backdoor

From: Fabio Miranda (fmirandat_private)
Date: Sat Jun 22 2002 - 20:02:19 PDT

    Hi, my box was compromised, and I can't rm a binary
    that listens over TCP. I need help and support; watch:
    1. %nmap foo
    ....
    898/tcp    open        unknown

    2. %nc foo 898
    HTTP/1.0 400 Bad Request
    Date: Sat, 22 Jun 2002 16:36:02 GMT
    Server: Tomcat/2.1
    Content-Type: text/html
    <h1>Error: 400</h1>
    No detailed message

    3. %netstat
    ...
    30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock

    4. % /usr/local/bin/lsof -U
    java    436 root   25u  unix 105,25      0t0 35169 /devices/pseudo/tl@0:ticots->/tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)

    5. %find / -inum 35169 -print  -exec ls -sal {} \;
    /var/sadm/pkg/SUNWapdoc
    total 34
       2 drwxr-xr-x   4 root     root         512 Mar 24  2001 .
      26 dr-xr-xr-x 680 root     sys        13312 Jun 22 20:58 ..
       2 drwxr-xr-x   2 root     root         512 Mar 24  2001 install
       2 -rw-r--r--   1 root     root         932 Mar 24  2001 pkginfo
       2 drwxr-xr-x   2 root     root         512 Mar 24  2001 save
    /devices/pseudo/tl@0:ticots
       0 crw-rw-rw-   1 root     sys      105,  0 Mar 24  2001 /devices/pseudo/tl@0:ticots
    
    
    Ok, what's happening? I am very confused: the inode
    number lsof shows points to a directory and a character
    device. How can I stop that listening binary?
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
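A worked version of the correlation the post is attempting, added here and not part of the original message: the netstat and lsof -U output (constructed sample lines modelled on the post, plus a made-up sshd socket so the join has something to distinguish) are joined on the kernel socket address printed in parentheses, which gives the PID to investigate, instead of on the NODE column. Inode numbers are unique only within one filesystem and a socket's NODE is not an inode on /, which is why find -inum 35169 turned up an unrelated package directory and the tl device node.

```python
import re
# Constructed sample output modelled on the lsof -U and netstat lines in the post;
# the sshd lines are made up so the join has something to distinguish.
LSOF_U = """\
COMMAND PID USER  FD  TYPE DEVICE SIZE/OFF  NODE NAME
java    436 root  25u unix 105,25      0t0 35169 /devices/pseudo/tl@0:ticots->/tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)
sshd    212 root   4u unix 105,12      0t0 12001 /devices/pseudo/tl@0:ticotsord->/var/run/sshd.sock (0x30001a00c10) (Vnode=0x3000108b000)
"""
NETSTAT_UNIX = """\
Active UNIX domain sockets
Address         Type       Vnode        Conn     Local Addr
30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock
30001a00c10 stream-ord 3000108b000 00000000 /var/run/sshd.sock
"""
LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+unix\s+\S+\s+\S+\s+(\d+)\s+(.*)$")
NETSTAT_RE = re.compile(r"^([0-9a-fA-F]+)\s+\S+\s+[0-9a-fA-F]+\s+\S+\s+(/\S+)")

def parse_lsof_unix(text):
    """One dict per unix-socket FD. NODE is the socket's node number, not an inode
    on the root filesystem, so it is useless as an argument to find -inum; the
    kernel address in parentheses is what netstat also prints."""
    entries = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue  # header or non-unix line
        cmd, pid, user, node, name = m.groups()
        addr = re.search(r"\((0x[0-9a-fA-F]+)\)", name)
        path = name.split("->", 1)[1].split(" (", 1)[0] if "->" in name else None
        entries.append({"command": cmd, "pid": int(pid), "user": user, "node": int(node),
                        "path": path, "addr": addr.group(1)[2:].lower() if addr else None})
    return entries

def parse_netstat_unix(text):
    """Map each socket's kernel address (lower-case hex, no 0x) to its path."""
    return {m.group(1).lower(): m.group(2)
            for m in map(NETSTAT_RE.match, text.splitlines()) if m}

def owner_of_socket(lsof_text, netstat_text, sock_path):
    """Join netstat and lsof on the socket address; return (command, pid) of the
    process holding sock_path, or None."""
    addrs = {a for a, p in parse_netstat_unix(netstat_text).items() if p == sock_path}
    for e in parse_lsof_unix(lsof_text):
        if e["addr"] in addrs:
            return e["command"], e["pid"]
    return None

if __name__ == "__main__":
    print(owner_of_socket(LSOF_U, NETSTAT_UNIX, "/tmp/smc898/cmdsock"))  # ('java', 436)
```

On the live box the same PID can be cross-checked against the TCP listener with `lsof -i tcp:898` before the process is stopped.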
    



    This archive was generated by hypermail 2b30 : Sat Jun 22 2002 - 21:42:12 PDT