On Fri, 22 Feb 2002, Matt K. wrote:

> They most likely got in via dtspcd or ttdbserver. Run strings on
> /usr/ucb/ps and see if you see 'sexygurl' near the end. Also, check the
> dates on files such as /bin/ls. The rootkit doesn't seem to change the

Also these:

-r-sr-xr-x 1 root root 17156 Jan 14 20:56 m68k
-rwxr-xr-x 1 root root 301632 Jan 14 20:56 mc68000
-r-xr-xr-x 1 root root 9296 Jan 14 20:56 mc68010
-r-sr-xr-x 1 root root 36520 Jan 14 20:56 mc68020
-r-xr-xr-x 1 root root 20064 Jan 14 20:56 mc68030
-r-xr-sr-x 1 root root 55168 Jan 14 20:56 mc68040
-rwxr-xr-x 1 root root 558868 Jan 14 20:56 sshd2
-r-sr-sr-x 1 root root 101744 Jan 14 20:56 sun2
-r-sr-xr-x 1 root root 48028 Jan 14 20:56 sun3
-r-xr-xr-x 1 root root 9028 Jan 14 20:56 sun3x
-r-sr-xr-x 1 root root 29200 Jan 14 20:56 u370
-r-xr-xr-x 1 root root 5256 Jan 14 20:57 w

(cut/paste from a machine I fixed 2 weeks ago. Dates are when our machine got hacked, not relevant for you).

Specifically, u370 was the real login, and login was replaced. They replace the programs that ID CPU types, which will never be run.

==========================================================
Chris Candreva -- chrisat_private -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
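A defender's check for the pattern Chris describes, added here as an example and not taken from the thread: on a clean Solaris install the CPU-type names in /usr/bin (m68k, mc68000, sun2, u370 and friends) are hard links to one small machid program, so they share an inode and a size and carry no set-uid/set-gid bit. The name list, the reference-by-majority rule and the constructed demo directory are assumptions of this script, not anything stated in the post.

```sh
#!/bin/sh
# Added example, not from the original message. Flags CPU-type ID names in a
# directory that break the clean-system pattern (shared inode, shared size,
# no s bit). Note that every entry in Chris's listing also has a link count
# of 1, which is itself a tell on a system where these should be hard links.

MACHID_NAMES="m68k mc68000 mc68010 mc68020 mc68030 mc68040 sun2 sun3 sun3x u370"

# check_machid DIR: prints "reason name" for each suspicious file in DIR.
check_machid() {
    dir=$1
    tmp=$(mktemp)
    for n in $MACHID_NAMES; do
        f="$dir/$n"
        [ -e "$f" ] || continue
        # ls -lni fields: inode perms links uid gid size month day time name
        set -- $(ls -lni "$f")
        echo "$1 $2 $6 $n" >> "$tmp"
    done
    # Reference inode and size: the values shared by the largest group of names.
    ref_size=$(awk '{print $3}' "$tmp" | sort | uniq -c | sort -rn | head -1 | awk '{print $2}')
    ref_inode=$(awk '{print $1}' "$tmp" | sort | uniq -c | sort -rn | head -1 | awk '{print $2}')
    while read -r inode perms size name; do
        case $perms in
            ???[sS]*|??????[sS]*) echo "setid-bit $name" ;;   # set-uid or set-gid
        esac
        [ "$size" = "$ref_size" ] || echo "size-differs($size) $name"
        [ "$inode" = "$ref_inode" ] || echo "not-hardlinked $name"
    done < "$tmp"
    rm -f "$tmp"
}

# Constructed demo directory (assumption): a clean set of hard links plus one
# planted set-uid binary under the u370 name, as in the listing above.
demo=$(mktemp -d)
printf 'machid' > "$demo/m68k"
for n in mc68000 mc68010 mc68020 sun2 sun3; do ln "$demo/m68k" "$demo/$n"; done
head -c 29200 /dev/zero > "$demo/u370"
chmod 4555 "$demo/u370"
check_machid "$demo"
rm -rf "$demo"
```

Run it against /usr/bin on the suspect host; a silent run means every name in the list matched the group. Mode, size and link count come from the same ls the rootkit may have replaced, so confirm any hit with a known-good ls from read-only media.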
This archive was generated by hypermail 2b30 : Mon Feb 25 2002 - 15:32:21 PST