Gordon,

Check out: http://www.ebagu.com/hacked.html

Friday, December 20, 2002, 3:11:31 PM, you wrote:

GC> I found suspicious looking files on a Redhat 7.1 Linux server earlier
GC> today. Can anyone confirm or deny that the machine has been hacked?
GC>
GC> The files:
GC>
GC> /usr/bin/hpd
GC> /usr/bin/afb
GC> /usr/bin/sn
GC>
GC> The following line is in /etc/rc.local:
GC>
GC> /usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null
GC>
GC> The contents of hpd are:
GC>
GC> #!/bin/sh
GC> /usr/bin/./afb -f /bin/sc -q -p 5 -h /bin/hk >/dev/null
GC> /usr/bin/./afb -f /bin/sc -q -p 7000 -h /bin/hk >/dev/null
GC>
GC> nmap reports the following ports open:
GC>
GC> Port       State       Service
GC> 5/tcp      open        rje
GC> 22/tcp     open        ssh
GC> 25/tcp     open        smtp
GC> 53/tcp     open        domain
GC> 80/tcp     open        http
GC> 111/tcp    open        sunrpc
GC> 443/tcp    open        https
GC> 808/tcp    open        unknown
GC> 1024/tcp   open        kdm
GC> 3306/tcp   open        mysql
GC> 7000/tcp   open        afs3-fileserver
GC> 8009/tcp   open        ajp13
GC>
GC> According to an rpm -V, all kinds of binaries have been changed: ps,
GC> top, netstat, ifconfig, ...
GC>
GC> I copied a good version of ps in and found the two afb processes
GC> running.
GC>
GC> Anyone know about this hack, what afb does and/or how they usually get
GC> in?
GC>
GC> Embarrassedly,
GC> -Gordon

-- 
Regards,

Greg Barnes          DotDot:   greg at ins.com
CISA/CISSP           RingRing: 918-630-3228
CCSA/CCSE            BeepBeep: 800-467-1467

"But, alas, how frequently, how almost universal it is in an author to
persuade himself of the truth of his own dogmas." --Darwin

PGP Fingerprint: 723E 7CAD 4EF5 D904 1EE8 5279 71A5 A594 E6A7 C48E

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
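Gordon's triage (rpm -V showing altered ps/top/netstat/ifconfig, and an rc.local entry starting an unknown binary via "/usr/bin/./hdp") can be scripted. The following is an added example, not code from either poster: it filters constructed rpm -V output down to system binaries whose size or MD5 changed, and pulls the command paths out of a constructed rc.local so they can be handed to `rpm -qf` on the host; the sample lines are made up for the example.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output in the 8-column form rpm 4.0 on
# Red Hat 7.1 printed: S=size M=mode 5=MD5 D=device L=link U=user G=group
# T=mtime; a "c" before the path marks a config file. Not real host data.
RPM_V_SAMPLE='S.5....T   /bin/ps
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
S.5....T   /usr/bin/top
.......T   /usr/bin/perl
S.5....T c /etc/rc.d/rc.local
missing    /usr/share/doc/README'

# Reads rpm -V output on stdin and prints binaries under the system bin
# directories whose size (S) or MD5 (5) differ from the package. A changed
# mtime alone is ignored (normal after package upgrades), config files are
# skipped (admins edit them), and "missing" entries have no flags to test.
modified_system_binaries() {
    awk '
        $1 == "missing"            { next }
        $2 == "c" || $2 == "d"     { next }
        {
            flags = $1; path = $NF
            if (path !~ "^/(bin|sbin|usr/bin|usr/sbin)/") next
            if (index(flags, "S") || index(flags, "5")) print path
        }'
}

# Constructed rc.local resembling the one in the post (not the real file).
RC_LOCAL_SAMPLE='#!/bin/sh
# This script will be executed after all the other init scripts.
touch /var/lock/subsys/local
/usr/bin/./hdp -T38400 -t linux -d /dev/tty >>/dev/null'

# Reads rc.local on stdin and prints the absolute path each non-comment
# line executes, collapsing "/./" so "/usr/bin/./hdp" becomes "/usr/bin/hdp"
# (the dot segment hides the entry from a naive grep for the plain path).
# On the host, pipe the result through `xargs rpm -qf`: a path that no
# package owns is worth inspecting.
rc_local_commands() {
    grep -v '^[[:space:]]*#' | awk 'NF && $1 ~ "^/" { print $1 }' | sed 's#/\./#/#g'
}
```

Against the sample data the first function lists ps, netstat, ifconfig and top and nothing else, and the second yields only /usr/bin/hdp.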
This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:28:22 PST