Re: Visited by a cracker
From: Mike Zupan (mzupan_at_meso.com)
Date: 07/12/04
- Previous message: Mircea MITU: "Re: Visited by a cracker"
- In reply to: Per Christian B. Viken: "Visited by a cracker"
- Next in thread: Anthony R. Plastino III: "Re: Visited by a cracker"
- Reply: Anthony R. Plastino III: "Re: Visited by a cracker"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: focus-linux@securityfocus.com
Date: Mon, 12 Jul 2004 08:22:13 -0400
I just ran the first two against a fully patched RH9 system with no luck.
ptrace kept running in memory. The other is also the kernel exploit which has
been patched by every distro out there.
[wind@wind0 wind]$ chmod +x egx
[wind@wind0 wind]$ ./egx
[-] Unable to change page protection: Cannot allocate memory
[-] Unable to exit, entering neverending loop.
[1]+ Stopped ./egx
[wind@wind0 wind]$
[wind@wind0 wind]$ uname -r
2.4.20-30.9smp
Mike
On Sunday 11 July 2004 10:45, Per Christian B. Viken wrote:
> Hello
>
> I've had a rather disturbing evening.
> A friend of mine runs a small server for himself and some friends. It's
> running slackware 10.
> When I logged in, I noticed that the load was way over what's normal
> (around 1.36 now, usually it's under 0.10), so I run 'top'. I see a program
> called 'strace' running, hogging all the cpu power.
>
> So I get curious. I chdir to the user's home, and look around. It's empty.
> But, the 'smart' little cracker has forgotten about .bash_history, so here
> I can see everything that he has been doing.
> Apparently, he has downloaded and set up an eggdrop, removed it again, and
> then downloaded a psybnc, which he also removed shortly. Then things get
> interesting.
>
> <SNIP>