
Re: Rootkit?



Hello,

> Did you copy the gzip binary under the gzip name, or under another, and
> of course, the machine was "possibly infected" at the time?

Uh, I got so much stuff in my mind today, it's hard to remember ;-)
I think I tried to ftp the clean gzip binary named as 'gzip' and 'foo';
both were then infected.

> If so, it would tend to indicate a similar situation to what I had, on a
> non-debian box, where a certain list of binaries were hijacked through
> ld_preload tricks and uninfected copies were on the file system, but
> infection wrappers in /proc were run before each one...

Well, I will put the 'infected' disc into another clean box at the weekend
and see what I can find...


