RE: New maniac rootkit

From: Chris Huseman (ChrisH@A-t-g.com)
Date: Thu Jun 21 2001 - 06:28:57 PDT


    > -rwxr-xr-x   1 root     root        44313 Apr  2 15:24 bnc
    > 	- Bot Net Client?  bnc.conf mentions port 6667
    > -rw-r--r--   1 root     ftp            52 May 11 08:19 bnc.conf
    > 	- bnc's config file
    
    
    > I also know it's making IRC connections, plus has at least one
    > rootshell running.  I can't confirm this without modifying bits
    > of the box, to replace ps with a known good copy, and I can't do
    > that until one of my colleagues looks at it to get first hand
    > experience.
    
    
    BNC is an IRC proxy.  See: http://www.gotbnc.com
    
    You may be able to get more info on your intruder by seeing who it is that
    is using that bnc.. find a clean copy of netstat and look at the port
    bnc.conf says it's listening on.
    
    -chris
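
Added example, not part of the original message: one way to do the check suggested above when no trusted netstat binary is at hand is to read the kernel's socket table directly. The sample table is constructed, the function names are hypothetical, and the address decoding assumes a little-endian Linux host.

```python
import socket
import struct

# Constructed sample in Linux /proc/net/tcp layout (not data from the real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0
   1: 0A0200C0:1A0B 076433C6:C350 01 00000000:00000000 00:00000000 00000000     0
   2: 0A0200C0:0016 097100CB:C351 01 00000000:00000000 00:00000000 00000000     0
"""

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}


def decode(endpoint):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port); assumes a little-endian host."""
    addr_hex, port_hex = endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def peers_on_port(table_text, port):
    """Return (state, remote_ip, remote_port) for sockets bound to local `port`."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        _, local_port = decode(fields[1])
        if local_port != port:
            continue
        remote_ip, remote_port = decode(fields[2])
        found.append((TCP_STATES.get(fields[3], fields[3]), remote_ip, remote_port))
    return found


if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for state, ip, rport in peers_on_port(SAMPLE, 6667):
        print(f"{state:<12} {ip}:{rport}")
```

This sidesteps a replaced userland netstat, but a kernel-level rootkit can hide entries from /proc as well, so run the interpreter from trusted media and treat an empty result as inconclusive.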
    



    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 10:40:45 PDT