> ...root@NoraD
>
> has anyone seen this before? or has any info on it? ie, what binaries have
> been trojaned, what files have been replaced, etc.??

Third out of four at google on "root@norad" (the other three are unrelated)...

http://www.sans.org/y2k/the_compromise.htm

Except that's RH7, not Solaris. Look for similarities anyway, but at this point all you can conclude is that your visitor may have installed a similar sshd - you can't know if it came to you in the same way, or if the damages were limited to the same ones discussed above.

Even with this list and analysis, you'll need to do the legwork of examining your own system methodically.

Hoping that helps...

--
Dave Salovesh
RAM Associates, Inc.
(800) 543-3635
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 15:55:34 PDT