Hi, my box was compromised, and I can't rm a binary that listens over TCP. I need help/support; watch:

1. %nmap foo
   ....
   898/tcp open unknown

2. %nc foo 898
   HTTP/1.0 400 Bad Request
   Date: Sat, 22 Jun 2002 16:36:02 GMT
   Server: Tomcat/2.1
   Content-Type: text/html

   <h1>Error: 400</h1>
   No detailed message

3. %netstat
   ...
   30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock

4. % /usr/local/bin/lsof -U
   java 436 root 25u unix 105,25 0t0 35169 /devices/pseudo/tl@0:ticots->
   /tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)

5. %find / -inum 35169 -print -exec ls -sal {} \;
   /var/sadm/pkg/SUNWapdoc
   total 34
   2 drwxr-xr-x 4 root root 512 Mar 24 2001 .
   26 dr-xr-xr-x 680 root sys 13312 Jun 22 20:58 ..
   2 drwxr-xr-x 2 root root 512 Mar 24 2001 install
   2 -rw-r--r-- 1 root root 932 Mar 24 2001 pkginfo
   2 drwxr-xr-x 2 root root 512 Mar 24 2001 save
   /devices/pseudo/tl@0:ticots
   0 crw-rw-rw- 1 root sys 105, 0 Mar 24 2001 /devices/pseudo/tl@0:ticots

OK, what's happening? I am very confused: the inode number lsof shows points to a directory and a character device. How can I stop that listening binary?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
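A triage helper for the situation in the post above, added here as an example that is not part of the original message: it maps a listening TCP port to its owning PID from `lsof -i -P -n` output and then locates the running binary through /proc instead of searching the filesystem by inode. The lsof lines are constructed to mirror the post (java/Tomcat on port 898); `listener_pid` and `exe_path` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample of `lsof -i -P -n` output (not captured from the poster's host).
LSOF_SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 221 root 4u IPv4 0x30001302f00 0t0 TCP *:22 (LISTEN)
java 436 root 12u IPv4 0x30001303a00 0t0 TCP *:898 (LISTEN)
java 436 root 25u unix 0x30001303a88 0t0 35169 /tmp/smc898/cmdsock'

# listener_pid PORT: print the PID of the process with a TCP listener on PORT.
# Reads lsof output on stdin; exits 1 when no listener matches.
listener_pid() {
    awk -v want=":$1" '
        $1 != "COMMAND" && $NF == "(LISTEN)" {
            n = split($(NF-1), a, ":")       # NAME looks like *:898, 10.0.0.5:898 or [::1]:898
            if (":" a[n] == want) { print $2; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# exe_path PID: path of the running executable, taken from the kernel rather
# than from ps argv[0] (which a process can rewrite). Solaris exposes it as
# /proc/PID/path/a.out, Linux as /proc/PID/exe; the first one present is printed.
exe_path() {
    for p in "/proc/$1/path/a.out" "/proc/$1/exe"; do
        if [ -e "$p" ]; then
            readlink "$p" 2>/dev/null || printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# The NODE column of a unix-domain socket (35169 above) is a socket identifier,
# not a filesystem inode, which is why `find / -inum 35169` turns up unrelated
# objects; the port-to-PID mapping is what leads to the binary.
if pid=$(printf '%s\n' "$LSOF_SAMPLE" | listener_pid 898); then
    printf 'port 898 -> pid %s\n' "$pid"
    exe_path "$pid" || printf 'no /proc entry for pid %s on this host\n' "$pid"
fi
```

On a live host, feed real output with `lsof -i -P -n | listener_pid 898`, then inspect `exe_path PID` before deciding whether to stop the process.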
This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 21:42:12 PDT