In-Reply-To: <Pine.LNX.4.43.0203110937340.11382-100000at_private>

I recently had an unpatched Red Hat 7.2 machine hacked. I discovered a UDP port 3049 listening process... The process binary was ./v

After the compromise I recorded most of the volatile info and, finding a binary 'v' in "/dev/.. " (three spaces), assumed it was the ./v listening on 3049. Mistake. The ./v in the "/dev/.. " directory was the Vanish II program.

Now I have to analyze the unallocated inodes to find the ./v program listening on port 3049.

Biggest problem now is time. They keep me busy around here.... Will post the findings as time permits....

Thomas Akin

--
Thomas Akin, CISSP
Director, Southeast Cybercrime Institute
takinat_private
www.cybercrime.kennesaw.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
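The post's lesson, that a binary sitting in a camouflaged directory such as "/dev/.. " (two dots plus trailing spaces) must not be assumed to be the process on the port, suggests a triage check worth scripting: walk a device tree and flag entry names that mimic "." or ".." or hide whitespace, plus executable regular files, which have no business under /dev. The script below is an added example, not from the original post; the function names and the sample tree it builds in a temporary directory are constructed for illustration.

```python
import os
import stat
import tempfile
import unicodedata

def is_suspicious_name(name):
    """Return a reason if an entry name looks camouflaged, else None."""
    if name != name.strip():
        return "leading/trailing whitespace"
    if name.strip(". ") == "":
        return "dots-only name"  # '.' and '..' themselves never come from os.walk
    if any(unicodedata.category(c)[0] == "C" for c in name):
        return "control characters in name"
    return None

def find_suspicious_entries(root, flag_executables=True):
    """Walk root and return (path, reason) pairs for camouflaged names and,
    optionally, executable regular files (unexpected in a device tree)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = is_suspicious_name(name)
            if reason:
                hits.append((os.path.join(dirpath, name), reason))
        if not flag_executables:
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & 0o111:
                hits.append((full, "executable regular file"))
    return hits

def build_sample_tree():
    """Constructed sample (hypothetical): a fake /dev with an ordinary 'pts'
    directory and a '..' + three spaces directory holding an executable 'v'."""
    root = tempfile.mkdtemp(prefix="devscan_")
    os.mkdir(os.path.join(root, "pts"))
    hidden = os.path.join(root, "..   ")
    os.mkdir(hidden)
    v_path = os.path.join(hidden, "v")
    with open(v_path, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(v_path, 0o755)
    return root

if __name__ == "__main__":
    for path, reason in find_suspicious_entries(build_sample_tree()):
        print(f"{path!r}: {reason}")
```

Run it against the real /dev as root to list candidates; pair the result with a socket-to-PID listing (for example `lsof -i UDP:3049` or `netstat -unlp` on a system of that era) rather than inferring the listener from the file's location.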
This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 08:45:40 PST