Security Incidents mailing list archives

backdoor


From: Fabio Miranda <fmirand () yahoo com>
Date: Sat, 22 Jun 2002 20:02:19 -0700 (PDT)

Hi, my box was compromised, and I can't rm a binary
that listens over TCP. I need help/support; watch:
1. %nmap foo
....
898/tcp    open        unknown

2. %nc foo 898
HTTP/1.0 400 Bad Request
Date: Sat, 22 Jun 2002 16:36:02 GMT
Server: Tomcat/2.1
Content-Type: text/html
<h1>Error: 400</h1>
No detailed message

3. %netstat
...
30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock

4. % /usr/local/bin/lsof -U
java    436 root   25u  unix 105,25      0t0 35169 /devices/pseudo/tl@0:ticots->/tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)

5. %find / -inum 35169 -print -exec ls -sal {} \;
/var/sadm/pkg/SUNWapdoc
total 34
   2 drwxr-xr-x   4 root     root         512 Mar 24  2001 .
  26 dr-xr-xr-x 680 root     sys        13312 Jun 22 20:58 ..
   2 drwxr-xr-x   2 root     root         512 Mar 24  2001 install
   2 -rw-r--r--   1 root     root         932 Mar 24  2001 pkginfo
   2 drwxr-xr-x   2 root     root         512 Mar 24  2001 save
/devices/pseudo/tl@0:ticots
   0 crw-rw-rw-   1 root     sys      105,  0 Mar 24  2001 /devices/pseudo/tl@0:ticots


OK, what's happening? I am very confused: the inode
number lsof shows points to a directory and a character
device. How can I stop that listening binary?


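A way to get from the listening port to the owning process without chasing inode numbers, as an added example that is not part of the original post: the functions below parse `lsof -nP -iTCP:<port>` and `lsof -U` output (constructed samples are embedded; the java/PID 436/port 898 line and the cmdsock line are modelled on the post, the sshd lines and /var/run/example.sock are invented) and return the listening PIDs and the bound UNIX-socket paths.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample of what
# `lsof -nP -iTCP:898` prints when a java process listens on 898: the
# command, PID 436 and port are the post's, the other lines are made up.
LSOF_TCP_SAMPLE='COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    436 root   24u  IPv4 0x3000      0t0  TCP *:898 (LISTEN)
java    436 root   27u  IPv4 0x3001      0t0  TCP 10.0.0.5:898->10.0.0.9:40012 (ESTABLISHED)
sshd    120 root    3u  IPv4 0x3002      0t0  TCP *:22 (LISTEN)'

# Constructed `lsof -U` sample: first data line is the post's, second is invented.
LSOF_UNIX_SAMPLE='COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF  NODE NAME
java    436 root   25u  unix 105,25      0t0 35169 /devices/pseudo/tl@0:ticots->/tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)
sshd    120 root    4u  unix 105,26      0t0 35170 /devices/pseudo/tl@0:ticots->/var/run/example.sock (0x30001303b00)'

# PIDs holding a LISTEN socket on <port>, one per line.
# Usage: listening_pids <port> [lsof-output]; without the second argument
# it runs lsof itself (lsof must be in PATH; usually needs root).
listening_pids() {
    port=$1
    if [ $# -ge 2 ]; then out=$2; else out=$(lsof -nP -iTCP:"$port" 2>/dev/null); fi
    printf '%s\n' "$out" | awk -v p="$port" '
        $NF == "(LISTEN)" && $(NF-1) ~ (":" p "$") { print $2 }' | sort -u
}

# UNIX-domain socket paths bound by <pid>, from `lsof -U` output. The NODE
# column is an inode on the filesystem holding the socket's device node, and
# inode numbers are unique only within one filesystem, so `find / -inum NODE`
# also reports unrelated files on other filesystems (as it did in the post).
unix_socket_paths() {
    pid=$1
    if [ $# -ge 2 ]; then out=$2; else out=$(lsof -U -p "$pid" 2>/dev/null); fi
    printf '%s\n' "$out" | awk -v pid="$pid" '
        $2 == pid && $5 == "unix" {
            n = index($9, "->"); if (n) print substr($9, n + 2)  # "->path" is the bound path
        }' | sort -u
}

# Executable behind a PID: Solaris exposes /proc/<pid>/path/a.out, Linux
# /proc/<pid>/exe. Inspect this before stopping the process by PID.
exe_of_pid() {
    for link in "/proc/$1/path/a.out" "/proc/$1/exe"; do
        [ -e "$link" ] && { ls -l "$link"; return 0; }
    done
    return 1
}
```

Once the PID is known, the process is stopped by PID (or by disabling the service that starts it), not by searching for the socket path or the NODE number on disk.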

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

