RE: a compromised machine
Kernel rootkits are very good at hiding themselves when they are
running.
Best way is to mount the hard drive in another box as /mnt or something
and run chkrootkit over it and also md5sum known hacked binaries like ls
etc.
> OK :)
>
> So, for now I killed this process, disabled the cronjob and killed web
> server - there is no way the attacker is capable of coming back into
> server or is there a chance that there is another backdoor installed
> somewhere (chkrootkit doesn't find anything).
>
> Nejc
>
> Marcin Owsiany wrote:
>
> >On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
> >
> >
> >>On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
> >>
> >>
> >>>Can you get any information out of this cron file? I tried creating
> >>>the same exec that this file creates, but obviously I was doing
> >>>something wrong :)
> >>>
> >>>
> >>The crontab writes out a binary file and executes it. I straced the
> >>binary on a virtual machine with no network.
> >>
> >>It's attempting to connect to two different hosts:
> >>
> >>210.169.91.66:5454
> >>
> >>
> >
> >This is an IRC server. The program seems to be an IRC zombie.
> >
> >Marcin
> >
> >
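As an added example (not part of this thread, and not anyone's posted code), the offline check suggested at the top of the reply, written as a POSIX sh script: the suspect disk is mounted read-only under a mount point, and each binary is compared against an MD5 baseline recorded on a trusted system. The mount command in the comments, the baseline format (md5sum's "<hash>  /path" lines) and the `demo_check` fixture with its constructed stand-in binaries are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: check binaries on an offline-mounted
# suspect filesystem against a baseline of known-good MD5 sums.
# Assumptions (not stated in the thread): the baseline was recorded on a
# trusted system as "<md5>  /path" lines (md5sum output format), and the
# suspect disk is mounted read-only under some mount point, e.g.
#   mount -o ro,noexec,nosuid /dev/sdb1 /mnt

# check_binaries MOUNTPOINT BASELINE
# Prints one line per file that is missing or whose hash differs from the
# baseline; returns 1 if anything was flagged, 0 if every file matched.
check_binaries() {
    mnt="$1"
    baseline="$2"
    bad=0
    # Manifest paths are rooted at "/", so prefix them with the mount point
    # rather than ever executing or trusting anything on the suspect disk.
    while read -r expected path; do
        [ -z "$path" ] && continue
        target="$mnt$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        actual=$(md5sum "$target" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path (expected $expected, got $actual)"
            bad=1
        fi
    done < "$baseline"
    return $bad
}

# demo_check: builds a constructed fixture in a temp directory (stand-in
# "trusted" copies, a baseline, and a "suspect" mount with one replaced
# and one missing binary), runs the check, and returns its status.
demo_check() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/trusted/bin" "$tmp/mnt/bin"
    # constructed stand-ins for real binaries
    printf 'clean ls\n'      > "$tmp/trusted/bin/ls"
    printf 'clean ps\n'      > "$tmp/trusted/bin/ps"
    printf 'clean netstat\n' > "$tmp/trusted/bin/netstat"
    # baseline manifest in md5sum format, paths as they appear on the root fs
    for f in ls ps netstat; do
        printf '%s  /bin/%s\n' \
            "$(md5sum "$tmp/trusted/bin/$f" | cut -d' ' -f1)" "$f"
    done > "$tmp/baseline.md5"
    # suspect filesystem: ls intact, ps replaced, netstat removed
    cp "$tmp/trusted/bin/ls" "$tmp/mnt/bin/ls"
    printf 'replaced ps\n' > "$tmp/mnt/bin/ps"
    check_binaries "$tmp/mnt" "$tmp/baseline.md5"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

In real use this is `check_binaries /mnt baseline.md5`, with the baseline taken from known-good media or an identical clean install, never from the suspect host itself: any hash list stored on the compromised disk could have been rewritten along with the binaries. A non-zero exit means at least one file is missing or differs; a clean run says only that the listed files match, not that the machine is clean, which is why the reply pairs it with chkrootkit run from the clean box.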