RE: backdoor

From: Rob Keown (Keownat_private)
Date: Sun Jun 23 2002 - 09:20:12 PDT


    I would recommend a complete reinstall...you can boot from a clean image
    from a CD, mount the harddrive, get what you need off of the system, and
    then reinstall. 
    
    Search the archives at http://archives.neohapsis.com/ and you should see
    most people recommend this as the only safe alternative.
    
    > -----Original Message-----
    > From: Fabio Miranda [mailto:fmirandat_private]
    > Sent: Saturday, June 22, 2002 11:02 PM
    > To: incidentsat_private
    > Subject: backdoor
    > 
    > 
    > Hi, my box was compromised, and I can't rm a binary
    > that listens over TCP. I need help/support, watch:
    > 1. %nmap foo
    > ....
    > 898/tcp    open        unknown
    > 
    > 2. %nc foo 898
    > HTTP/1.0 400 Bad Request
    > Date: Sat, 22 Jun 2002 16:36:02 GMT
    > Server: Tomcat/2.1
    > Content-Type: text/html
    > <h1>Error: 400</h1>
    > No detailed message
    > 
    > 3. %netstat
    > ...
    > 30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock
    > 
    > 4. % /usr/local/bin/lsof -U
    > java    436 root   25u  unix 105,25      0t0 35169 /devices/pseudo/tl@0:ticots->/tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)
    > 
    > 5. %find / -inum 35169 -print  -exec ls -sal {} \;
    > /var/sadm/pkg/SUNWapdoc
    > total 34
    >    2 drwxr-xr-x   4 root     root         512 Mar 24  2001 .
    >   26 dr-xr-xr-x 680 root     sys        13312 Jun 22 20:58 ..
    >    2 drwxr-xr-x   2 root     root         512 Mar 24  2001 install
    >    2 -rw-r--r--   1 root     root         932 Mar 24  2001 pkginfo
    >    2 drwxr-xr-x   2 root     root         512 Mar 24  2001 save
    > /devices/pseudo/tl@0:ticots
    >    0 crw-rw-rw-   1 root     sys      105,  0 Mar 24  2001 /devices/pseudo/tl@0:ticots
    > 
    > 
    > OK, what's happening? I am very confused; the inode
    > number lsof shows points to a directory and a character
    > device. How can I stop that listening binary?
    > 
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
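One detail in the quoted post deserves a note for anyone triaging a similar box: `find / -inum 35169` returned a package directory and a device node for a single inode number. That is not a trick by the attacker; inode numbers are unique only within one filesystem, so searching the whole tree by inode alone matches unrelated objects on other filesystems, and the number lsof prints for a socket does not necessarily identify a file on the root filesystem at all. A correct lookup keys on the (device, inode) pair. The script below is an added example, not part of the thread: it implements that lookup with `os.lstat`, and its demo builds a constructed directory (a file, a hard link to it, and a subdirectory) in a temporary location; the names `payload`, `payload.link` and `install` are invented for the demo.

```python
import os
import stat
import tempfile


def kind(st):
    """Classify a stat result the way `ls -l` does in its first column."""
    mode = st.st_mode
    if stat.S_ISSOCK(mode):
        return "socket"
    if stat.S_ISDIR(mode):
        return "directory"
    if stat.S_ISCHR(mode):
        return "char-device"
    if stat.S_ISLNK(mode):
        return "symlink"
    if stat.S_ISREG(mode):
        return "regular"
    return "other"


def find_by_inode(root, ino, dev=None):
    """Walk `root` and return the paths whose inode number is `ino`.

    With dev=None this reproduces the ambiguity of `find / -inum N`:
    inode numbers are only unique per filesystem, so objects on other
    mounted filesystems can match by accident.  Pass the st_dev of the
    object you are tracing to restrict matches to its own filesystem.
    Several hits on the same filesystem are legitimate: they are hard
    links to one object (compare st_nlink).
    """
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        # visit the directory itself plus every entry in it
        for name in [""] + dirnames + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable entry; keep walking
            if st.st_ino == ino and (dev is None or st.st_dev == dev):
                hits.add(path)
    return sorted(hits)


def demo():
    """Build a constructed tree and show inode lookup with and without a
    device filter.  Returns relative paths so results are stable."""
    with tempfile.TemporaryDirectory() as root:
        payload = os.path.join(root, "payload")          # constructed name
        with open(payload, "w"):
            pass
        os.link(payload, os.path.join(root, "payload.link"))  # hard link
        os.mkdir(os.path.join(root, "install"))          # constructed name

        st = os.lstat(payload)
        rel = lambda paths: [os.path.relpath(p, root) for p in paths]
        return {
            "kind": kind(st),
            "nlink": st.st_nlink,
            # same filesystem: both hard links are genuine matches
            "same_fs": rel(find_by_inode(root, st.st_ino, st.st_dev)),
            # no device filter: same result here, but on a real host the
            # walk would also accept unrelated objects on other mounts
            "no_dev_filter": rel(find_by_inode(root, st.st_ino)),
            # a different device id never matches, whatever the inode
            "wrong_fs": rel(find_by_inode(root, st.st_ino, st.st_dev + 1)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live system, take `st_dev` from `os.lstat` of a path you already trust (for example the listening process's working directory or its executable) and pass it to `find_by_inode`; a hit that only appears without the device filter is on a different filesystem and is not the object you are looking for.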



    This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 12:08:48 PDT