Many people have already identified bits, so I'll just comment on this piece:

Andrew Heath <ah228at_private> writes:

> in /dev/ptyxx/.proc (runlevels?)
> 2 eggdrop
> 3 maniac
> 2 slice
> 2 pine.out
> 2 PHoss
> 2 targa3
> 3 bnc
> 2 httpd
> 3 grabbb
> 3 pt07
> 3 mailrc
> 2 sh

This file format matches the file format of many common trojaned ps and ls programs - it's a list of processes and/or files to hide (I think that the initial number identifies whether this is the name of a process to hide or a file, but I can't remember).

You might try the following two commands on the trojaned box:

    ls /bin/sh
    echo 'ps $$' | sh | grep sh

I'm willing to bet that one or the other of those commands will show nothing, an indication that sh is being hidden from either ls or ps.

You could also, I suppose, do a

    mv /dev/ptyxx /dev/ptyxx.old

and see if suddenly things look different when you do a ps or ls on the infected box. (I say move the directory because there may be other, possibly hidden, rootkit config files therein.)
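The check above generalised a little, as an added example that is not part of the original post: a trojaned ps can drop names that appear in a hide list like the one quoted, but it cannot remove the /proc/<pid> directories from a shell glob, so any PID present in /proc and absent from ps output deserves a look. The function names, the --live switch and the sample hide list are this example's own.

```sh
#!/bin/sh
# hidden_pids PROC_PIDS PS_PIDS
# Both arguments are whitespace-separated PID lists. Prints, one per line,
# every PID in PROC_PIDS that does not occur in PS_PIDS.
hidden_pids() {
    proc_list=$1
    ps_list=$2
    for pid in $proc_list; do
        found=0
        for seen in $ps_list; do
            [ "$pid" = "$seen" ] && { found=1; break; }
        done
        [ "$found" -eq 0 ] && echo "$pid"
    done
    return 0
}

# names_in_hidelist LISTFILE NAME...
# The rootkit config format quoted above is "<number> <name>" per line.
# Prints each NAME found in LISTFILE, whatever its leading number.
names_in_hidelist() {
    listfile=$1; shift
    for name in "$@"; do
        while read -r _num entry; do
            if [ "$entry" = "$name" ]; then echo "$name"; break; fi
        done < "$listfile"
    done
    return 0
}

# live_check: enumerate /proc with a shell glob (no reliance on a possibly
# trojaned ls), enumerate ps, and report the discrepancy. Linux-style /proc
# and a ps that accepts "-e -o pid=" are assumed.
live_check() {
    proc_pids=$(for d in /proc/[0-9]*; do echo "${d#/proc/}"; done)
    ps_pids=$(ps -e -o pid= 2>/dev/null | tr -d ' ')
    hidden_pids "$proc_pids" "$ps_pids"
}

# Constructed sample hide list (not taken from a real compromised host).
sample_list=$(mktemp)
printf '2 eggdrop\n3 bnc\n2 sh\n' > "$sample_list"
echo "names from our check set that the sample list would hide:"
names_in_hidelist "$sample_list" sh bash bnc
rm -f "$sample_list"

# Pass --live to compare the running system's /proc against its ps.
[ "${1:-}" = "--live" ] && live_check
```

A process that exits between the two enumerations shows up as a false positive, so repeat a reported PID by hand (e.g. check that /proc/<pid> still exists) before drawing conclusions.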
This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 10:45:39 PDT