Re: RootKits Question
From: Martin Ostlund (mo@ares.sot.com) Date: 08/01/01
- Previous message: Devdas Bhagat: "Re: RootKits Question"
- In reply to: Nick Lange: "RootKits Question"
- Next in thread: David Ramsden: "Re: RootKits Question"
- Reply: David Ramsden: "Re: RootKits Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 1 Aug 2001 20:16:30 +0300 (EEST)
From: Martin Ostlund <mo@ares.sot.com>
To: Nick Lange <nlange@usb.com>
Subject: Re: RootKits Question
Message-ID: <Pine.LNX.4.10.10108012015440.9797-100000@ares.sot.com>
On Wed, 1 Aug 2001, Nick Lange wrote:
> The machine was a redhat install but patched up from all relevant security
> advisories (or so I thought, the only one I can see is maybe xinetd)...
Hi. One can never be secured enough :)
> anyone seen anything? a quick search for /sbin/a.out reveals nothing
> it may have been datapipe.c but I doubt that as well, as it's simply a port
> forwarder [for auth port]
> nick
Have you tried strings /sbin/a.out? strings will print out
all readable text from a binary. Also check which date and time it was
created, and if something shows up in messages/syslog around that
date and time. Try to check for backdoors: netstat -atn | grep LIST
-martin
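The checks Martin lists (strings, file timestamps, syslog entries around that time, listening sockets) gathered into one shell helper. This is an added example, not code from the thread; it assumes GNU coreutils (stat -c, date -d) and binutils strings, and every path, the /var/log/messages default included, is a parameter rather than a value from the original post.

```shell
# Added triage helper for an unknown binary such as /sbin/a.out (not from the
# thread). Assumes GNU coreutils (stat -c, date -d), binutils strings, and a
# syslog-style log with "Mon DD HH:MM:SS" prefixes. Paths are parameters.

# Readable strings: embedded paths, hostnames, addresses or shell commands.
show_strings() {
    strings -n 6 "$1" | sort -u          # -n 6 drops most short noise
}

# mtime is trivial to back-date with touch(1); ctime (inode change) is not,
# so a ctime much newer than mtime is itself a clue.
file_times() {
    stat -c 'mtime=%y ctime=%z' "$1"
}

# Epoch seconds for one "Mon DD HH:MM:SS" syslog prefix. Classic syslog omits
# the year, so the caller supplies it. Fails silently on an unparseable line.
syslog_epoch() {
    date -d "$(printf '%s' "$1" | cut -c1-15) $2" +%s 2>/dev/null
}

# Lines of LOG within +/- MINS (default 30) of reference epoch REF, e.g. the
# binary's ctime. Prints matches; always returns 0.
log_window() {
    log=$1; ref=$2; mins=${3:-30}
    lo=$((ref - mins * 60)); hi=$((ref + mins * 60))
    year=$(date -d "@$ref" +%Y)
    while IFS= read -r line; do
        t=$(syslog_epoch "$line" "$year") || continue
        [ "$t" -ge "$lo" ] && [ "$t" -le "$hi" ] && printf '%s\n' "$line"
    done < "$log"
    return 0
}

# The netstat -atn | grep LIST check from the thread, with ss(8) as fallback.
listening_sockets() {
    if command -v netstat >/dev/null 2>&1; then netstat -atn | grep LISTEN
    else ss -ltn; fi
}

# Run all four checks against BIN, using LOG (default /var/log/messages).
triage() {
    bin=$1; log=${2:-/var/log/messages}
    echo "== strings";            show_strings "$bin"
    echo "== timestamps";         file_times "$bin"
    echo "== log +/-30 min around ctime"
    log_window "$log" "$(stat -c %Z "$bin")"
    echo "== listening sockets";  listening_sockets
}
```

Run as `triage /path/to/suspect/binary /var/log/messages`; the log window uses ctime because an intruder can reset mtime but not ctime without touching the clock.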