Questions

From: Ihsahn Diablo (traktopikaat_private)
Date: Wed Nov 21 2001 - 04:54:02 PST


    Heya,
    
    
       I have a question about something I don't know why it is on my server. So 
    the situation is this:
      - I found a directory /dev/.,
      - its contents are:
    
    drwxrwxr-x    5 root     root         4096 Nov 14 15:37 .
    drwx------   17 root     root         4096 Nov 21 10:52 ..
    drwxr-xr-x    2 root     root         4096 Oct  3 04:21 adore
    -rwxr-xr-x    1 root     root         5812 Oct  3 04:21 bechap
    -rwxr-xr-x    1 root     root          734 Oct  3 04:21 cl
    -rwxr-xr-x    1 root     root          105 Oct  3 04:21 clin
    -rwxr-xr-x    1 root     root         6928 Oct  3 04:21 dp
    -rwxrwxr-x    1 root     root         16285 Oct  3 03:44 epcs
    -rwxr-xr-x    1 root     root         1474 Oct  3 04:21 inetd
    drwxr-xr-x    2 root     root         4096 Oct  3 04:21 init
    drwxr-xr-x    2 root     root         4096 Nov  6 14:22 pids
    -rwxr-xr-x    1 root     root         5080 Oct  3 04:21 portscan
    -rw-r--r--    1 root     root       202894 Oct  3 04:16 psibenece.tar.gz
    -rw-r--r--    1 root     root         6413 Nov  6 14:22 ribut.log
    -rw-r--r--    1 root     root      5086340 Nov 14 14:05 snifflog
    -rw-rw-rw-    1 root     root       137790 Nov 14 13:58 ssh.log
    -rw-r--r--    1 root     root           46 Oct  3 04:21 var
    
      - the analysis of these files gives:
       1. it is a rootkit
       2. the rootkit has a log cleaner, a portscanner, some logs, and a 
    psybnc.
       3. in /usr/sbin/ I found "in.ttyd", which is an sshd2 and listens on 
    port 60598, and config.cfg, which is a configuration file for the sniffer "1s" 
    (one s), also found in /usr/sbin/.
       4. epcs is a local exploit, and dp I think is a remote one.
    
    ./dp
    Usage: ./dp localport remoteport remotehost
    
    
        So, does somebody know or has seen this kind of rootkit and can tell me more 
    about it? And I'm interested in what DP is; is it a remote exploit, and for what?
    Because I think it is the way the attacker entered my system.
    
    Sorry for my poor English,
    
    Best regards,
    
    
    Goba
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 08:33:58 PST
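Added example, not code from the original post or from any tool it names: a Python check that walks a /dev tree and reports the class of artifact described above (a dot-named hidden directory, plus ordinary executables, logs and archives where only device nodes, symlinks, FIFOs and sockets belong). The allowlists, the skipped subtrees and the sample tree are constructed assumptions; tune them for your distribution.

```python
import os
import stat
import tempfile

# Assumptions: dot-entries and subtrees that legitimately hold regular files
# on many Linux systems. Extend these for your own distribution.
ALLOWED_DOT_NAMES = {".udev", ".mdadm", ".initramfs"}
SKIP_SUBTREES = {"shm", "mqueue", "pts"}


def scan_dev(dev_root="/dev"):
    """Return sorted [(path, reason)] for entries under dev_root worth a look.

    Flags hidden directories (name starts with '.') and every regular file:
    /dev should hold device nodes, symlinks, FIFOs and sockets, so a binary,
    a tarball or a log there is out of place. Symlinks are never followed.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(dev_root, followlinks=False):
        # Prune subtrees that legitimately contain regular files (tmpfs etc.).
        dirnames[:] = [d for d in dirnames if d not in SKIP_SUBTREES]
        for d in dirnames:
            if d.startswith(".") and d not in ALLOWED_DOT_NAMES:
                findings.append((os.path.join(dirpath, d), "hidden directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # entry vanished while walking; /dev is dynamic
                continue
            if stat.S_ISREG(st.st_mode):
                reason = "regular file"
                if st.st_mode & stat.S_IXUSR:
                    reason = "executable regular file"
                elif st.st_mode & stat.S_IWOTH:
                    reason = "world-writable regular file"
                findings.append((path, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: a dot-named directory holding a binary, a
    log and a world-writable log (as in the post), an innocuous FIFO, and a
    legitimate shm file that must not be reported. Returns the base path."""
    base = tempfile.mkdtemp(prefix="devscan-")
    hidden = os.path.join(base, ".kit")  # constructed name, not the real one
    os.makedirs(os.path.join(hidden, "adore"))
    for name, mode in (("dp", 0o755), ("snifflog", 0o644), ("ssh.log", 0o666)):
        with open(os.path.join(hidden, name), "wb") as fh:
            fh.write(b"constructed sample\n")
        os.chmod(os.path.join(hidden, name), mode)
    os.mkfifo(os.path.join(hidden, "pipe"))
    os.makedirs(os.path.join(base, "shm"))
    with open(os.path.join(base, "shm", "sem.app"), "wb") as fh:
        fh.write(b"\0")
    return base
```

Run `scan_dev()` with no argument on a live host to list what it finds under the real /dev; only the names are reported, so compare them against your distribution's known layout before acting on them.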