DoS Tool Identification

From: Seth Milder (mrseth_at_physics.gmu.edu)
Date: 02/25/04

    Date: Wed, 25 Feb 2004 15:28:17 -0500
    To: incidents@securityfocus.com

    Does anyone know what this might be? Here is the ps and lsof identification:

    root 6543 26.0 0.0 1336 276 ? SN Feb24 351:37 httpd 10000 149.xxx.xxx.xxx 113

    [root@xxx.xxx.xxx.xxx httpd]# lsof -p 6543
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    httpd 6543 root cwd DIR 8,23 0 420993 /tmp/.x (deleted)
    httpd 6543 root rtd DIR 8,2 4096 2 /
    httpd 6543 root txt REG 8,23 5388 420994 /tmp/.x/httpd (deleted)
    httpd 6543 root mem REG 8,2 89547 484644 /lib/ld-2.2.5.so
    httpd 6543 root mem REG 8,2 1402035 226126 /lib/i686/libc-2.2.5.so
    httpd 6543 root 0r CHR 1,3 162462 /dev/null
    httpd 6543 root 1w REG 8,23 0 420995 /tmp/.x/nohup.out (deleted)
    httpd 6543 root 2w REG 8,23 0 420995 /tmp/.x/nohup.out (deleted)
    httpd 6543 root 3u sock 0,0 2377 can't identify protocol
    httpd 6543 root 4u raw 63164463 00000000:0006->00000000:0000 st=07

    I also found the attached file, /dev/rd/c0dO/bd.out, which was being
    executed from /etc/rc.d/rc.local. It spawns a process that makes it look
    like it's /usr/sbin/named.

    Thanks for any info on this!

    -- 
    Seth Milder
    Department of Physics and Astronomy
    MS 3f3
    George Mason University
    Fairfax, VA
    --
    I'll give you my opinion of the human race in a nutshell ... their
    heart's in the right place, but their head is a thoroughly inefficient
    organ. -- W. Somerset Maugham, "The Summing Up"
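The listing in the post, run through a small triage parser. This is an added example, not code from the post or the list; its only input is the lsof output Seth posted, rejoined onto single lines and embedded as sample data. It parses the shifting lsof columns, then flags the indicators visible above: a text segment and working directory unlinked under /tmp, stdout/stderr sent to nohup.out, an unidentified socket, and a raw IP socket. The protocol decode assumes lsof is reporting a Linux raw socket as read from /proc/net/raw, where the port slot of the local address carries the IP protocol number (0006 = TCP); the tag names and directory lists are the example's own choices.

```python
"""Triage an lsof -p listing for the indicators in the post above.

Added example, not from the original post.  Parses lsof output whose
columns shift when DEVICE/SIZE are blank, then flags: executable and cwd
unlinked under /tmp, stdout/stderr sent to nohup.out, and a raw IP socket
(decoding the protocol number lsof shows in the port slot).
"""
import re

# The post's own `lsof -p 6543` output, wrapped lines rejoined (sample input).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 6543 root cwd DIR 8,23 0 420993 /tmp/.x (deleted)
httpd 6543 root rtd DIR 8,2 4096 2 /
httpd 6543 root txt REG 8,23 5388 420994 /tmp/.x/httpd (deleted)
httpd 6543 root mem REG 8,2 89547 484644 /lib/ld-2.2.5.so
httpd 6543 root mem REG 8,2 1402035 226126 /lib/i686/libc-2.2.5.so
httpd 6543 root 0r CHR 1,3 162462 /dev/null
httpd 6543 root 1w REG 8,23 0 420995 /tmp/.x/nohup.out (deleted)
httpd 6543 root 2w REG 8,23 0 420995 /tmp/.x/nohup.out (deleted)
httpd 6543 root 3u sock 0,0 2377 can't identify protocol
httpd 6543 root 4u raw 63164463 00000000:0006->00000000:0000 st=07
"""

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}      # IANA protocol numbers
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumption: where droppers live
SYSTEM_BIN = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/")
_DEVICE = re.compile(r"^\d+,\d+$")                # DEVICE column: major,minor
_NUMBER = re.compile(r"^\d+$")                    # SIZE or NODE column


def parse_lsof(text):
    """Return one dict per row: command, pid, user, fd, type, name.

    COMMAND PID USER FD TYPE are always present.  DEVICE/SIZE/NODE are numeric
    but some are blank for sockets, so they are consumed greedily and whatever
    remains is NAME (which may contain spaces, e.g. "(deleted)").
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] == "COMMAND":
            continue
        cmd, pid, user, fd, ftype = tokens[:5]
        rest = tokens[5:]
        while len(rest) > 1 and (_DEVICE.match(rest[0]) or _NUMBER.match(rest[0])):
            rest.pop(0)
        rows.append({"command": cmd, "pid": int(pid), "user": user,
                     "fd": fd, "type": ftype, "name": " ".join(rest)})
    return rows


def decode_raw_socket(name):
    """Map a raw-socket NAME to its IP protocol name.

    On Linux the local address of a raw socket is shown as addr:PPPP where
    PPPP (hex) is the IP protocol number, so 00000000:0006 is IPPROTO_TCP.
    """
    m = re.match(r"[0-9A-Fa-f]{8}:([0-9A-Fa-f]{4})->", name)
    if not m:
        return None
    proto = int(m.group(1), 16)
    return IP_PROTO.get(proto, "proto %d" % proto)


def assess(rows):
    """Return (tag, detail) findings for the indicators seen in the post."""
    findings = []
    txt = next((r for r in rows if r["fd"] == "txt"), None)
    if txt:
        path = txt["name"].replace(" (deleted)", "")
        if "(deleted)" in txt["name"]:
            findings.append(("deleted_exe", "executable unlinked while running: " + path))
        if not path.startswith(SYSTEM_BIN):
            findings.append(("untrusted_path", "executable outside system bin dirs: " + path))
    cwd = next((r for r in rows if r["fd"] == "cwd"), None)
    if cwd and (cwd["name"].startswith(SCRATCH_DIRS) or "(deleted)" in cwd["name"]):
        findings.append(("scratch_cwd", "cwd in scratch space or deleted: " + cwd["name"]))
    for r in rows:
        if r["fd"] in ("1w", "2w") and r["name"].split()[0].endswith("nohup.out"):
            findings.append(("nohup", "fd %s -> %s (left running via nohup)" % (r["fd"], r["name"])))
        if r["type"] == "raw":
            proto = decode_raw_socket(r["name"])
            findings.append(("raw_socket", "fd %s: raw IP socket for %s (process builds its own %s headers)"
                             % (r["fd"], proto, proto)))
        if r["type"] == "sock" and "can't identify" in r["name"]:
            findings.append(("unknown_socket", "fd %s: socket of unidentified protocol" % r["fd"]))
    if rows and rows[0]["user"] == "root":
        findings.append(("root", "process runs as root"))
    return findings


if __name__ == "__main__":
    for tag, detail in assess(parse_lsof(SAMPLE_LSOF)):
        print("%-15s %s" % (tag, detail))
```

Feed it `lsof -p <pid>` output captured from a live host instead of SAMPLE_LSOF and the same checks apply; the raw-socket decode is what tells you the binary is speaking TCP with hand-built headers rather than through a normal stream socket.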