On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:
> I found suspicious looking files on a Redhat 7.1 Linux server earlier
> today. Can anyone confirm or deny that the machine has been hacked?

Oh ya. Maybe more than once.

> According to an rpm -V, all kinds of binaries have been changed: ps,
> top, netstat, ifconfig, ...
>
> I copied a good version of ps in and found the two afb processes
> running.
>
> Anyone know about this hack, what afb does and/or how they usually get
> in?

http://www.chkrootkit.org/

Chkrootkit might be able to diagnose your problems. I'd hit
http://www.google.com, and http://isc.incidents.org/ and see what pops up.

-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arltat_private                  University Of Calgary
(_)/(_)         I should be biking right now.   Computer Science

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:28:14 PST