Rootkit or trojan
From: Jason Robertson (jason@ifuture.com)Date: 04/23/02
- Previous message: H C: "Re: Port 6588 Probes from SA"
- In reply to: Dan Irwin: "RE: illogic rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Jason Robertson" <jason@ifuture.com> To: "'incidents@securityfocus.com'" <incidents@securityfocus.com> Date: Mon, 22 Apr 2002 23:37:45 -0400
Okay I am wondering if anyone has seen a rootkit or trojan with the
following files (please note, I do not have access to this machine
directly, so this is only from a remote cursory view)
The OS is Sun OS 2.5 (I know I know)
First the executable
/usr/bin/xntpx was created this program seems to be some icmp utility,
which creates a large stream of ICMP traffic, the traffic we noticed
was ICMP packets > 1024 to address 0.0.0.0
Second /tmp/x which was run with xinetd /tmp/x
Third /var/adm/* had the mode 666
That was all of the information I had direct access too, though if I
remember there was also a trojan sshd using the name ssld, and modcheck
if I remember running as well
Jason
-- Jason Robertson Now at the Nation Research Council.---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: H C: "Re: Port 6588 Probes from SA"
- In reply to: Dan Irwin: "RE: illogic rootkit"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
