.baa0xdd1r??

From: SecLists (listsat_private)
Date: Mon Jul 30 2001 - 08:48:05 PDT


    We have a customer's system that we believe was hacked...
    
    in /var/tmp there is a binary file:
    .baa0xdd1r
    
    it appears to have replaced /usr/sbin/in.telnetd
    
    /bin/login also appears suspect...
    
    this is:
    bash-2.01# uname -a
    SunOS xxxxxxx 5.6 Generic_105181-06 sun4u sparc SUNW,Ultra-1
    
    
    does this sound like a familiar rootkit? or is it something totally new?
    
    we are still gathering info but I wanted to post this soon on the chance
    that someone has dealt with this before.. don't want to have to reinvent
    the wheel...
    
    thanks,
    
    shawn
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


