Re: need further help with break in

From: Seth Arnold (sarnoldat_private)
Date: Thu Aug 01 2002 - 11:02:47 PDT


    On Thu, Aug 01, 2002 at 04:42:38PM +0200, Ingram wrote:
    > I think 'slogin' is the most interesting, or? And what sense can it
    > make to modify 'newaliases'?
    
    On my system, newaliases, mailq, etc, are symlinks to the sendmail
    binary. (I had expected them to be hardlinks, but maybe I just misrecall
    how sendmail handles its various programs.)
    
    Modify one, the rest change too.
    
    > I expected to find trojaned ps, netstat, etc. but nothing. Hmm maybe the
    > attacker did _not_ use a rootkit (strange?) or he has used some exotic
    > one.
    
    No real need; the modified programs are all programs you might expect to
    see running anyway...
    
    -- 
    http://www.wirex.com/
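
The point in the message above, that several flagged names can be one modified binary reached through links, as an added example (not part of the original message). It groups paths reported by an integrity checker by the file they resolve to; the directory layout, the `hardlinked` name and the file contents are constructed for the demonstration.

```python
import os
import tempfile
from collections import defaultdict


def group_flagged(paths):
    """Collapse integrity-checker hits into the distinct files behind them.

    os.stat() follows symlinks, so a symlink and its target get the same
    (device, inode) key; hardlinks share that key too.
    """
    groups = defaultdict(list)
    for path in paths:
        try:
            st = os.stat(path)
            key = (st.st_dev, st.st_ino)
        except OSError:
            key = ("unresolved", path)  # dangling symlink or vanished file
        kind = "symlink" if os.path.islink(path) else "file"
        groups[key].append((path, kind))
    return list(groups.values())


def build_demo_tree(root):
    """Constructed layout: one binary, two symlinks, one hardlink, one unrelated file."""
    sendmail = os.path.join(root, "sendmail")
    with open(sendmail, "wb") as fh:
        fh.write(b"constructed stand-in for the sendmail binary\n")
    names = {"sendmail": sendmail}
    for alias in ("newaliases", "mailq"):
        names[alias] = os.path.join(root, alias)
        os.symlink("sendmail", names[alias])  # relative target, same directory
    names["hardlinked"] = os.path.join(root, "hardlinked")
    os.link(sendmail, names["hardlinked"])
    names["slogin"] = os.path.join(root, "slogin")
    with open(names["slogin"], "wb") as fh:
        fh.write(b"constructed unrelated binary\n")
    return names


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        flagged = build_demo_tree(root)
        for members in group_flagged(flagged.values()):
            print(len(members), "name(s), one file:")
            for path, kind in members:
                print("   ", kind, os.path.basename(path))
```

Five flagged names collapse to two files here, so only two binaries need to be compared against known-good copies.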
    
    
    


