Security Incidents mailing list archives
Re: Possible break in
From: Chris Albert <albert () dms umontreal ca>
Date: Mon, 22 Mar 2004 11:07:32 -0500
Alexandros Kyriakides wrote:
> I am wondering if anyone can give me some help with this incident. The only related thing I found on-line was this: http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html
> The box I have is running linux mandrake 8.0. What I have found until now is the following:
> 1) Two new binary files:
>    /usr/bin/dbproc
>    /usr/bin/gnorp

gnorp just runs dbproc, which looks like it is part of a rootkit for hiding processes. Running strings on that will show the location of other files (tabbed out). Some of the text is in Roumanian:
<snip strings output>
Can't open a tty, all in use ?
Can't fork subshell, there is no way...
HOME=/usr/include/rpms
HISTFILE=/dev/null
SHELL=/bin/bash
TERM=linux
pqrstuvwxyzabcde
0123456789abcdef
/dev/ptmx
/dev/pty
/dev/tty
/dev/null
/bin/sh
Can't execve shell!
Start...
FUCK: (%d)
Pid=%d
/usr/include/rpms/.rc
Folosire: %s <uivfp> [args]              (English: Usage: %s <uivfp> [args])
u - Uninstall
i - Pid invizibil                        (English: i - Pid invisible)
v - Pid vizibil                          (English: v - Pid visible)
f [0/1] - Fisiere ascunse                (English: f [0/1] - Hidden files)
p [0/1] - Piduri ascunse                 (English: p [0/1] - Hidden pids)
Nu am reusit sa il dezinstalez (%d)      (English: Failed to uninstall it (%d))
Nu am reusit sa ascund pidul %d (%d)     (English: Failed to hide pid %d (%d))
Nu am reusit sa arat pidul %d (%d)       (English: Failed to show pid %d (%d))
Failed to change %s hiding (%d)!
Versiune: %s                             (English: Version: %s)
Dezinstalat                              (English: Uninstalled)
Pidul %d e ascuns                        (English: Pid %d is hidden)
Pidul %d e vizibil                       (English: Pid %d is visible)
file %s hiding is now %s!
__kmalloc
/dev/kmem
RK_Init: idt=0x%08x, sct[]=0x%08x,
FUCK: Can't find kmalloc()!
kmalloc()=0x%08x, gfp=0x%x
FUCK: Out of kernel memory!
Done, %d bytes, base=0x%08x
FUCK: Can't open %s for read/write (%d)
FUCK: IDT table read failed (offset 0x%08x)
FUCK: Can't find sys_call_table[]
FUCK: Can't read syscall %d addr
Z_Init: Allocating kernel-code memory...
core/sbin/initrpms
Fuck mai e o gasca pe aici %d            (English: Fuck, there's another gang around here %d)
0123456789abcdefghijklmnopqrstuvwxyz
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
<NULL>
/dev/null
1.3b
rpms/usr/include/rpms/zero.so
/proc/
/proc/net/
socket:[
/sbin/init
/sbin/initrpms
login
telnet
rlogin
rexec
passwd
adduser
mysql
ssword:
</snip>

Chris
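Added triage example for this archive page (editor's code, not from the thread and not the rootkit's own code). The quoted strings show a /dev/kmem rootkit that resolves __kmalloc, reads the IDT to locate sys_call_table, and hides pids and files, plus a pty backdoor shell with HISTFILE=/dev/null. The script below does two things a responder would do on such a box: a `strings`-style scan of a binary for those indicators, and a hidden-PID check that compares what readdir() on /proc reports against what kill(pid, 0) admits exists. It assumes Python 3 on Linux; SAMPLE_DBPROC is a constructed stand-in built from the strings quoted above, not the real dbproc.

```python
#!/usr/bin/env python3
"""Triage for a /dev/kmem process-hiding rootkit (added example, not thread code).

Indicator strings are taken from the strings output quoted above; the sample
binary below is constructed here. Assumes Python 3 on a Linux host.
"""
import os
import re
import sys

# Strings from the quoted output that point at a kernel rootkit which hooks
# the syscall table through /dev/kmem and ships a pty backdoor shell.
KMEM_ROOTKIT_INDICATORS = {
    b"/dev/kmem": "reads/writes kernel memory from userland",
    b"sys_call_table": "locates the syscall table to hook entries",
    b"__kmalloc": "resolves kmalloc to allocate kernel memory for its code",
    b"IDT table": "reads the IDT to reach the syscall entry point",
    b"HISTFILE=/dev/null": "backdoor shell with history disabled",
    b"/dev/ptmx": "allocates a pty for the backdoor shell",
    b"ssword:": "password-prompt matching (credential sniffer)",
}

# Constructed stand-in for /usr/bin/dbproc: ELF magic followed by
# NUL-separated strings copied from the quoted output.
SAMPLE_DBPROC = b"\x7fELF\x01\x01\x01" + b"\x00".join([
    b"HISTFILE=/dev/null", b"SHELL=/bin/bash", b"/dev/ptmx", b"__kmalloc",
    b"/dev/kmem", b"FUCK: Can't find sys_call_table[]",
    b"FUCK: IDT table read failed (offset 0x%08x)", b"ssword:",
]) + b"\x00"


def printable_strings(data, min_len=4):
    """Same idea as `strings -n MIN_LEN`: runs of printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scan_indicators(data):
    """Map each indicator present in `data` to a short explanation."""
    return {ind.decode(): why for ind, why in KMEM_ROOTKIT_INDICATORS.items()
            if ind in data}


def list_proc_pids(proc="/proc"):
    """PIDs as readdir() on /proc reports them (what ps and top see)."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probe_pids(max_pid=None):
    """PIDs the kernel admits exist when asked directly via kill(pid, 0).

    A rootkit that hooks getdents() drops entries from the /proc listing,
    but kill(2) returns ESRCH only for pids that really do not exist
    (EPERM means the process exists but belongs to someone else).
    """
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def find_hidden(listed_before, probed, listed_after):
    """PIDs that answered the probe but appeared in neither /proc listing.

    Two listings bracket the probe so a process that merely exited between
    the listing and the probe is not reported; very short-lived processes
    can still slip through, so rerun before acting on a single hit.
    """
    return sorted(set(probed) - (set(listed_before) | set(listed_after)))


def main(argv):
    for path in argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        hits = scan_indicators(data)
        print(f"{path}: {len(hits)} rootkit indicator(s)")
        for ind, why in hits.items():
            print(f"  {ind!r:30} {why}")
    before = list_proc_pids()
    probed = probe_pids()
    after = list_proc_pids()
    hidden = find_hidden(before, probed, after)
    print("hidden pids:", hidden or "none found (a rootkit that also hooks "
          "kill/stat would pass this check)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 triage.py /usr/bin/dbproc /usr/bin/gnorp` from a trusted copy of the interpreter (a live kmem rootkit can lie to any tool on the box, so treat a clean result as inconclusive and compare against an offline image of the disk).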
Current thread:
- Possible break in Alexandros Kyriakides (Mar 22)
- Re: Possible break in ben (Mar 22)
- Re: Possible break in Alexandros Kyriakides (Mar 22)
- Re: Possible break in Chris Albert (Mar 22)
- Re: Possible break in Thorsten Holz (Mar 22)
- Re: Possible break in Alexandros Kyriakides (Mar 23)
- Re: Possible break in ben (Mar 22)