Re: hpd, afb, sc, and sn

From: Brad Arlt (arlt@cpsc.ucalgary.ca)
Date: 12/20/02

    Date: Fri, 20 Dec 2002 15:28:48 -0700
    From: Brad Arlt <arlt@cpsc.ucalgary.ca>
    To: Gordon Chamberlin <glac@visualize.com>
    
    

    On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:
    > I found suspicious looking files on a Redhat 7.1 Linux server earlier
    > today. Can anyone confirm or deny that the machine has been hacked?

    Oh ya. Maybe more than once.

    > According to an rpm -V, all kinds of binaries have been changed: ps,
    > top, netstat, ifconfig, ...
    >
    > I copied a good version of ps in and found the two afb processes
    > running.
    >
    > Anyone know about this hack, what afb does and/or how they usually get
    > in?

    http://www.chkrootkit.org/

    Chkrootkit might be able to diagnose your problems. I'd hit
    http://www.google.com, and http://isc.incidents.org/ and see what pops
    up.
    -----------------------------------------------------------------------
       __o Bradley Arlt Security Team Lead
     _ \<_ arlt@cpsc.ucalgary.ca University Of Calgary
    (_)/(_) I should be biking right now. Computer Science

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
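A triage pass over `rpm -V` style output of the kind described in the quoted message, as an added example that is not part of the original thread. The sample lines are constructed, and the function names and the list of binary directories are assumptions made for illustration.

```python
import os
import re

# Constructed sample in `rpm -Va` output format; not output from the thread's server.
SAMPLE = """\
S.5....T   /bin/ps
S.5....T   /usr/bin/top
S.5....T   /bin/netstat
SM5....T   /sbin/ifconfig
S.5....T   /usr/bin/find
S.5....T c /etc/syslog.conf
.......T   /usr/share/doc/foo/README
missing    /usr/bin/less
"""

BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumed list
# Tools the original poster reported as changed; they report process and network state.
REPORTING_TOOLS = {"ps", "top", "netstat", "ifconfig"}

# 8 flag characters (older rpm) or 9 (newer), or the word "missing",
# then an optional file-type marker (c=config, d=doc, ...), then the path.
LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")

def parse(text):
    """Parse verify output into one record per reported file."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue  # skip anything that is not a verify result line
        flags, kind, path = m.group("flags", "kind", "path")
        changed = flags != "missing" and "5" in flags  # "5" = digest mismatch
        findings.append({"path": path, "kind": kind, "content_changed": changed})
    return findings

def triage(text):
    """Return (untrusted_reporting_tools, other_changed_binaries, other_findings)."""
    tools, binaries, other = [], [], []
    for f in parse(text):
        executable = f["path"].startswith(BIN_DIRS) and f["kind"] is None
        if f["content_changed"] and executable:
            if os.path.basename(f["path"]) in REPORTING_TOOLS:
                tools.append(f["path"])  # their output cannot be trusted
            else:
                binaries.append(f["path"])
        else:
            other.append(f["path"])
    return tools, binaries, other

if __name__ == "__main__":
    for label, paths in zip(("reporting tools", "binaries", "other"), triage(SAMPLE)):
        print(label, paths)
```

Since `rpm` and its database live on the suspect host, this result is only as trustworthy as they are; running the verification from known-good media gives a stronger answer.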

