RootKits Question

From: Nick Lange
Date: 08/01/01

Message-ID: <004601c11a8b$69c2e080$8b0110ac@majik>
From: "Nick Lange" <>
To: <>
Subject: RootKits Question
Date: Wed, 1 Aug 2001 08:11:01 -0500

Does anyone know of any rootkits off the top of their head that leave a
/sbin/a.out behind?
I'm fairly certain I got rooted two days ago (didn't look at yesterday's
security report like an idiot...).
The md5 / file checks show a new file, /sbin/a.out with MD5
0x4b689a480ff3ff85862e94d05125ac26 : /sbin/a.out

The machine was a Red Hat install but patched up from all relevant security
advisories (or so I thought, the only one I can see is maybe xinetd)...

I left sshd, apache + php 4.0.6, datapipe.c (see / search),
mysql* [I meant to firewall that off but never got around to it] listening on
the external interface, and I *had* no local users so it has to be something
Anyone seen anything? A quick search for /sbin/a.out reveals nothing.
It may have been datapipe.c but I doubt that as well, as it's simply a port
forwarder [for auth port].