RE: Questions = Thanks

From: Ihsahn Diablo (
Date: 11/21/01

From: "Ihsahn Diablo" <>
Subject: RE: Questions = Thanks
Date: Wed, 21 Nov 2001 21:19:44 +0000
Message-ID: <>

>From: "Mark Piper" <>
>Reply-To: <>
>To: "'Ihsahn Diablo'" <>
>Subject: RE: Questions
>Date: Thu, 22 Nov 2001 09:32:42 +1300
>Hash: SHA1
>Hi Ihsahn,
>Adore is a popular rootkit for redhat 6.x servers, I cant remember
>the link to the information on it, but I will Hunt it out for you...
>As for DP, it appears to redirect ports form your local machine to a
>remote host.... I have dp.c someplace round here, I will hunt it out
>for you...
>Could you please show us the results of a netstat -a? It shouldnt be
>too hard to spot how the intruders got in.
>Hope this helps =)
>Mark Piper

   Thanks Mark, but i know what adore is (thanks to mike lewinski). My
server have Redhat7.0, update it daily, every patch existent is applied.
Soon i will upgrade him to Redhat 7.2
   I'll thanks everybody who answered at may mail, and my conclusion is : dp
is "datapipe" :), i beleaved it is a remote exploit. The way they entered in
my system is fairly simple: they cracked another server witch have rights on
mine (hosts.allow rulez), this is my conclusion after 2 days and 2 nights
with no sleep to find how they entered (and a lot of phones :) ).
  I repet, i beleaved dp is a remote exploit, so i was't fairly scared
becaused i don't know about him.

   Chkrootkit was the first thing i'll did it. The second was'ed to check
the other servers. Is strange, i'll found it (the rk) in one server and not
on the others too.

  So i have one more thing to ask you: to give me some good links about what
to do after a break or what to do if somebody is in the middle of an atack.

Thanks a lot for your help,

Best regards,


Get your FREE download of MSN Explorer at

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

Relevant Pages