xsf/xchk

From: Vladimir Ivaschenko (hazardat_private)
Date: Tue Jan 22 2002 - 08:20:19 PST


    Hi,
    
    Today a RedHat 7.1 Linux machine of my friend was compromised.
    I have just started investigating, so I don't have any
    information on how it was done. After the attack, login via the
    console stopped working.
    
    I have found the following files in /usr/bin: xchk and xsf. They
    are started from /etc/rc.d/rc.sysinit. xsf is an ssh daemon
    sitting on port 14859. I don't know what the purpose of xchk is.
    killall and ps were also replaced by programs which hide xsf and
    xchk.
    
    Has anyone seen something similar before and can point me to some
    information? I tried searching for xsf / xchk in Google and
    didn't get any results.
    
    -- 
    Best Regards
    Vladimir Ivaschenko
    Certified Linux Engineer (RHCE)
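
A small triage helper for the symptoms described in the post above, added here as an example and not part of the original message. It assumes the artifacts Vladimir names (/usr/bin/xsf, /usr/bin/xchk, /etc/rc.d/rc.sysinit, port 14859); the /proc directory, the ps output and /proc/net/tcp are passed in as paths so the same checks run against evidence copied off the box, and the function names are this example's own.

```shell
#!/bin/sh
# Added triage helper, not from the original post. Assumes the artifacts the
# post names (/usr/bin/xsf, /usr/bin/xchk, /etc/rc.d/rc.sysinit, port 14859).
# Inputs are file paths so the checks run on a live box or on copied evidence.

# 1. Persistence: lines of rc.sysinit that reference the dropped binaries.
check_sysinit() {    # $1 = rc.sysinit path (default: the one the post names)
    grep -nE '(^|[^[:alnum:]_])(xsf|xchk)([^[:alnum:]_]|$)' "${1:-/etc/rc.d/rc.sysinit}"
}

# 2. Hidden processes: PIDs present in /proc but absent from what ps printed.
#    A replaced ps can drop entries from its output; the kernel's /proc
#    directory listing is not filtered by it, so the difference is the hidden set.
hidden_pids() {      # $1 = /proc (or a copy), $2 = file with one PID per line from ps
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        grep -qx "$pid" "$2" || echo "$pid"
    done
}

# 3. Listener: /proc/net/tcp stores local_address as HEXIP:HEXPORT and the
#    state 0A for LISTEN, so port 14859 appears as :3A0B. Prints the socket.
port_hex() { printf '%04X' "$1"; }
listening_on() {     # $1 = port number, $2 = /proc/net/tcp (or a copy)
    awk -v p=":$(port_hex "$1")" '$2 ~ (p "$") && $4 == "0A" { print $2; f = 1 }
                                  END { exit !f }' "$2"
}

# 4. Trojaned tools: on a Red Hat system ps belongs to procps and killall to
#    psmisc; any output from rpm -V means the file on disk differs from the
#    package (run it from rescue media, since rpm itself could be replaced too).
verify_ps_tools() { rpm -V procps psmisc; }

# Live usage on the compromised host:
#   ps -e -o pid= | tr -d ' ' > /tmp/ps.pids
#   check_sysinit; hidden_pids /proc /tmp/ps.pids
#   listening_on 14859 /proc/net/tcp; verify_ps_tools
```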
    