> -----Original Message----- > From: Gordon Chamberlin [mailto:glacat_private] > Sent: 20. prosinac 2002 22:12 > To: incidentsat_private > Subject: hpd, afb, sc, and sn > > > The contents of hpd are: > #!/bin/sh > /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null > /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null Rootkit doesn't seem familiar to me, but this is almost certanly some backdoor service listening at port 7000 (-p flag), which your nmap showed later. You can maybe try telneting to localhost port 7000 to see what banner you get. > According to an rpm -V, all kinds of binaries have been > changed: ps, top, netstat, ifconfig, ... > > I copied a good version of ps in and found the two afb > processes running. Well, if you didn't see afb processes before (with old ps), your machine is 100% compromised with binaries of common utilities changed. > Anyone know about this hack, what afb does and/or how they > usually get in? If you can post those files people can analyze them. In any case, I'd suggest making image of machines HDD (for later analysis) and reinstalling everything from the scratch as it's pretty obvious someone started rootkit on it. Also, you can try starting chrootkit on your machine to see what output you'll get. Latest version was released yesterday (v0.38) so I'd suggest download of it and running it on compromised machine: http://www.chkrootkit.org/ Best regards, Bojan Zdrnja ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:27:23 PST