Okay, I am wondering if anyone has seen a rootkit or trojan with the following files (please note, I do not have access to this machine directly, so this is only from a remote cursory view). The OS is SunOS 2.5 (I know, I know).

First, the executable /usr/bin/xntpx was created. This program seems to be some ICMP utility which creates a large stream of ICMP traffic; the traffic we noticed was ICMP packets > 1024 to address 0.0.0.0.

Second, /tmp/x, which was run with "xinetd /tmp/x".

Third, /var/adm/* had the mode 666.

That was all of the information I had direct access to, though if I remember there was also a trojan sshd using the name ssld, and modcheck, if I remember, running as well.

Jason

--
Jason Robertson
Now at the National Research Council.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
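A small triage check for the indicators the post lists (world-writable files under /var/adm, the xntpx/ssld/modcheck process names, the dropped paths, and oversized ICMP to 0.0.0.0), added here as an example and not part of the original post; the `ls -l`, `ps -ef` and packet-summary inputs are constructed samples, and the indicator names are only those the post reports, not a general rootkit signature.

```python
import os
import re

# Indicators named in the post (constructed check, not a general signature).
SUSPECT_PATHS = {"/usr/bin/xntpx", "/tmp/x"}
SUSPECT_PROCS = {"xntpx", "ssld", "modcheck"}
MODE_RE = re.compile(r"^[-dlbcps][rwxsStT-]{9}$")
PS_TIME_RE = re.compile(r"\s\d+:\d\d\s+(\S+)")  # first CMD token after the TIME column

def find_world_writable(ls_lines, directory):
    """Paths from `ls -l <directory>` output whose 'other' write bit is set
    (the post reports /var/adm/* at mode 666: logs any local user can alter)."""
    hits = []
    for line in ls_lines:
        parts = line.split(None, 8)
        if len(parts) < 9 or not MODE_RE.match(parts[0]):
            continue  # 'total N' line or anything that is not a file entry
        if parts[0][8] == "w":  # 9th mode character is the other-write bit
            hits.append(os.path.join(directory, parts[8]))
    return hits

def find_suspect_procs(ps_lines):
    """(pid, name) pairs from `ps -ef` output whose command basename is suspect."""
    hits = []
    for line in ps_lines:
        m = PS_TIME_RE.search(line)
        if not m:
            continue  # header line has no TIME value
        name = os.path.basename(m.group(1))
        if name in SUSPECT_PROCS:
            hits.append((line.split()[1], name))
    return hits

def flag_icmp(records):
    """records are (dst_ip, proto, length); flag ICMP > 1024 bytes to 0.0.0.0."""
    return [r for r in records if r[1] == "icmp" and r[2] > 1024 and r[0] == "0.0.0.0"]

def triage(ls_lines, ps_lines, present_paths, records):
    return {
        "world_writable_logs": find_world_writable(ls_lines, "/var/adm"),
        "suspect_procs": find_suspect_procs(ps_lines),
        "suspect_files": sorted(SUSPECT_PATHS & set(present_paths)),
        "icmp_flood": flag_icmp(records),
    }

# Constructed sample inputs in SunOS `ls -l` / `ps -ef` layout.
LS_SAMPLE = """total 12
-rw-rw-rw-   1 root     sys        12288 Apr 20 03:11 messages
-rw-rw-rw-   1 root     sys         4096 Apr 20 03:11 wtmp
-rw-r--r--   1 root     sys          512 Apr 20 02:00 lastlog"""
PS_SAMPLE = """     UID   PID  PPID  C    STIME TTY      TIME CMD
    root     1     0  0   Apr 19 ?        0:01 /etc/init -
    root   212     1  0   Apr 19 ?        0:00 /usr/sbin/inetd -s
    root  4411     1  0 03:10:55 ?        0:09 /usr/bin/xntpx 0.0.0.0
    root  4420     1  0 03:11:02 ?        0:00 ssld"""
NET_SAMPLE = [("10.0.0.5", "tcp", 60), ("0.0.0.0", "icmp", 1400), ("0.0.0.0", "icmp", 84)]
```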
This archive was generated by hypermail 2b30 : Tue Apr 23 2002 - 11:14:11 PDT