Re: I've been hacked by DevilSoul

To: Alvin Oga <aoga@Maggie.Linux-Consulting.com>
Cc: Alan Aldrich <alanaldrich@attbi.com>, debian-security@lists.debian.org
Subject: Re: I've been hacked by DevilSoul
From: Jacques Lav!gnotte <jaclavi@pollux.frmug.org>
Date: Fri, 11 Jan 2002 13:32:07 +0100
Message-id: <[🔎] 20020111133207.C24168@pollux.frmug.org>
In-reply-to: <[🔎] Pine.LNX.3.96.1020110201347.30375A-100000@Maggie.Linux-Consulting.com>; from aoga@Maggie.Linux-Consulting.com on Thu, Jan 10, 2002 at 08:31:00PM -0800
References: <[🔎] 001b01c19a54$d4874610$1033f60c@netbandit> <[🔎] Pine.LNX.3.96.1020110201347.30375A-100000@Maggie.Linux-Consulting.com>

On Thu, Jan 10, 2002 at 08:31:00PM -0800, Alvin Oga wrote:

> - if you think they used a simple/ordinary rootkits... you can 
>   try some of the rootkit detectors
> 
> 	http://www.chkrootkit.org/

Great tool....

Got : 

Searching for t0rn's default files and dirs... Possible t0rn rootkit installed
Searching for t0rn's v8 defaults... nothing found

ALL The rest of the log is clean....

A RootKit was installed, only the sniffer was used...

Any idea of what the «default files and dirs» are ?

         Tks,         Jacques

-- 

            0CBE 3F8A 5A77 A35C 27C7  2D42 3EC5 806B 9178 088D

Attachment: pgpe9K4dFkQvS.pgp
Description: PGP signature

Reply to:

Follow-Ups:
- Re: I've been hacked by DevilSoul
  - From: Christoph Wegener <cwe@bph.ruhr-uni-bochum.de>
- Re: I've been hacked by DevilSoul
  - From: "Alan Aldrich" <alanaldrich@attbi.com>

References:
- I've been hacked by DevilSoul
  - From: "Alan Aldrich" <alanaldrich@attbi.com>
- Re: I've been hacked by DevilSoul
  - From: Alvin Oga <aoga@Maggie.Linux-Consulting.com>

Prev by Date: Re: I've been hacked by DevilSoul - confusion
Next by Date: Re: I've been hacked by DevilSoul
Previous by thread: Re: I've been hacked by DevilSoul
Next by thread: Re: I've been hacked by DevilSoul
Index(es):
- Date
- Thread