Re: New Rootkit?

From: Jeffrey Denton (dentonj_at_c2i2.com)
Date: 10/16/03

  • Next message: Jeff Kell: "Proxy attackers/hijackers"
    Date: Thu, 16 Oct 2003 12:19:38 -0700 (MST)
    To: "Jonas Frey (Probe Networks)" <jf@probe-networks.de>
    
    

    $ strings server

    . . .
    200.241.173.21
    Must be ran as root.
    socket
    bind
    setsockopt
    newserver
    stream
    ping
    pong
    fork
    Forked into background, pid %d
    ./at 0 %s 1 65535 1 %d 1>/dev/null 2>/dev/null
    server.c
    /usr/.xmag/mstream/
    . . .

    http://staff.washington.edu/dittrich/misc/mstream.analysis.txt

    The strings fingerprint is similar. You may want to look at what else
    is in the /usr/.xmag directory.

    dentonj
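
Added example, not part of the original post: a Python sketch of the strings-fingerprint comparison described above. It pulls printable runs out of a binary much as `strings` does and checks them against marker strings copied from the output quoted in this message; the function names, the choice of markers and both sample byte strings are constructed for illustration.

```python
import re

# Marker strings copied from the `strings server` output quoted in this post.
# Generic libc names (socket, bind, fork, ping, pong) are left out on purpose:
# they appear in many unrelated binaries. The selection is this example's assumption.
MARKERS = [
    "Must be ran as root.",
    "Forked into background, pid %d",
    "newserver",
    "server.c",
    "/usr/.xmag/mstream/",
]

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII at least min_len bytes long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def fingerprint(data: bytes) -> dict:
    """Report which markers occur inside any extracted string."""
    found = extract_strings(data)
    hits = [m for m in MARKERS if any(m in s for s in found)]
    return {"hits": hits, "score": len(hits) / len(MARKERS)}

def scan_file(path: str) -> dict:
    """Fingerprint a file on disk, read as raw bytes."""
    with open(path, "rb") as fh:
        return fingerprint(fh.read())

# Constructed sample inputs (not real binaries): text separated by NULs and noise.
SUSPECT = (
    b"\x7fELF\x01\x01\x00" + b"Must be ran as root.\x00"
    + b"\x90\x01socket\x00bind\x00newserver\x00"
    + b"Forked into background, pid %d\n\x00server.c\x00/usr/.xmag/mstream/\x00"
)
BENIGN = b"\x7fELF\x02\x01\x00socket\x00bind\x00fork\x00usage: %s [-v] file\n\x00main.c\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        result = fingerprint(blob)
        print(f"{name}: score={result['score']:.2f} hits={result['hits']}")
```

A high score only says the binary shares strings with the sample in this post; it is a triage signal to combine with file hashes, timestamps and the contents of the directory the binary references.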
