Re: RootKits QuestionFrom: Martin Ostlund (email@example.com)
- Previous message: Devdas Bhagat: "Re: RootKits Question"
- In reply to: Nick Lange: "RootKits Question"
- Next in thread: David Ramsden: "Re: RootKits Question"
- Reply: David Ramsden: "Re: RootKits Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 1 Aug 2001 20:16:30 +0300 (EEST) From: Martin Ostlund <firstname.lastname@example.org> To: Nick Lange <email@example.com> Subject: Re: RootKits Question Message-ID: <Pine.LNX.firstname.lastname@example.org>
On Wed, 1 Aug 2001, Nick Lange wrote:
> The machine was a redhat install but patched up from all relevant security
> advisories (or so I thought, the only one I can see is maybe xinetd)...
Hi. One can never be secured enough:)
> anyone seen anything? a quick search for /sbin/a.out reveals nothing
> it may have been datapipe.c but I doubt that as well, as it's simply a port
> forwarder [for auth port]
Have you tried strings /sbin/a.out ? strings will print out
all readable text from a binary, also check which date and time it was
created, and if something shows up in messages/syslog around that
date and time. Try to check for backdoors, netstat -atn | grep LIST