I would recommend a complete reinstall... you can boot from a clean image from a CD, mount the hard drive, get what you need off of the system, and then reinstall. Search the archives at http://archives.neohapsis.com/ and you should see most people recommend this as the only safe alternative.

> -----Original Message-----
> From: Fabio Miranda [mailto:fmirandat_private]
> Sent: Saturday, June 22, 2002 11:02 PM
> To: incidentsat_private
> Subject: backdoor
>
> Hi, my box was compromised, and I can't rm a binary
> that listens over TCP. I need help/support; watch:
>
> 1. %nmap foo
> ....
> 898/tcp open unknown
>
> 2. %nc foo 898
> HTTP/1.0 400 Bad Request
> Date: Sat, 22 Jun 2002 16:36:02 GMT
> Server: Tomcat/2.1
> Content-Type: text/html
> <h1>Error: 400</h1>
> No detailed message
>
> 3. %netstat
> ...
> 30001303a88 stream-ord 3000108acd8 00000000 /tmp/smc898/cmdsock
>
> 4. % /usr/local/bin/lsof -U
> java 436 root 25u unix 105,25 0t0 35169 /devices/pseudo/tl@0:ticots->/tmp/smc898/cmdsock (0x30001303a88) (Vnode=0x3000108acd8)
>
> 5. %find / -inum 35169 -print -exec ls -sal {} \;
> /var/sadm/pkg/SUNWapdoc
> total 34
>  2 drwxr-xr-x   4 root root   512 Mar 24  2001 .
> 26 dr-xr-xr-x 680 root sys  13312 Jun 22 20:58 ..
>  2 drwxr-xr-x   2 root root   512 Mar 24  2001 install
>  2 -rw-r--r--   1 root root   932 Mar 24  2001 pkginfo
>  2 drwxr-xr-x   2 root root   512 Mar 24  2001 save
> /devices/pseudo/tl@0:ticots
>  0 crw-rw-rw-   1 root sys 105, 0 Mar 24  2001 /devices/pseudo/tl@0:ticots
>
> OK, what's happening? I am very confused; the inode
> number lsof shows points to a directory and a character
> device. How can I stop that listening binary?
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
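The triage the poster was attempting (map a listening port to its process, then work out what `find -inum` actually matched) as an added example; this is not code from the thread or the poster's real output. The `lsof` text below is a constructed sample in lsof's usual column layout, the PIDs and the second `sshd` line are hypothetical, the script assumes a POSIX shell with awk, find, ls and mktemp, and `exe_for_pid` assumes a Linux `/proc` (on the poster's Solaris box, `pfiles PID` is the counterpart). The `find` point is the one the post's own output shows: inode numbers are unique only within a single filesystem, so an unscoped `find / -inum N` can return a directory on one mount and a device node on another that merely share a number.

```shell
#!/bin/sh
# Added example, not from the thread above: triage helpers for
# "which process owns the listener, and what did find -inum match".
# Assumes POSIX sh + awk/find/ls/mktemp. Sample text is constructed.

# Constructed sample of `lsof -n -P` output (hypothetical PIDs/devices),
# column order: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 436 root 24u IPv4 0x30001303a88 0t0 TCP *:898 (LISTEN)
java 436 root 25u unix 105,25 0t0 35169 /tmp/smc898/cmdsock
sshd 123 root 3u IPv4 0x30001300000 0t0 TCP *:22 (LISTEN)'

# listener_pids TEXT PORT: unique PIDs holding a LISTEN socket on PORT.
# The NAME column is "addr:port (LISTEN)", so the port is in $(NF-1).
listener_pids() {
    printf '%s\n' "$1" | awk -v p=":$2" '
        NR > 1 && $NF == "(LISTEN)" && $(NF-1) ~ (p "$") { print $2 }
    ' | sort -u
}

# socket_paths_for_pid TEXT PID: unix-socket paths held by PID; the
# command socket is evidence worth copying off before anything is killed.
socket_paths_for_pid() {
    printf '%s\n' "$1" | awk -v pid="$2" '
        NR > 1 && $2 == pid && $5 == "unix" { print $NF }
    '
}

# exe_for_pid PID (Linux only, assumed): the executable actually running,
# even if the on-disk file was renamed or unlinked after exec.
exe_for_pid() {
    [ -e "/proc/$1/exe" ] && readlink "/proc/$1/exe"
}

# find_by_inode DIR INODE: stay on one filesystem (-xdev). Inode numbers
# repeat across mounts, which is why `find / -inum 35169` in the post hit
# both a directory under /var and a device node under /devices.
find_by_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# demo_inode_scope: create a temp file, look up its inode, and show that a
# scoped search returns exactly that one path. Prints the hit count.
demo_inode_scope() {
    d=$(mktemp -d) || return 1
    : > "$d/listener.bin"
    ino=$(ls -i "$d/listener.bin" | awk '{ print $1 }')
    n=$(find_by_inode "$d" "$ino" | awk 'END { print NR }')
    rm -rf "$d"
    echo "$n"
}

main() {
    for pid in $(listener_pids "$SAMPLE_LSOF" 898); do
        echo "port 898 owner: pid $pid"
        echo "  unix sockets: $(socket_paths_for_pid "$SAMPLE_LSOF" "$pid")"
        # On a live box: kill -STOP "$pid" to freeze it, copy the binary via
        # exe_for_pid "$pid" for analysis, then kill it. Then rebuild, as the
        # reply above says; tools on a rooted host are not trustworthy.
    done
    echo "scoped inode search hits: $(demo_inode_scope)"
}
main
```

Run it from a shell; `main` prints the owner of port 898 and confirms the scoped inode lookup returns one hit. On a compromised host the caveat in the reply still applies: `lsof`, `find`, `ls` and `netstat` may themselves have been replaced, so run them from known-good media, and treat the output as a lead for what to preserve, not as proof the box is clean.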
This archive was generated by hypermail 2b30 : Sun Jun 23 2002 - 12:08:48 PDT