Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Possible break in

From: Alexandros Kyriakides <alex1 () MIT EDU>
Date: Mon, 22 Mar 2004 10:31:16 -0500 (EST)

I am wondering if anyone can give me some help with this incident. The
only related thing I found on-line was this:

http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html



The box I have is running linux mandrake 8.0. What I have found until now
is the following:


1) Two new binary files:

/usr/bin/dbproc
/usr/bin/gnorp



2) Appended at the end of inittab and rc.local:

inittab:
a:2345:once:/usr/bin/dbproc
a:2345:once:/bin/end

rc.local:
#Starting gnorp
/usr/bin/gnorp
#The End
/bin/end


3) lsattr gives:

suS-iadAcj--- /etc/inittab
suS-iadAcj--- /etc/rc.local




Has anyone seen this before? I am also interested in finding out how this
happened, if possible. Any help is greatly appreciated.


The two binary files can be found at:

http://web.mit.edu/alex1/www/binaries/


---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at 
http://www.securityfocus.com/sponsor/Astaro_incidents_040301
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: