Sirs, the attached ssh trojan was found on one of the systems connected to our network.

MD5: 474b2cc161dd428de6226914ba48281f

Details:
Machine: Linux Mandrake release 8.0 (Traktopel) for i586
Primary use: Mail Server with remote admin via SSH.
Original SSH server was disabled: OpenSSH_2.5.2p2
Trojan listens on port 65298 TCP
Installed as /usr/sbin/mingetty
Banner: SSH-1.5-Dragos's Empire Inc.
Chkrootkit -r /usr/sbin detected nothing
Chkrootkit -r / detected nothing
Chkrootkit -r /usr/sbin/mingetty detected nothing

Lsof Output:

[root@mail temp]# lsof -p 23256
COMMAND    PID USER   FD   TYPE DEVICE    SIZE NODE NAME
mingetty 23256 root  cwd    DIR    3,1     408    2 /
mingetty 23256 root  rtd    DIR    3,1     408    2 /
mingetty 23256 root  txt    REG    3,6  654387 6455 /usr/sbin/mingetty
mingetty 23256 root  mem    REG    3,1  420778   67 /lib/ld-2.2.2.so
mingetty 23256 root  mem    REG    3,1   78208   80 /lib/libnsl-2.2.2.so
mingetty 23256 root  mem    REG    3,1   21812   74 /lib/libcrypt-2.2.2.so
mingetty 23256 root  mem    REG    3,1    8284  102 /lib/libutil-2.2.2.so
mingetty 23256 root  mem    REG    3,1 1216268   72 /lib/libc-2.2.2.so
mingetty 23256 root    0u   CHR    1,3           62 /dev/null
mingetty 23256 root    1u   CHR    1,3           62 /dev/null
mingetty 23256 root    2u   CHR    1,3           62 /dev/null
mingetty 23256 root    3u   CHR    5,1         4838 /dev/console
mingetty 23256 root    4u   CHR    5,1         4838 /dev/console
mingetty 23256 root    5u   CHR    5,1         4838 /dev/console
mingetty 23256 root    6u  IPv4 122992          TCP *:65298 (LISTEN)
mingetty 23256 root   21w  FIFO    0,0           16 pipe
[root@mail temp]#

Any help will be appreciated to grab further info on this.

P.S. The executable is about 650 Kb so I cannot attach it to this message. Even a .tar is about 200k, so anyone who wants to see it, email me and I will send it.

Thanks,
Erick A. Perez H.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
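The report above shows the two facts a responder can check mechanically on a host like this: a terminal program (mingetty) holding a TCP LISTEN socket, and an SSH identification string that is not the OpenSSH build the system shipped with. The following is an added example written for this page, not code from the poster, from chkrootkit or from SecurityFocus. It parses `lsof` rows of the format quoted above, flags listening sockets that contradict the host's expected role, and classifies an SSH banner. The sample `lsof` text, the `EXPECTED_LISTENERS` map and the `NEVER_LISTENS` set are constructed assumptions for a mail host administered over SSH; tune them to the real system.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the lsof -p output quoted in the post;
# it is not the original capture and keeps only a few representative rows.
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE    SIZE NODE NAME
mingetty 23256 root  cwd    DIR    3,1     408    2 /
mingetty 23256 root  txt    REG    3,6  654387 6455 /usr/sbin/mingetty
mingetty 23256 root    3u   CHR    5,1         4838 /dev/console
mingetty 23256 root    6u  IPv4 122992          TCP *:65298 (LISTEN)
mingetty 23256 root   21w  FIFO    0,0           16 pipe
"""

# Assumed for this example: a mail host with remote admin over SSH should
# only have these daemons listening.  {port: command name as lsof reports it}
EXPECTED_LISTENERS = {22: "sshd", 25: "sendmail"}

# Assumed list of programs that manage terminals and never open sockets.
NEVER_LISTENS = {"mingetty", "agetty", "getty", "login"}

# One lsof socket row: COMMAND PID USER FD IPv4|IPv6 DEVICE TCP|UDP NAME (STATE)
SOCKET_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+IPv[46]\s+"
    r"\S+\s+(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?\s*$"
)


@dataclass(frozen=True)
class Listener:
    cmd: str
    pid: int
    user: str
    proto: str
    addr: str
    port: int


def parse_listeners(lsof_text: str) -> list:
    """Extract listening TCP sockets and bound UDP sockets from lsof output."""
    listeners = []
    for line in lsof_text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue                      # file, tty, pipe and mmap rows
        if m["proto"] == "TCP" and m["state"] != "LISTEN":
            continue                      # established or closing connections
        addr, _, port = m["name"].rpartition(":")
        listeners.append(Listener(m["cmd"], int(m["pid"]), m["user"],
                                  m["proto"], addr, int(port)))
    return listeners


def audit_listeners(lsof_text: str, expected=EXPECTED_LISTENERS) -> list:
    """Return one finding per socket that contradicts the host's expected role."""
    findings = []
    for l in parse_listeners(lsof_text):
        if l.cmd in NEVER_LISTENS:
            findings.append(f"{l.cmd}[{l.pid}] is a tty program but listens on "
                            f"{l.proto} {l.addr}:{l.port}")
        owner = expected.get(l.port)
        if owner is None:
            findings.append(f"unexpected {l.proto} port {l.port} owned by "
                            f"{l.cmd}[{l.pid}] as {l.user}")
        elif owner != l.cmd:
            findings.append(f"port {l.port} should belong to {owner}, "
                            f"found {l.cmd}[{l.pid}]")
    return findings


# SSH identification string: SSH-protoversion-softwareversion [comments]
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


def classify_ssh_banner(banner: str) -> str:
    """Tell an OpenSSH banner apart from an unfamiliar SSH implementation."""
    m = SSH_BANNER_RE.match(banner.strip())
    if not m:
        return "not-ssh"
    if m["software"].startswith("OpenSSH_"):
        return "openssh"
    return "unknown-implementation"


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LSOF):
        print("FINDING:", finding)
    print(classify_ssh_banner("SSH-1.5-Dragos's Empire Inc."))
```

Run it against `lsof -i -P -n` output from the real host (the `-P -n` flags keep ports and addresses numeric, which is what the regex expects). Both checks are behavioural rather than signature based, which is why they still fire when a signature scanner such as chkrootkit reports nothing: a getty variant owning a socket is wrong regardless of what the binary is called or hashes to.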
This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 08:22:56 PST