Hey..

From what I can see you've been rooted by this "group" called hoax. They probably just had some rootkit lying around. All very simple. But still you need to take action, my guess is that those guys aren't pros. Run chkrootkit (ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz) for backdoors/infected binaries, and you really need to check your local security. I don't know what your situation is like but I would've shut down most of my services/users and started looking for backdoors/traces and such.

Feel free to send me those tarballs if you want, I could browse 'em through quick.

// Mattias Hedenskog

> I've just received word that one of our customers was rooted, and he's
> asking about the file ".haos". Nothing rings any bells, has anyone heard
> of it?
>
> ---------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
irc:tsixla@efnet,irscnet
mail:tsixlaat_private
http://tsixla.antisec.net
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 16:49:24 PST