RootKits Question
From: Nick Lange (nlange@usb.com)
Date: 08/01/01
- Previous message: The Psychotic Viper: "Re: Question"
- Next in thread: Devdas Bhagat: "Re: RootKits Question"
- Reply: Devdas Bhagat: "Re: RootKits Question"
- Reply: Martin Ostlund: "Re: RootKits Question"
- Reply: James Oden: "Re: RootKits Question"
Message-ID: <004601c11a8b$69c2e080$8b0110ac@majik>
From: "Nick Lange" <nlange@usb.com>
To: <focus-linux@securityfocus.com>
Subject: RootKits Question
Date: Wed, 1 Aug 2001 08:11:01 -0500
Does anyone know of any rootkits off the top of their head that leave a /sbin/a.out behind?

I'm fairly certain I got rooted two days ago (didn't look at yesterday's security report like an idiot...). The md5 / file checks show a new file, /sbin/a.out, with MD5
0x4b689a480ff3ff85862e94d05125ac26 : /sbin/a.out

The machine was a Red Hat install but patched up from all relevant security advisories (or so I thought; the only one I can see is maybe xinetd)...

I left sshd, apache + php 4.0.6, datapipe.c (see www.rootshell.com / search), mysql* [I meant to firewall that off but never got around to it] listening on the external interface, and I *had* no local users, so it has to be something there...

Anyone seen anything? A quick search for /sbin/a.out reveals nothing. It may have been datapipe.c but I doubt that as well, as it's simply a port forwarder [for auth port].
nick
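Added example, not part of the original post: the baseline-versus-current comparison a nightly file-integrity job performs to surface an unexpected file like /sbin/a.out (or a changed existing binary). The directory contents are constructed, and sha256 is assumed in place of the MD5 the post used.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root, algo="sha256"):
    """Return {relative_path: hexdigest} for every regular file under root.
    Symlinks are skipped so a link cannot stand in for a replaced binary.
    The post used MD5; sha256 is assumed here since MD5 collisions are practical."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            h = hashlib.new(algo)
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[str(full.relative_to(root))] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify changes between a trusted baseline and a fresh scan:
    new paths, paths that vanished, and paths whose content hash changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a fake sbin/, then an a.out appears
    and an existing binary is altered, as a compromised box would show."""
    with tempfile.TemporaryDirectory() as root:
        sbin = Path(root) / "sbin"
        sbin.mkdir()
        (sbin / "init").write_bytes(b"#!/bin/sh\necho init\n")
        (sbin / "ifconfig").write_bytes(b"ELF-placeholder")
        baseline = hash_tree(root)
        # post-compromise state (constructed): new file plus a trojaned ifconfig
        (sbin / "a.out").write_bytes(b"unknown binary (constructed)")
        (sbin / "ifconfig").write_bytes(b"ELF-placeholder-modified")
        return diff_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

On a host suspected of being rooted, run the comparison from trusted boot media against the mounted disk, since a kernel-level rootkit can hide or alter what the live system reports, and keep the baseline manifest off the host.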