0 400 Bad Request
   Date: Sat, 22 Jun 2002 16:36:02 GMT
   Server: Tomcat/2.1
   Content-Type: text/html

   <h1>Error: 400</h1>
   No detailed message

3. %netstat
   ...
   30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock

4. % /usr/local/bin/lsof -U
   java 436 root 25u unix 105,25 0t0 35169 /devices/pseudo/tl@0:ticots-> /tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)

5. %find / -inum 35169 -print -exec ls -sal {} \;
   /var/sadm/pkg/SUNWapdoc
   total 34
   2 drwxr-xr-x 4 root root 512 Mar 24 2001 .
   26 dr-xr-xr-x 680 root sys 13312 Jun 22 20:58 ..
   2 drwxr-xr-x 2 root root 512 Mar 24 2001 install
   2 -rw-r--r-- 1 root root 932 Mar 24 2001 pkginfo
   2 drwxr-xr-x 2 root root 512 Mar 24 2001 save
   /devices/pseudo/tl@0:ticots
   0 crw-rw-rw- 1 root sys 105, 0 Mar 24 2001 /devices/pseudo/tl@0: ticots

OK, what's happening? I am very confused: the inode number lsof shows points to a directory and a character device. How can I stop that listening binary?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com