Hi,

A few days ago I checked a client's machine for problems, since two userids were added. After some searching, a run of nmap, I found TCP port 54 to be open and with lsof I found a small backdoor installed as /usr/bin/getty. So far as I can see it's just a simple backdoor, only connecting to it with netcat didn't give me what I thought I should get. Anyone any ideas? I've put the "getty" on one of my boss' machines, it can be found on http://sms.pts.nl/renee/getty.gz (4KB). Strings gives me something that could be a userid or something like this. Anyone seen this one before? And I think they got in using a faulty telnetd.

Cheers,
Renee.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
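The triage step Renee describes (map a listening port back to the process with lsof, then ask whether that binary belongs on the box) is easy to script so it can be re-run on other hosts. The following POSIX sh script is an added example and not part of the original post or the archived list; the lsof sample lines, the expected-port baseline and the list of programs that should never hold a network socket are constructed assumptions. It parses `lsof -nP -iTCP -sTCP:LISTEN` output, flags listeners on ports outside the baseline or run by a program such as getty (a tty handler that has no reason to listen on TCP), and on a live Linux host resolves each flagged PID to its executable and asks dpkg or rpm whether any package owns that file.

```sh
#!/bin/sh
# Constructed sample in the format of `lsof -nP -iTCP -sTCP:LISTEN`
# (assumption: not captured from Renee's client machine).
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     412 root    3u  IPv4   9021      0t0  TCP *:22 (LISTEN)
getty    987 root    3u  IPv4  14551      0t0  TCP *:54 (LISTEN)
inetd    301 root    5u  IPv4   8712      0t0  TCP *:23 (LISTEN)'

# Assumed baseline: the only TCP ports this host is supposed to listen on.
EXPECTED_PORTS="22 23"

# Programs that never legitimately own a network listener (assumed list).
NEVER_NETWORK="getty agetty mingetty login"

# Read lsof output on stdin; print "pid command port reason" for every
# listener on an unexpected port or owned by a non-network program.
flag_listeners() {
    awk -v expected="$EXPECTED_PORTS" -v never="$NEVER_NETWORK" '
    BEGIN {
        n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1
        n = split(never, v, " ");    for (i = 1; i <= n; i++) bad[v[i]] = 1
    }
    NR == 1 && $1 == "COMMAND" { next }          # skip the lsof header
    /\(LISTEN\)/ {
        port = $(NF-1); sub(/.*:/, "", port)      # "*:54" -> "54"
        reason = ""
        if (!(port in ok)) reason = "unexpected-port"
        if ($1 in bad)     reason = reason (reason ? "," : "") "non-network-program"
        if (reason != "")  print $2, $1, port, reason
    }'
}

# Resolve a PID to the executable it was started from (Linux /proc only).
exe_path() { readlink "/proc/$1/exe" 2>/dev/null; }

# Exit 0 if a package owns the path, 1 otherwise (dpkg or rpm, whichever exists).
owned_by_package() {
    if command -v dpkg >/dev/null 2>&1; then dpkg -S "$1" >/dev/null 2>&1
    elif command -v rpm >/dev/null 2>&1; then rpm -qf "$1" >/dev/null 2>&1
    else return 1
    fi
}

# Run the classifier over the constructed sample (what the test checks).
triage_sample() { printf '%s\n' "$SAMPLE_LSOF" | flag_listeners; }

# Run it against the live host and annotate each hit with its binary and owner.
triage_live() {
    lsof -nP -iTCP -sTCP:LISTEN | flag_listeners |
    while read -r pid cmd port reason; do
        path=$(exe_path "$pid")
        if [ -n "$path" ] && owned_by_package "$path"; then owner=packaged
        else owner=UNPACKAGED; fi
        printf '%s %s port %s: %s exe=%s %s\n' \
            "$pid" "$cmd" "$port" "$reason" "${path:-?}" "$owner"
    done
}

triage_sample
```

On the constructed sample this prints `987 getty 54 unexpected-port,non-network-program`; run `triage_live` as root on a suspect host to get the same line annotated with the binary's path and whether any package claims it. A file path that resolves to `(deleted)` or an unpackaged binary under /usr/bin is the signal to preserve the file (as Renee did) rather than to trust its name.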
This archive was generated by hypermail 2b30 : Sat Aug 18 2001 - 10:21:20 PDT